/KSGrabber-MalwareAnalysis

My analysis of the malware known as "KSGrabber"

Primary language: JavaScript

KSGrabber malware analysis

This is my rebuild and analysis of the malware known as "KSGrabber"; it was mostly written by Stanley-GF. This malware stole numerous accounts on, before and after September 3rd, 2021. As far as I'm concerned, Stanley isn't the attacker or to blame, so don't harass him; he only releases code for educational reasons, as most do.

The code analysis is already complete and the project is fully documented. However, this is my in-depth explanation of how this piece of malware works and the timeline in which the events took place.

This piece of malware is pretty rudimentary and, for as invasive as it is, it's fairly non-invasive at the same time. By this I mean that this piece of malware is only there to collect data and cover its tracks as best it can. Though this is very much an oxymoron, as it's also a worm.

From what I've found, this malware is here to steal as much data as possible from the user, as well as to steal the user's Discord account if it has specific badges. In particular, I was informed of the following by a victim who had spoken with the attacker, as well as by Johnny, who was given his account back by the person who bought it. The attacker is stealing any account that has the "Early Supporter" badge. Judging by the JavaScript I was able to read, it appears this is done autonomously by the code that gets written to Discord's folder. However, it should be noted that I'm not completely sure how the malicious JavaScript payload works fully yet; all I know now is that it's able to be run multiple times. The code was far too obfuscated for me to manually deobfuscate; after many different attempts, I could only get it partly readable using multiple deobfuscators. It should also be noted that I confidently believe my flowchart is 1:1 with the order in which the code is executed. That said, it appears that the automation for purchasing Nitro, if there is any, isn't functioning: one victim didn't have any Nitro purchases even though the account was completely compromised.

The malware takes many pieces of code from Stanley-GF's and NightFallGT's stealer repos, as well as what seems to be a stealer called "Kief Grabber". This appears to be used in the backend to collect the anonfiles links as well as any error reporting. Overall this is a conglomeration of many different pieces of different stealers, which made me misname it multiple times in my initial thread.

Below are the different repos that it utilizes for malicious purposes

Timeline (WIP)

  • 9/3/2021

    Potential second-generation victim posts about infection

  • 9/4/2021

    Potential second-generation victim JohnnyBulletSeeds posted to Instagram that he was hacked

    8:58pm EST I messaged Johnny asking for the files

    9:45pm EST Johnny sent me the files and I started my analysis

    Initial brief analysis was constructed on Twitter across the span of 3 hours to assess the damage and construct preventative measures to secure any stolen data.

  • 9/7/2021

    JohnnyBulletSeeds' account was given back by someone who bought it

    10:04pm EST Johnny gives me a link to a new file that the attacker sent on his account. Currently pending investigation; it appears to be malware but is very obfuscated and packed.

  • 9/11/2021

    A new strain was given to me to be analyzed; I found that only a few lines of code changed, regarding the webhook, and that was it.

  • 9/13/2021

    Author of the malware, Stanley-GF, opens an issue on the repo; more information on how the malware works is uncovered thanks to bytixo.

Features

  • Discord token stealer
  • Discord Injection
  • Chrome/Firefox/Edge cookie stealer
  • Chrome/Microsoft Edge password stealer
  • Minecraft account stealer
  • Network stealer
  • User information stealer

Features overview*

| Feature | Description |
| --- | --- |
| Token Stealer | If the victim is logged into Discord via web or desktop, it looks in the local storage of the browser/application for the Discord token. |
| Discord Injector | Injects malicious JavaScript into the Discord folder in order to spread the malware, as well as to check if the user has certain badges, Nitro or a card connected. If certain conditions are true it will attempt to change the email and password. |
| Cookie Stealer | Checks all paths to see if any supported browsers are installed; any and all cookies provided by websites are stolen. |
| Password Stealer | Checks Edge's and Chrome's stored website credentials; if any are found it will steal the URL, username or email, and password. |
| Minecraft Stealer | Any accounts logged into Minecraft get their session token stolen. |
| Network Stealer | Uses Windows API calls to steal the SSID and password of any and all past or present WiFi connections. |
| User Info Stealer | Steals basic information about the user: username, computer name, user's domain name, WAN IP, hostname and the current directory the malware is located in. |
| Screen Capture | Takes a screenshot of every monitor. |

*only applies if the program is downloaded/you are logged in

Life cycle of the worm

This flowchart breaks down how every feature works, as well as the order they go in. If you'd like more information regarding how each specific feature works, open one of the links above or read through the entire code; everything is documented.

Conclusion and resolution

Conclusion

For those that have been unfortunate enough to have fallen victim to this malware, this is a very lucky learning experience. I say this because for the most part you'll come out relatively unscathed, perhaps missing a Discord account or with a frozen bank account. However, as far as your computer stands, it is completely uninfected and safe to use again. My advice is, if you're going to download a file from a friend, even if it's someone you wholeheartedly trust, to scan it on VirusTotal. You may never know who is behind the screen sending it, or if it's a person at all; their account very well could be compromised. This isn't to say never to trust your friends, but rather to be cautious when it comes to downloading strange files on the internet, regardless of where they come from. Finally, I highly discourage the use of the "Save Password" function built into browsers; it is incredibly easy to steal credentials that way if your computer ever becomes compromised. If you have a bad memory and want to avoid repeating passwords, I suggest using a password manager like LastPass or similar.

Resolution

For those who may have stumbled upon this after just being infected, my advice stays the same as before.
However, I will reiterate myself:

  1. Remove the malicious JavaScript through option A or B

    A)

    1. Locate your Discord installation
    2. Navigate to: app-1.0.9002\modules\discord_desktop_core-3\discord_desktop_core or similar
    3. Delete the PirateStealerBTW folder
    4. Replace the contents of index.js with module.exports = require('./core.asar');
    5. Restart Discord
    6. Change your Discord password

    B)

    1. Re-install Discord completely
    2. Verify the PirateStealerBTW folder is gone and your index.js only has one line
    3. Change your Discord password
  2. For any critical accounts (banking/PayPal), change your passwords

    Prioritize the most important accounts, as the session tokens may have been compromised when your
    cookies were stolen. They could also be compromised through the credentials stolen from
    Edge or Chrome if you clicked the "Save password" pop-up.

  3. Launch Minecraft again to make the current session token expire

  4. Never repeat the same password

    After an attack like this, it's the perfect time to start using more complex, unique passwords.
    I highly suggest using a password manager, as I mentioned earlier, to ease yourself into this process;
    you will not want to re-use any of the passwords that may have been compromised in the attack.
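The Discord injection described in the features overview and the manual cleanup in step 1 of the resolution both come down to one check: index.js inside discord_desktop_core should be a single line, and no PirateStealerBTW folder should sit beside it. The script below is an added example written for this page; it is not code from the KSGrabber-MalwareAnalysis repo or from the original stealer. It walks a Discord install root, flags any discord_desktop_core whose index.js differs from the stock one-liner or has the stealer folder next to it, and can restore the stock loader. It assumes the stock loader is exactly `module.exports = require('./core.asar');` and the folder name `PirateStealerBTW`, both as stated in this README; the demo builds a constructed Discord-like directory layout in a temporary folder rather than touching a real install, and the stand-in "injected" index.js only contains an extra `require` line, not any payload.

```python
"""Added example (not part of the KSGrabber-MalwareAnalysis repo): check a Discord
install for the index.js injection described in the README and restore the stock
loader. Assumptions: the stock index.js is the single line STOCK_INDEX below, and
the injection leaves a folder named PirateStealerBTW beside it (both per the README).
"""
import re
import shutil
import tempfile
from pathlib import Path

STOCK_INDEX = "module.exports = require('./core.asar');"   # stock loader line (README step A4)
STEALER_DIR = "PirateStealerBTW"                            # folder name from README step A3
# Layout from README step A2: app-<version>\modules\discord_desktop_core-<n>\discord_desktop_core
CORE_GLOB = "app-*/modules/discord_desktop_core*/discord_desktop_core"


def find_core_dirs(discord_root: Path) -> list:
    """Return every discord_desktop_core directory under a Discord install root."""
    return sorted(discord_root.glob(CORE_GLOB))


def inspect_core(core_dir: Path) -> dict:
    """Inspect one discord_desktop_core directory and return findings."""
    index = core_dir / "index.js"
    text = index.read_text(encoding="utf-8", errors="replace") if index.exists() else ""
    # Collapse whitespace and quote style so a pristine file with a trailing newline
    # or double quotes is not reported as tampered.
    normalised = re.sub(r"\s+", " ", text).strip().replace('"', "'")
    non_empty = [line for line in text.splitlines() if line.strip()]
    return {
        "path": str(core_dir),
        "index_missing": not index.exists(),
        "injected": normalised != STOCK_INDEX,       # anything but the one stock line
        "extra_lines": max(0, len(non_empty) - 1),   # how many lines beyond the stock one
        "stealer_dir": (core_dir / STEALER_DIR).is_dir(),
    }


def is_compromised(findings: dict) -> bool:
    """Either indicator alone is enough to treat the install as tampered."""
    return findings["injected"] or findings["stealer_dir"]


def remediate(core_dir: Path) -> None:
    """README option A, steps 3 and 4: drop the stealer folder, restore the stock loader."""
    stealer = core_dir / STEALER_DIR
    if stealer.is_dir():
        shutil.rmtree(stealer)
    (core_dir / "index.js").write_text(STOCK_INDEX + "\n", encoding="utf-8")


def build_demo_install(root: Path, infected: bool) -> Path:
    """Construct a fake Discord layout for the demo (constructed sample, not a real install)."""
    core = root / "app-1.0.9002" / "modules" / "discord_desktop_core-3" / "discord_desktop_core"
    core.mkdir(parents=True)
    if infected:
        (core / STEALER_DIR).mkdir()
        (core / STEALER_DIR / "placeholder.js").write_text("// constructed stand-in, no payload\n")
        # Constructed stand-in for an injected loader: an extra require ahead of the stock line.
        (core / "index.js").write_text(
            "require('./PirateStealerBTW/placeholder.js');\n" + STOCK_INDEX + "\n")
    else:
        (core / "index.js").write_text(STOCK_INDEX + "\n")
    return core


def demo(infected: bool = True) -> tuple:
    """Inspect a constructed install, clean anything flagged, inspect again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_install(root, infected=infected)
        before = [inspect_core(c) for c in find_core_dirs(root)]
        for core in find_core_dirs(root):
            if is_compromised(inspect_core(core)):
                remediate(core)
        after = [inspect_core(c) for c in find_core_dirs(root)]
        return before, after


if __name__ == "__main__":
    before, after = demo()
    for label, findings in (("before", before[0]), ("after", after[0])):
        state = "COMPROMISED" if is_compromised(findings) else "clean"
        print(f"{label}: {state} injected={findings['injected']} "
              f"extra_lines={findings['extra_lines']} stealer_dir={findings['stealer_dir']}")
```

To run this against a real machine, pass the Discord install root to find_core_dirs instead of the constructed layout; on Windows that is normally %LOCALAPPDATA%\Discord (an assumption about the default install location, not something this README states). Cleaning the folder and index.js only removes the injection: the token was already exfiltrated when the stealer ran, so the password change in the README's steps A6/B3 is still required to invalidate it.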