Cyble recently reported on PennyWise, an infostealer targeting crypto and browsers. PennyWise uses YouTube videos to bait victims into installing what they believe to be Bitcoin mining software.
- PennyWise is a recently discovered infostealer.
- It targets over 30 browsers and cryptocurrency applications.
- Threat actors use YouTube videos to bait victims into installing what they believe to be Bitcoin mining software.
PennyWise is an infostealer recently discovered by researchers at Cyble. It targets over 30 browsers and cryptocurrency applications, such as crypto wallets and crypto browser extensions. Browsers targeted include over 30 Chrome-based browsers, more than 5 Mozilla-based browsers, Opera, and Microsoft Edge. Wallets targeted include Zcash, Armory, Bytecoin, Jaxx, Ethereum, Exodus, Electrum, Atomic Wallet, Guarda, and Coinomi. PennyWise is built with a previously unseen crypter, which makes debugging difficult. It uses multithreading to steal data, running more than 10 threads so that execution and theft complete quickly.
While Cyble did not identify the threat actor behind PennyWise, they did discover the initial infection vector used to spread it. PennyWise is promoted as free Bitcoin mining software through YouTube videos that carry a download link. An unsuspecting victim downloads the “software”, which is actually a password-protected zip archive containing the malware installer. To make the file look legitimate, the threat actors staged a VirusTotal link for an unrelated sample, and they instructed users to disable antivirus software before installing and running the malware. Cyble found over 80 YouTube videos promoting PennyWise.
Once executed, the loader uses process hollowing to inject the PennyWise payload into a legitimate .NET binary named “AppLaunch.exe.” PennyWise creates a mutex to ensure only one copy runs on a victim’s machine and terminates if the mutex already exists.
PennyWise collects system information and exfiltrates it to the threat actor’s C2, including the victim’s username, machine name, system language, timezone, graphics driver, and processor names. It uses the following syntax to build a string from which an MD5 hash is generated:
The resulting hash is used as the name of a hidden folder created under AppData\Local, where the stolen information is saved. Interestingly, the malware terminates if the victim is located in Russia, Ukraine, Belarus, or Kazakhstan.
PennyWise also employs multiple anti-analysis and anti-detection techniques to avoid running in a controlled environment, including detection of virtual machines and checks for antivirus and sandbox environments. It also terminates if any of the following processes are detected:
- fiddler everywhere
PennyWise uses multithreading to steal victim data, with each thread dedicated to a different operation: stealing victim files, harvesting browser data, stealing data from crypto extensions, stealing chat session data, and taking screenshots. File theft is limited to files of at most 20KB with the RTF, Doc, Docx, txt, or JSON extensions.
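As an added defender-side example (not code from PolySwarm or Cyble), the following Python turns two of the behaviours described above into host checks: hidden folders under AppData\Local whose name is a bare MD5 hash (candidate staging folders), and the files the stealer thread would have collected under the 20KB cap and extension list, which helps scope data exposure during incident response. The `Entry` type, function names and the sample listing are assumptions constructed for this example, and the hidden-attribute check relies on `st_file_attributes`, which `os.stat` only provides on Windows.

```python
import ntpath
import os
import re
import stat
from dataclasses import dataclass

# Behaviour from the write-up: a hidden AppData\Local folder named with an MD5 hash,
# and file theft limited to rtf/doc/docx/txt/json files of at most 20KB.
MD5_NAME = re.compile(r"^[0-9a-fA-F]{32}$")
TARGET_EXTS = {".rtf", ".doc", ".docx", ".txt", ".json"}
MAX_STOLEN_SIZE = 20 * 1024  # assumption: "20KB" read as 20 * 1024 bytes

@dataclass
class Entry:  # one filesystem object, decoupled from the OS so the checks run anywhere
    path: str
    size: int
    is_dir: bool
    hidden: bool

def entry_from_path(path):
    """Live-host helper: the hidden flag is an NTFS attribute, present only on Windows."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    return Entry(path, st.st_size, stat.S_ISDIR(st.st_mode),
                 bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN))

def suspicious_staging_dirs(entries):
    """Hidden directories whose bare name is an MD5 hex digest: candidate staging folders."""
    return [e.path for e in entries  # ntpath accepts both \ and / separators
            if e.is_dir and e.hidden and MD5_NAME.match(ntpath.basename(e.path))]

def files_in_scope(entries):
    """Files the stealer thread would have collected, to scope data exposure during IR."""
    return [e.path for e in entries if not e.is_dir
            and ntpath.splitext(e.path)[1].lower() in TARGET_EXTS
            and e.size <= MAX_STOLEN_SIZE]

def scan(root):
    """Walk a directory tree on a live host (e.g. %LOCALAPPDATA%) and apply both checks."""
    entries = [entry_from_path(os.path.join(d, n))
               for d, dirs, files in os.walk(root) for n in dirs + files]
    return suspicious_staging_dirs(entries), files_in_scope(entries)

SAMPLE = [  # constructed listing, not taken from a real host
    Entry(r"C:\Users\u\AppData\Local\9e107d9d372bb6826bd81d3542a419d6", 0, True, True),
    Entry(r"C:\Users\u\AppData\Local\Microsoft", 0, True, False),
    Entry(r"C:\Users\u\Documents\notes.txt", 4096, False, False),
    Entry(r"C:\Users\u\Documents\wallet.JSON", 512, False, False),
    Entry(r"C:\Users\u\Documents\report.docx", 300 * 1024, False, False),
]
```

Running `scan(os.environ["LOCALAPPDATA"])` on a Windows host applies both checks to the real profile; on other platforms the hidden flag is always false, so only the file-scope check is meaningful there.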
PolySwarm has multiple samples of PennyWise.
You can use the following CLI command to search for all PennyWise samples in our portal:
$ polyswarm link list -f PennyWise
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.