Threat actors (TAs) predominantly rely on phishing websites as a method to distribute malware. A key tactic involves impersonating well-known brands, especially those associated with essential or security-related applications, to enhance the credibility of their campaigns. They create a false sense of legitimacy by showcasing compatibility with various platforms and mimicking trusted applications. This deceptive approach exploits users’ trust in familiar brands, making it easier for TAs to trick unsuspecting individuals into downloading malicious software. The sophisticated blend of brand impersonation and the appearance of security further reinforces the illusion of authenticity, increasing the chances of successful infiltration.
Recently, CRIL has identified a phishing website aimed at individuals downloading VPN applications for Windows, Linux, and macOS. The TA has created separate stealer binaries for each operating system, using a deceptive site that mimics the legitimate “WarpVPN” service. This phishing site offers detailed installation instructions specific to each platform. Once installed, the stealer extracts various sensitive data from the victim’s machine. It targets cryptocurrency-related browser extensions, standalone crypto wallets, stored browser passwords, browser login data, cookies, SSH keys, macOS passwords, and Keychain. The below image shows the phishing website.
Figure 1 – Phishing site
We have named this stealer “Cheana Stealer,” based on the C&C server name “ganache.live” and TA’s frequent use of the string “ganache” in the stealer’s code.
During our investigation, we discovered a Telegram channel linked to this campaign. The phishing website associated with the campaign is referenced in the channel’s bio. This channel has over 54,000 subscribers and plays a crucial role in the distribution of malicious content. The figure below displays the Telegram channel.
Figure 2 – Telegram Channel
Upon further investigation, we found that this channel has been active since at least 2018, with several profile changes over time, as shown in the figure below. Notably, the phishing site was added to its bio in 2021.
Figure 3 – Telegram Profile Changes
The phishing site has switched registrars’ multiple times, with the most recent change occurring on August 21, 2024. We suspect that the TAs initially provided legitimate services and are now taking advantage of the trust they’ve built to distribute stealer malware. Posts from 2021 indicate that the TAs offered free VPN services individually, as illustrated in the figure below, further supporting this claim.
Figure 4 – Warpvpn Site in 2021
The figure below shows the post made in 2021.
Figure 5 – Telegram post made in 2021
We also observed that a Russian native speaker likely wrote posts made before 2021, while posts from 2021 appear to be auto-translated versions, as shown in the figure below. Interestingly, the phishing domain was also added to the channel’s bio in 2021, suggesting that the operator of the Telegram channel may have changed during that time.
Figure 6 – Comparison between 2019 & 2021 posts
Additionally, in 2021, the channel’s profile photo was updated to an image taken by a Russian YouTuber, as shown in the figure below. Moreover, upon investigating the contact person mentioned in the channel, we discovered that they have a history of frequent interactions with Arabic speakers. This further suggests that the channel’s operator might be from a different origin, attempting to pose as a Russian individual.
Figure 7 – Telegram Channel Icon
In this campaign, the TAs set up a phishing site that impersonates a legitimate VPN service, offering detailed installation instructions for Windows, Linux, and macOS. The initial infection occurs when users follow the phishing site’s instructions, which involve copying and pasting platform-specific commands into their systems. Each set of commands—tailored for Windows, macOS, and Linux—ensures the malicious code is executed correctly on the respective operating system.
In this section, we will examine how TA steals sensitive information across different platforms, focusing on both common techniques and platform-specific approaches.
For Windows, the TA utilizes PowerShell commands to carry out the attack. They use ‘Invoke-WebRequest’ to download the “install.bat” file from “hxxps://warpvpn[.]net”. Following the download, ‘Start-Process’ command is used to launch a new instance of ‘cmd.exe’, passing ‘install.bat’ as an argument to execute the batch file. This method ensures the ‘install.bat’ script is run seamlessly as part of the attack. As shown in the image below, the TA instructs users to copy and paste commands intended for PowerShell into the Command Prompt. These commands will not work properly in the Command Prompt and will only execute correctly within a PowerShell environment.
Figure 8 – installation instructions for windows
The “install.bat” script performs the following things:
The below figure shows the content of the install.bat.
Figure 9 – Content of Install.bat
The malicious python package “hclockify-win” contains scripts to orchestrate sensitive information collection and exfiltration by calling various modules. These modules target cryptocurrency browser extensions, Crypto Wallets, and Stored Browser passwords.
Targeting Browser Extensions
The Python package “hclockify-win” includes a module named “ganache.helperwd” that scans multiple Chromium-based browsers, including Chrome, Brave, Opera, and Microsoft Edge, for cryptocurrency wallet extensions such as Trust Wallet, TronLink, Coinbase, Exodus, Crypto.com, Nami, and Solana. Once these extensions are detected, the module compresses their folders into a zip file and sends the data to the TAs command and control (C&C) server through a POST request, as illustrated in the figure below.
Figure 10 – Targets Browser Extension
By targeting these extensions, the TAs aim to steal cryptocurrency wallet data, including private keys, recovery phrases, and transaction details. This could potentially allow the TAs to gain unauthorized access to the victim’s digital assets. The stolen information can be further exploited or sold on cybercrime forums.
After scanning multiple browsers for cryptocurrency wallet extensions, the module proceeds to search through all Firefox profiles. It targets the prefs.js file to identify the unique ID linked to MetaMask by searching for [email protected]. Once the unique ID is identified, the module uses it to locate MetaMask’s backend data file present in the location “b0kwoimz.default-release\storage\default\moz-extension+++7f784e52-eabb-4316-8e36-850ac47f0760^userContextId=4294967295”.
The script then compresses this data into a zip file and transmits it to the TAs server via a POST request, maintaining the continuity of the data exfiltration process.
Figure 11 – Targets Firefox’s MetaMask extension
The malicious Python module then searches for cryptocurrency wallets installed on the system, identifying the installation directories for well-known crypto wallets such as Bitcoin, Monero, and Dashcore. After locating these directories, the content of these wallets is compressed into a zip file and subsequently uploaded to the TAs command and control (C&C) server through a POST request, as shown in the figure below.
Figure 12 – Targets Crypto Wallets
Additionally, the malicious Python module targets browser passwords stored in an SQLite database called “Login Data.” For Chromium-based browsers, the script first enumerates and retrieves the names of all files within the “Browser-name\User Data\” directory. It specifically looks for the “Local State” file, which holds the encrypted key necessary for decryption. The script then utilizes the “CryptUnprotectData()” function to decrypt this key. With the decrypted key, the script can subsequently decrypt the “Login Data” file, which contains all user credentials. This process allows the attackers to access and exfiltrate saved passwords from the targeted browsers.
Figure 13 – Targets Browsers Password
For non-Chromium-based browsers like Firefox, the TA employs a module called “ganache.fflg” which is capable of extracting credentials across different platforms, including Windows, Linux, and Mac. In our scenario, the focus is on Windows. The module systematically iterates through all Firefox profiles to collect key files such as “prefs.js”, “logins.json”, and, as a fallback for older versions, “signons.sqlite”. It then leverages the Network Security Services (NSS) library nss3.dll to decrypt and extract the browser credentials in plain text. Once decrypted, the decrypted credentials are exfiltrated from the victim’s machine to the TAs command and control (C&C) server.
Figure 14 – Targeting Firefox browser
Figure 15 – nss utility for credential decryption
For Linux, the TA crafted a curl command to download the “install-linux.sh” script from ‘hxxps://warpvpn.net’ as shown in the below figure.
Figure 16 – Installation instruction for Linux
The script “install-linux.sh” first attempts to retrieve a unique ID from the
“warpvpn” configuration file located at “~/HOME/.config/warpvpn”. If this file is missing, the script sends a POST request to the server containing the victim’s username, operating system, and the phishing source in order to obtain a unique ID. This ID is then used in all subsequent POST requests, along with the stolen data from the victim’s machine.
Figure 17 – Unique ID
The “install-linux.sh” script is divided into two main components: a stealer that gathers sensitive browser information and a cryptocurrency stealer, along with a function designed to mimic the legitimate Cloudflare Warp application installer.
This Linux module mirrors the Python-based stealing activities observed on Windows systems, targeting browser extensions and cryptocurrency wallets, including Bitcoin and Monero. However, on Linux, the script introduces some notable variations. The bash script is designed to steal Login Data and Cookies files from the victim’s machine and exfiltrate them to C&C server. Furthermore, the script searches for and uploads SSH keys from the “/.ssh” folder, as depicted in the figure below. This comprehensive approach significantly boosts the attacker’s ability to gain and maintain unauthorized access to the compromised system.
Figure 18 – content of install-linux.sh
For MacOS, the TA provides similar curl command to download “install.sh” and using default shell “sh” to execute the downloaded script.
Figure 19 – Install instruction for MacOS
The script tricks the user into entering their credentials by mimicking a standard system prompt that typically appears during a new application installation, making it appear as a legitimate request. After the user enters their password, the script uses the ‘dscl . -authonly’ command to validate the credentials. If the validation is successful and no errors occur, the credentials, along with data from the “/Library/Keychains” folder, are sent to the attacker’s command and control (C&C) server through a ‘curl’ POST request. If the validation fails, the script repeatedly prompts the user to re-enter their credentials, continuing this process until it succeeds.
Figure 20 – MacOS password exfiltration
The TA aimed to gather information similar to what was observed in previous Linux cases. However, there are notable differences in the scope of the attack. In addition to targeting common cryptocurrency wallets like Bitcoin and Monero, the TA also focuses on a broader range of crypto wallets, including Electrum, Exodus, DashCore, and Guarda. Furthermore, the script searches for and exfiltrates saved SSH keys from the `/.ssh` folder.
Figure 21 – install.sh (Crypto wallet exfiltration)
During the theft operation, the TA employs a deceptive tactic by displaying a fake “in-progress” message.After successfully exfiltrating the data, the script proceeds to download and install the genuine Cloudflare Warp application on the victim’s machine, as shown in the figure below.
Figure 22 – Fake Message and Legitimate VPN Installation
Before the exfiltration process, the TA archives the stolen files into ZIP files, ensuring they are organized by data type with distinct archive names for each category. These archives are then transmitted to the attacker’s Command and Control (C&C) server via a POST request to “hxxps://ganache.live/api/v1/attachment”. The communication occurs over port 443, allowing the data to be sent securely under the guise of legitimate HTTPS traffic.
Figure 23 – Exfiltration over HTTPS
The TA utilizes a Django Rest Framework-based interface to manage and view the exfiltrated data. This setup provides them with a structured and accessible way to organize and analyze the stolen information, ensuring efficient exploitation of the compromised data.
Figure 24 – attacker’s login
This phishing campaign masquerades as a trustworthy VPN provider. This campaign is spreading from a Telegram channel, carefully cultivating user confidence over time before pivoting to malicious objectives. This Telegram channel boasts over 54,000 subscribers, which has been operational since 2018 and is believed to have undergone a change in operators in 2021.
The campaign’s reach is underscored by its targeting of multiple platforms—Windows, Linux, and macOS—demonstrating a comprehensive approach to malware distribution. By creating distinct malicious scripts tailored for each operating system, the attackers ensure that their payloads are effectively executed across different environments. This multi-platform strategy allows the phishing operation to maximize its reach and impact, compromising a wide array of systems and harvesting sensitive information from a diverse user base.
Tactic | Technique | Procedure |
Initial Access (TA0001) | Phishing (T1566) | This malware reaches users via VPN phishing sites. |
Execution (TA0002) | Windows Command Shell (T1059.003) | cmd.exe is used to run commands |
Execution (TA0002) | PowerShell (T1059.001) | Invoke-WebRequest is used for downloading batch files |
Execution (TA0002) | Python (T1059.006) | Python stealer is used for targeting windows users |
Execution (TA0002) | User Execution (T1204) | User is instructed to execute the commands |
Credential Access (TA0006) | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Retrieves passwords from Login Data |
Credential Access (TA0006) | Credentials from Password Stores: Keychain (T1555.001) | Attempts to exfiltrate Keychains from MacOS system |
Credential Access (TA0006) | Steal Web Session Cookie (T1539) | Steals browser cookies |
Collection (TA0009), Credential Access (TA0006) | Input Capture: GUI Input Capture (T1056.002) | Shows command window to enter password on MacOS |
Credential Access (TA0006) | Unsecured Credentials: Private Keys (T1552.004) | Tried to exfiltrate ssh keys |
Collection (TA0009) | Archive via Utility (T1560.001) | Zip utility is used to compress the data before exfiltration |
Collection (TA0009) | Archive via Library (T1560.002) | Zip library is used to compress the data before exfiltration |
Exfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | Exfiltration Over C2 Channel |
Indicators | Indicator Type | Description |
70f08497d7a9e6a8e5f2dd3683a20563d20668e1c78df636ff1e36a014c9d493 | SHA-256 | install-linux.sh |
acf807def82c4b56752a9fa9b081dbb37ba9cc9f6e1c522568ff502b6b49b6db | SHA-256 | install.bat |
48964c11fcbefd6508164239866c94b55ca2798e9745671c37447ad0a6f3e1c4 | SHA-256 | install.sh |
d3ece8616d0dd8244666af574cc2475d947180ed240f49b1a6e61443a896f65d | SHA-256 | main.zip |
3ef838502663c167f5c502585e810ffae3e03152b3f82544b813389c19a33dce | SHA-256 | main.py |
ac4aeab3952f6ca960cbd48c3123f09a68f50818f9bdf35c9d811570893fa102 | SHA-256 | fflg.py |
6a68e95ae67aa8c61bd74ecf5f57f98fbdc0bbe0489ae71b7c8732edf49ac3a9 | SHA-256 | helperwd.py |
c044b1a36249f6fe7219e6c48270d9927bf359110ff3583129dcbdff809f2d2d | SHA-256 | utils.py |
ba8058b704a55e50c24383a765fd74b38d7dbbf8546c4f179266c265403174b8 | SHA-256 | Warpvpn.zip |
warpvpn.net | Domain | Phishing site |
hxxps://ganache.live | Domain | C&C |