create xclient stealer osquery

Cisco-Talos · Apr 2, 2024 · 4fcacb1 · 4fcacb1
1 parent d2e7f14
commit 4fcacb1
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 0 deletions.
diff --git a/packs/win_malware.conf b/packs/win_malware.conf
@@ -1144,6 +1144,15 @@
                 "windows"
             ]
         },
+        "malware_xclient_stealer_file_artifact": {
+            "query": "SELECT f.path, f.directory, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime, 'unixepoch', 'UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type FROM file f LEFT JOIN hash h ON f.path=h.path WHERE f.directory LIKE '\\Users\\%\\AppData\\Local\\%\\%\\User Data\\%%' AND LOWER(f.filename) IN ('login data_coppy', 'cookies_coppy','web data_coppy')",
+            "interval": 86400,
+            "snapshot": true,
+            "description": "XClient stealer is an information stealer known for stealing victims' credentials, browser data, and social media accounts. It targets Chrome, Microsoft Edge, Opera, Brave, CocCoc, and Firefox and copies browser data files such as cookies, web data, and login data to prepare them for extraction. XClient stealer is known to be used as a final payload by the threat actor CoralRaider.",
+            "platform": [
+                "windows"
+            ]
+        },
         "malware_sidecopy_filebrowser_path": {
             "query": "SELECT f.path, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime, 'unixepoch','UTC') AS last_access_time,  DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified,  DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time,  DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type FROM file f LEFT JOIN hash h ON f.path=h.path WHERE (f.path LIKE 'C:\\Users\\%\\AppData\\Local\\Temp\\__\\ulog.txt' OR f.path LIKE 'C:\\Users\\%\\AppData\\Local\\Temp\\__\\%_di_output.txt')\n",
             "interval": 86400,

diff --git a/win_malware/malware_xclient_stealer_file_artifact.yaml b/win_malware/malware_xclient_stealer_file_artifact.yaml
@@ -0,0 +1,24 @@
+XClient Stealer File Artifact:
+  query: SELECT f.path, f.directory, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size,
+    DATETIME(f.atime, 'unixepoch', 'UTC') AS last_access_time,
+    DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified,
+    DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time,
+    DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type
+    FROM file f LEFT JOIN hash h ON f.path=h.path
+    WHERE f.directory LIKE '\Users\%\AppData\Local\%\%\User Data\%%'
+    AND LOWER(f.filename) IN ('login data_coppy', 'cookies_coppy','web data_coppy')
+  interval: 86400
+  snapshot: true
+  description: XClient stealer is an information stealer known for stealing victims'
+    credentials, browser data, and social media accounts. It targets Chrome, Microsoft
+    Edge, Opera, Brave, CocCoc, and Firefox and copies browser data files such as
+    cookies, web data, and login data to prepare them for extraction. XClient stealer
+    is known to be used as a final payload by the threat actor CoralRaider.
+  references:
+  - 4dc9fe269cd668894c7ea4dd797cba1d2a8df565e9bdd814e969247c94b39643
+  mitre_tactics:
+  - Collection: TA0009
+  mitre_techniques:
+  - Local Data Staging: T1074.001
+  platform:
+  - windows