The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

PennyWise Infostealer Targets Crypto and Browsers

Jul 28, 2022 9:21:07 AM / by PolySwarm Tech Team

pennywise_Blog

Executive Summary

Cyble recently reported on PennyWise, an infostealer targeting crypto and browsers. PennyWise uses YouTube videos to bait victims into installing what they believe to be Bitcoin mining software.

Key Takeaways

  • PennyWise is a recently discovered infostealer.
  • It targets over 30 browsers and cryptocurrency applications.
  • Threat actors use YouTube videos to bait victims into installing what they believe to be Bitcoin mining software.
What is PennyWise?

PennyWise is an infostealer recently discovered by researchers at Cyble. It targets over 30 browsers and cryptocurrency applications, such as crypto wallets and crypto browser extensions. Browsers targeted include over 30 Chrome-based browsers, more than 5 Mozilla-based browsers, Opera, and Microsoft Edge. Wallets targeted include Zcash, Armory, Bytecoin, Jaxx, Ethereum, Exodus, Electreum, Atomic Wallet, Guarda, and Coinomi. PennyWise is built using a previously undiscovered crypter, making debugging difficult. PennyWise leverages multithreading to steal data, using over 10 threads for fast execution and stealing.

While Cyble did not identify the threat actor responsible for PennyWise, they did discover the initial infection vector used to spread the malware. PennyWise is promoted as a free Bitcoin mining software, using a YouTube video with a download link. An unaware victim downloads the “software”, which is a zipped and passworded malware installer. The threat actors staged a VirusTotal link of an unrelated sample to trick victims into believing the file is legitimate and tricked users into disabling antivirus software to install and execute the malware. Cyble found over 80 YouTube videos used to promote PennyWise.

Once executed, the loader uses process hollowing to inject PennyWise into a legitimate .NET binary named “AppLaunch.exe,” which is the PennyWise payload. PennyWise creates a mutex to ensure only one copy runs on a victim’s machine and terminates if the mutex already exists.

PennyWise steals and exfiltrates data to the threat actor’s C2. This data includes the victim’s username, machine name, system language, timezone, graphics driver, and processor names. It uses the following syntax to create a string to generate an MD5 hash:

mutex_name-Username-Machine_Name-Loanguage_code-Processor_name-Graphics_Driver_Name

The generated hash value is used to name a folder with hidden attributes created in AppData\Local to save the stolen information. It is interesting to note that the malware terminates execution if the victim is based in Russia, Ukraine, Belarus, or Kazakhstan.

PennyWise also uses multiple methods for anti-analysis and anti-detection, so the malware is not executed in a controlled environment. This includes detection of virtual machines and checking for antivirus and sandbox environments. It also terminates if any of the following processes are detected:
  • processhacker
  • netstat
  • netmon
  • tcpview
  • wireshark
  • filemon
  • regmon
  • cain
  • httpanalyzerstdv7
  • fiddler
  • fiddler everywhere
  • httpdebuggersvc
PennyWise then decrypts two strings that were encrypted using the Rijndael algorithm, possibly containing the threat actor’s username and C2 information. Next, the malware creates a folder under the previously created folder using the following format:

UserName@MachineName_Loanguage_code_Year_Month_Date_Hour_Minute_Second@StealerVersion

PennyWise leverages multithreading to steal victim data, with each thread used for a different operation. Operations include stealing victim files, harvesting browser data, stealing data from crypto extensions, stealing chat session data, and taking screenshots. Stolen files are limited to a 20KB file size and only files with RTF,  Doc,  Docx,  txt, and JSON extensions are targeted.

IOCs

PolySwarm has multiple samples of PennyWise.

5b11938d67a8a0c629bf4ec1f8b77c6ba0910546984d4d983f43a25d4e7b72ac

0eb43cef2e674aa72b24cccd36b349ce0e4eb347c0fbf373bc53c97713e8e94f

C5e9d0aa26ca6255559708bcf957d79e3adb4d2b08146cd765182f7b834227f4

01c83c32ab5c2f0fda5c04aee7b02dc30d59c91c1db70e168a6cc1215cc53ab7

Bc709e3aea5732c3d07c7f59ea22f8a5c026e45558d0e2aa3fb35ac78f39d9f4

6dbeb13c7efbd62561bf2fea3b1e3d36021e701b80a993e28498182d0884ce6f

Bf46b901e1899533629b751f28bd4adab3f11f0ddf8b509c9f90af25a1a73b5b

05854ea1958ef0969a2c717ce6cb0c67cd3bcd327badac6aa7925d95a0b11232

e43b83bf5f7ed17b0f24e3fb7e95f3e7eb644dbda1977e5d2f33e1d8f71f5da0

You can use the following CLI command to search for all PennyWise samples in our portal:

$ polyswarm link list -f PennyWise


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports

Topics: Threat Bulletin, Infostealer, Cryptocurrency, PennyWise, YouTube

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts