
October 22, 2024

Unmasking Braodo: Inside the operations of a relentless info stealer

By Ryan Slaney

With contributions from Hugh Whitewood and Damon Toumbourou.

Last updated: December 3, 2024


In mid-October 2024, Field Effect detected the execution of discovery commands in a client’s environment and promptly isolated the affected host. Upon analysis of the relevant telemetry, we learned that the suspicious activity began immediately after the user opened a Windows screensaver (.scr) file disguised as a PDF by way of a double file extension.

The file was contained in a password-protected ZIP file hosted on a Dropbox URL, which was delivered to the user via a clever phishing email impersonating the TOMS fashion company.


Image 1: Zip file containing lure documents and disguised executable file.


Image 2: Lure document attached to phishing email.

Upon further analysis, we discovered the anomalous execution of pythonw.exe, the windowless Python interpreter, invoking tasklist.exe to look for currently running instances of pythonw.exe. This pythonw.exe process was running with the following arguments:

‘C:\Users\user\AppData\Local\MSApplicationISC9k\pythonw.exe’

‘C:\Users\user\AppData\Local\MSApplicationISC9k\DLLs\rz_317.pd copycoin;’

The ‘rz_317.pd’ file was examined and determined to be a Python script that opens and decrypts the base64-encoded contents of another file called ‘Error_cache.db’.

Despite the threat actor’s attempts to obfuscate the decryption key by providing a decoy key and padding the real one with white space, we were able to decrypt the contents of the Error_cache.db file, which turned out to be another Python script containing descriptive variable and function names that identify it as the Braodo Stealer.

Image 3: Source code of rz_317.pd file showing attempt to obfuscate the AES decryption key.

Information stealing functions

True to its name, the Braodo Stealer is primarily designed to steal credentials, cookies, and credit card numbers stored in browsers, conduct system profiling, and take screenshots.

But that’s just table stakes for any malware that fancies itself an info stealer. When we analyzed this sample, we were more interested in its other functions, such as manipulating TikTok and Facebook ads, stealing and replacing cryptocurrency wallets, and the mechanism it uses to send the data it collects back to the threat actor.

Facebook and TikTok ad manipulation functions

The script contains several functions designed to interact with TikTok and Facebook advertisements in various ways.

Firstly, the script parses cookies retrieved from CocCoc, Edge, Chrome, Opera, Brave, and Firefox browsers. If TikTok or Facebook cookies are found, the script queries the relevant APIs to gather information about the user’s advertisement settings and saves the results to a text file called “TKQC.txt”.

This file, along with other stolen user data, is archived in a ZIP file with the format ‘{MachineInfo.countryCode}_{BotInfo.bot_id}_{datetime.now().strftime(%d-%m-%Y %H-%M-%S)}.zip’ and subsequently exfiltrated.


Image 4: Code snippet for saving Facebook and TikTok cookies.

The script also has a Facebook advertisement collector class called “checkAdsFBClass” that contains functions designed to gather information on both the victim’s business and personal advertisement settings via the following URLs:

  • https://graph.facebook[.]com/v17.0/me/businesses?
  • https://graph.facebook[.]com/v10.0/me/personal_ad_accounts?

The TikTok Ad collector class, called “checkAdsTikTokClass,” is far smaller and functions differently than its Facebook counterpart.

The TikTok component uses the cookies retrieved from the browser in a likely attempt to switch into the victim’s account using the ‘https://ads.tiktok.com/api/v2/i18n/account/account_switch_list’ API. It also collects information from the advertisements, such as ID, name, status, currency, and country, and saves it to the same text file.


Cryptocurrency wallet replacement

In addition to collecting information from dozens of different browser extensions associated with cryptocurrency, the script also has a class called ‘FuncCopyCoin’ that contains functions responsible for clipboard monitoring and manipulation that target cryptocurrency wallet addresses.

The script uses a regex search to monitor the user’s clipboard for copied wallets associated with nine different cryptocurrencies, including Bitcoin, Ethereum, and Dogecoin. When these are observed, the script automatically captures the user’s legitimate wallet and replaces it with the relevant cryptocurrency wallet specified in the script. This results in the user unintentionally transferring funds to an account under the threat actor’s control, instead of the original wallet.

Because cryptocurrency wallets are usually a long series of seemingly random numbers, users often don’t notice the difference between the intended wallet and the one it was replaced with.
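The clipboard-swapping behaviour described above can be caught from the defender's side with the same kind of pattern matching the stealer uses, pointed the other way: if the clipboard held one wallet address a moment ago and now holds a different address of the same coin, something other than the user rewrote it. The following is an added example written for this post, not code from the Braodo sample or from Field Effect; the address patterns are assumed shape-only checks for Bitcoin, Ethereum and Dogecoin (no checksum validation), the two-second window is an assumed tuning value, and all addresses in the demo are constructed placeholders.

```python
import re

# Address-shape patterns for three of the coins named in the post. These are
# assumed, shape-only checks (no checksum validation), written for this
# example rather than taken from the stealer's own regex list.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:bc1[ac-hj-np-z02-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{32}$"),
}


def classify_address(text):
    """Return the coin label whose address shape `text` matches, else None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def detect_swap(copied, pasted):
    """A clipper leaves the clipboard holding a *different* address of the
    *same* coin as the one the user copied. Return that coin label when the
    two values fit that description, otherwise None."""
    copied, pasted = copied.strip(), pasted.strip()
    coin = classify_address(copied)
    if coin is None or classify_address(pasted) != coin or copied == pasted:
        return None
    return coin


class ClipboardWatcher:
    """Feed successive clipboard readings as (value, timestamp in seconds).

    Braodo polls and rewrites the clipboard in a sleep loop, so a substituted
    address shows up moments after the user's copy. A different same-coin
    address seen within `window_seconds` of the previous one is treated as a
    swap; one copied much later is treated as a normal user action."""

    def __init__(self, window_seconds=2.0):
        self.window = window_seconds
        self.last_address = None  # (value, timestamp) of the last address seen
        self.alerts = []          # (coin, original, substituted)

    def observe(self, value, ts):
        coin = classify_address(value)
        if coin is None:
            return None           # not an address; ignore ordinary text
        value = value.strip()
        if self.last_address is not None:
            prev_value, prev_ts = self.last_address
            if ts - prev_ts <= self.window and detect_swap(prev_value, value):
                self.alerts.append((coin, prev_value, value))
                return coin       # keep the user's value as the reference
        self.last_address = (value, ts)
        return None


if __name__ == "__main__":
    # Constructed demo values: a user's address and a substituted one.
    user_btc, swapped_btc = "1" + "A" * 33, "1" + "B" * 33
    watcher = ClipboardWatcher()
    watcher.observe(user_btc, 10.0)
    print("swap detected:", watcher.observe(swapped_btc, 10.4))
    print(watcher.alerts)
```

On a real endpoint the `observe()` calls would be driven by a clipboard-change notification (for example the clipboard sequence number on Windows) rather than by the constructed values in the demo; the time window is what separates a clipper's near-instant rewrite from a user who legitimately copies two addresses minutes apart.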


Image 5: List of regex searches for cryptocurrency wallets and the threat actor-controlled wallets they will be replaced with.

Field Effect analyzed each of the wallets listed in the script and found that they all had $0 balances and no associated transactions, likely indicating that this stealer is yet to be successful in covertly replacing a cryptocurrency wallet.


Image 6: Verification of Bitcoin address showing a $0 balance and no transactions.

Copy of sensitive files

The script has a class called ‘GetDataDocument’ designed to search the user’s Documents and Desktop directories recursively for file names containing ‘.txt’, ‘.doc’, ‘.docx’, ‘key’, ‘wallet’ and ‘seed’.

It then copies these files to the ‘rootPath’ directory at %TEMP%/Public Application[+ 5 random characters]/ in preparation for exfiltration.

This function likely serves to obtain documents that contain details on cryptocurrency accounts, credentials, and other sensitive information the threat actor can use to further exploit the victim.


Image 7: Specification of file types and directories to copy for subsequent exfiltration.

Persistence

The script uses a combination of startup flags, task scheduling, registry modification, file manipulation, and system adaptation to maintain persistence and stay active over time, relaunching as needed.

Firstly, the script checks whether it should run on startup using the ‘OptionRun.isStartup’ flag. If this flag is True, the script appends ‘_startup’ to the bot ID, suggesting that the threat actor is attempting to distinguish new communications from persistent communications.


Image 8: Code snippet showing the run options such as Startup.

The script also creates a scheduled task named ‘Audio Driver Update’ that launches the script whenever the user logs on.

The naming of this task is an obvious attempt to make the malicious script look as benign as possible, especially when combined with its description, ‘Check for updates to the audio driver ‘.


Image 9: Code snippet for creation of the Audio Driver Update scheduled task.

Another form of persistence is established through the creation of a run key, given the generic name ‘Microsoft Service’, in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run component of the Windows registry.

This run key automatically executes Pythonw.exe from the predefined ‘MachineInfo.pathFolderLocal’ path and with an argument of a file in the ‘{MachineInfo.pathFolderLocal}/DLL/’ folder and ‘copycoin’ if that argument is set.


Image 10: Code snippet for creation of ‘Microsoft Service’ run key.
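The two persistence mechanisms above (the ‘Audio Driver Update’ scheduled task and the ‘Microsoft Service’ run key, both launching pythonw.exe from a folder under AppData\Local with a script argument in a DLLs folder and an optional ‘copycoin’ switch) can be hunted for with a small triage script. The following is an added example written for this post, not code from the sample or from Field Effect. It scores persistence entries by name and by command-line shape, parses `schtasks /query /fo CSV /v` output (the ‘TaskName’ and ‘Task To Run’ column names are the ones schtasks prints), and reads the HKCU Run key only when run on Windows; the sample entries are constructed, the MSApplicationISC9k folder name is assumed to vary between builds, and the name lists are only the two names quoted in the post.

```python
import csv
import io
import re
import sys

# Names quoted in the post for the sample's scheduled task and Run value.
KNOWN_NAMES = {"audio driver update", "microsoft service"}

# Observed launcher shape: pythonw.exe inside a per-user AppData\Local folder
# (the folder name, MSApplicationISC9k in this sample, is assumed to vary).
PYTHONW_IN_LOCALAPPDATA = re.compile(r"appdata\\local\\[^\\\"]+\\pythonw\.exe", re.IGNORECASE)
# A script argument kept inside a DLLs folder, as in '...\DLLs\rz_317.pd'.
SCRIPT_IN_DLLS = re.compile(r"\\DLLs\\[^\\\"\s]+", re.IGNORECASE)


def score_command(name, command):
    """Return the reasons one persistence entry (name, command line) resembles
    the Braodo launcher; an empty list means nothing matched."""
    reasons = []
    if name.strip().lower() in KNOWN_NAMES:
        reasons.append("name matches one used by the sample")
    if PYTHONW_IN_LOCALAPPDATA.search(command):
        reasons.append("pythonw.exe launched from AppData\\Local")
        if SCRIPT_IN_DLLS.search(command):
            reasons.append("script argument stored in a DLLs folder")
        if re.search(r"\bcopycoin\b", command, re.IGNORECASE):
            reasons.append("'copycoin' switch present (clipboard wallet swapping)")
    return reasons


def flag_entries(entries):
    """entries: iterable of (name, command). Returns the entries that scored."""
    flagged = []
    for name, command in entries:
        reasons = score_command(name, command)
        if reasons:
            flagged.append({"name": name, "command": command, "reasons": reasons})
    return flagged


def parse_schtasks_csv(text):
    """Turn `schtasks /query /fo CSV /v` output into (task name, command)
    pairs. With /v the header row is repeated per task folder, so rows whose
    TaskName cell is literally 'TaskName' are skipped."""
    pairs = []
    for row in csv.DictReader(io.StringIO(text)):
        name = row.get("TaskName", "")
        if name == "TaskName":
            continue
        pairs.append((name.rsplit("\\", 1)[-1], row.get("Task To Run", "")))
    return pairs


def collect_hkcu_run():
    """Enumerate HKCU\\...\\Run values on Windows; returns [] elsewhere so the
    example still runs on an analyst's Linux or macOS box."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    index = 0
    while True:
        try:
            name, value, _ = winreg.EnumValue(key, index)
        except OSError:  # raised once the last value has been read
            break
        entries.append((name, str(value)))
        index += 1
    return entries


# Constructed sample data mirroring the paths quoted in the post.
BASE = "C:\\Users\\user\\AppData\\Local\\MSApplicationISC9k"
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", "\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"),
    ("Microsoft Service", f"\"{BASE}\\pythonw.exe\" \"{BASE}\\DLLs\\rz_317.pd\" copycoin"),
]
SAMPLE_SCHTASKS_CSV = "\n".join([
    '"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment"',
    f'"HOST","\\Audio Driver Update","N/A","Ready","Interactive only","N/A","0","user","{BASE}\\pythonw.exe {BASE}\\DLLs\\rz_317.pd","N/A","Check for updates to the audio driver"',
    '"HOST","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft","%windir%\\system32\\defrag.exe -c -h -k -g -$","N/A","N/A"',
])

if __name__ == "__main__":
    entries = SAMPLE_RUN_ENTRIES + parse_schtasks_csv(SAMPLE_SCHTASKS_CSV) + collect_hkcu_run()
    for hit in flag_entries(entries):
        print(hit["name"], "->", "; ".join(hit["reasons"]))
```

The name match alone is weak (the actor can rename the task at will), which is why the command-line shape carries most of the weight: a Python interpreter living under a user's AppData\Local folder and started with a non-.py script from a DLLs directory is unusual enough to merit a look regardless of what the entry is called.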

When running, the script uses timing functions (time.sleep()) to continuously check and monitor clipboard contents or system events. It also calculates and logs the total execution time if the ‘OptionRun.isCheckTime’ flag is enabled, likely intended as a mechanism for the threat actor to verify how long the script has been running.

The script is designed to run in the background, with functionality like clipboard monitoring happening continuously without user interaction. This "silent" operation increases the likelihood that the script remains unnoticed and continues to run indefinitely unless explicitly detected and stopped.

The script copies an executable file to a temporary folder and attempts to execute it using os.startfile(). By placing copies of itself or associated files in known directories like MachineInfo.temp_folder, it ensures these components are readily available for relaunch or further actions.

After performing certain tasks, the script removes directories (e.g., MachineInfo.rootPath and parts of the Chromium profile), possibly to evade detection by anti-virus software or system administrators. It also attempts to cover its tracks after gathering information or sending it to Telegram, which helps it persist by reducing the likelihood of being flagged as suspicious software.

Execution exception for Vietnam-based victims

The script specifically checks to see if the system's country code is ‘VN’, for Vietnam. If it is, the script sends a phrase to the Telegram bot indicating as much, then exits.

If the country code is not "VN", the script proceeds to establish persistence, clean up certain directories and temporary files, and begin copying cryptocurrency wallet information.


Image 11: Code that changes the script's behavior based on the country code of the machine.

This feature suggests that the threat actor is not interested in exploiting Vietnam-based victims. Historically, threat actors have used this kind of check to restrict the exploitation of victims located in their own country to avoid attracting any more attention from law enforcement agencies than necessary.

In some countries, such as Russia, cybercriminals are often allowed to operate as long as they share some of their profits with corrupt law enforcement authorities and avoid targeting users within their own country.

The script also includes several Vietnamese phrases that further suggest its authors are located in Vietnam, or at least speak Vietnamese. For example, the script includes a function called lay_chuoi.giua (lấy chuối giữa) which translates to ‘take the middle banana’ and is used to retrieve tokens from the victim’s Facebook Ads Manager profile.

Exfiltration

The script’s primary mechanism of exfiltrating the data it collects is handled by a function called ‘FuncSendTele’. This function packages and sends the data to one of two Telegram bots previously specified in the script via an HTTP POST request to https://api.telegram[.]org, Telegram’s API for managing bots.

Fortunately for us, the script included two cleartext Telegram bot tokens that we could use to query Telegram’s API for more information. This resulted in identifying the username associated with the primary and backup bots as ‘scut6bot’ and ‘check_err_bot’ respectively.
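Both the exfiltration channel described here and the archive naming convention quoted earlier (‘{MachineInfo.countryCode}_{BotInfo.bot_id}_{datetime.now().strftime(%d-%m-%Y %H-%M-%S)}.zip’) are detectable from endpoint telemetry without ever touching the stealer's code. The following is an added example written for this post, not code from the sample or from Field Effect: it scans JSON-lines telemetry for a non-browser process calling api.telegram.org, flags Bot API paths of the form /bot<id>:<secret>/<method>, and flags ZIP files written with the Braodo naming pattern. The event schema, the browser allowlist and the minimum token length are assumptions, and the sample events (including the bot token) are constructed placeholders.

```python
import json
import re

TELEGRAM_BOT_API_HOST = "api.telegram.org"
# Bot API URL shape: /bot<bot_id>:<secret>/<method>. The minimum secret
# length is an assumed heuristic, not a documented constant.
BOT_TOKEN_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]{30,}/(\w+)")
# Archive name format quoted in the post:
# {countryCode}_{bot_id}_{%d-%m-%Y %H-%M-%S}.zip  (bot_id may itself contain '_')
BRAODO_ARCHIVE = re.compile(r"^[A-Z]{2}_.+_\d{2}-\d{2}-\d{4} \d{2}-\d{2}-\d{2}\.zip$")
# Assumed per-site allowlist of processes expected to reach the Bot API.
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}


def inspect_event(event):
    """Return a list of alert reasons for one telemetry event (a dict with a
    'type' of 'network' or 'file_write'); an empty list means no finding."""
    reasons = []
    if event.get("type") == "network":
        host = event.get("host", "").lower()
        proc = event.get("process", "").lower()
        if host == TELEGRAM_BOT_API_HOST and proc not in ALLOWED_PROCESSES:
            reasons.append(f"{proc} contacted {host}")
            match = BOT_TOKEN_PATH.match(event.get("path", ""))
            if match:
                reasons.append(f"Bot API method {match.group(1)} called with an embedded bot token")
    elif event.get("type") == "file_write":
        # Normalise Windows and POSIX separators, then keep the file name only.
        name = event.get("path", "").replace("\\", "/").rsplit("/", 1)[-1]
        if BRAODO_ARCHIVE.match(name):
            reasons.append(f"archive name matches the Braodo exfil pattern: {name}")
    return reasons


def scan_events(lines):
    """lines: iterable of JSON-lines telemetry. Returns [(event, reasons)]."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = inspect_event(event)
        if reasons:
            hits.append((event, reasons))
    return hits


# Constructed JSON-lines telemetry (not real logs); the token is a placeholder.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"type": "network", "process": "chrome.exe", "host": "api.telegram.org", "path": "/"},
    {"type": "network", "process": "pythonw.exe", "host": "pypi.org", "path": "/simple/"},
    {"type": "network", "process": "pythonw.exe", "host": "api.telegram.org",
     "path": "/bot123456789:PLACEHOLDER_TOKEN_00000000000000000/sendDocument"},
    {"type": "file_write", "process": "pythonw.exe",
     "path": "C:\\Users\\user\\AppData\\Local\\Temp\\Public ApplicationAb3xZ\\CA_bot01_startup_22-10-2024 14-05-33.zip"},
    {"type": "file_write", "process": "explorer.exe", "path": "C:\\Users\\user\\Documents\\report_2024.zip"},
]]

if __name__ == "__main__":
    for event, reasons in scan_events(SAMPLE_EVENTS):
        print(event["process"], "|", "; ".join(reasons))
```

The process-to-destination pairing is the durable part of this rule: bot tokens and archive names are trivial for the actor to change, but an interpreter such as pythonw.exe posting to the Telegram Bot API from a user profile directory is the behaviour that the mitigation section below recommends monitoring for, whatever the current build looks like.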


Image 12: GET requests to Telegram API returning usernames associated with bot tokens.


Image 13: Telegram profiles associated with the bot’s usernames.

These tokens also allowed us to query Telegram’s API for any messages the bots may have received from users infected with the Braodo stealer, which could potentially offer valuable insight into the stealer’s victimology.

However, while the queries were successful, no results were returned. This may be because the threat actor had already viewed and deleted the messages, because the tokens lacked sufficient permissions, or because the stealer has not yet sent any exfiltrated data to the bots.


Image 14: GET requests to Telegram API for messages handled by the bots returning no results.

Once we had identified the usernames associated with the bots, and were satisfied there were no messages that could be read by querying them, we reported the bots to Telegram.

Conclusion

In modern cybercrime, information-stealing malware like Braodo is widely used by low- and high-skill threat actors to harvest sensitive information such as login credentials, cryptocurrency wallets, financial data, and other personal details.

They are easily distributed through phishing emails, malicious downloads, fake software updates, and compromised websites. Additionally, they offer a high return on investment as the data they steal are highly valuable on underground markets and can be sold or used for further cyberattacks or identity and financial fraud.

As such, threat actors are unlikely to stop using information-stealing malware anytime soon.

Mitigation

Fortunately, organizations have many options when it comes to mitigating the risk posed by info stealers and other malware, such as the following:

  • Endpoint & network protection and monitoring: Implement, and keep up to date, a cybersecurity solution that monitors for suspicious files, behaviors, and network connections like those identified above. Field Effect MDR, for example, can detect suspicious files and automatically block the execution of malicious files such as the one we analyzed. It can also monitor for suspicious network connections such as the Telegram API, The Onion Router (TOR) sites, non-corporate VPNs, and more.
  • Security awareness training: Often the intuition of a human user serves as the last line of defense between a malicious phishing email and the compromise of an entire network. Thus, organizations must train their employees to recognize and report phishing attempts, such as suspicious emails or links that ask them to download software or provide credentials. Additionally, phishing simulations help employees better recognize malicious attempts by sending realistic, yet benign, phishing emails.
  • Cryptocurrency wallet security: Cold wallets allow users to store their cryptocurrency offline, making it much more difficult for malware, such as an information stealer, to access. Users can also use multi-signature wallets for transactions as these require multiple private keys to sign and authorize transactions. This adds an extra layer of security, even if one key is compromised.

Field Effect recommends adopting the measures above as part of a multi-layered cybersecurity strategy that is audited periodically for efficiency and effectiveness.

Indicators of Compromise

File Name / SHA256:

  • 14A9. Advertising Data_Budget_Service Requests.pdf.scr / 6c0abf91fe5f6621faa7955c454e6ef46ae100ad2f9123166d0fd7f60a86351a
  • Error_cache.db / d627b3f09cdfc31889a80687a0f6ef40f91c74ec067edccdda1964e706f91d30
  • rz_317.pd / 90c73af35f718b2512b01aaa02d95486caa5659b0d1f9bb575ffb01f0d640648

Registry Key / Value

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run / f"\"{os.path.join(MachineInfo.pathFolderLocal,"pythonw.exe")}\" \"{os.path.join(MachineInfo.pathFolderLocal,"DLLs",OptionRun.nameFile)}\"{" copycoin" if OptionRun.isCopyCoin else ""}"
