sha1:
- daf7bf74dc54b8eb98be2f140c82c4ae1ea1f10e (profapi.dll)
Description
A malicious program written in C++ and a component of the Trojan.Scavenger family. It is a dynamic library whose main function is to steal user data from the Exodus crypto wallet app.
Operating routine
Trojan.Scavenger.4 is downloaded into the infected system by another trojan from the same family. It is saved as the file profapi.dll in the Exodus software directory and launched as a component of this crypto wallet by exploiting the DLL Search Order Hijacking vulnerability.
Checking the running environment
When launched, Trojan.Scavenger.4 performs an environment check, which is standard for this family. If it detects signs that it is being launched in a virtual environment or debug mode, it stops working.
Hooking the function v8::String::NewFromUtf8
The trojan obtains the list of modules loaded into the process through the list PEB->LDR->InMemoryOrderModuleList and searches for the function
?NewFromUtf8@String@v8@SA?AV?$MaybeLocal@VString@v8@2@PEAVIsolate@2@PEBDW4NewStringType@2@H@Z among the export functions of these modules. This particular function is part of the V8 engine for operating with JavaScript and WebAssembly; all the lines used in the code are generated through it.
By hooking this function, Trojan.Scavenger.4 is able to monitor all JSONs generated by the target app and obtain various user data. In this particular case the trojan searches for a JSON with the key passphrase and then reads its value. As a result, it obtains from the crypto wallet the user’s mnemonic phrase that can decrypt or generate a private key.
After getting the mnemonic phrase, the trojan forms a path to the wallet’s private key and reads it:
%USERPROFILE%\AppData\Roaming\Exodus\exodus.wallet\seed.secoNext, it sends the collected crypto wallet-related user data to the C2 server.
Sending data to the C2 server
Prior to sending the data to the C2 server, Trojan.Scavenger.4 performs the encryption key creation-and-check procedure that is standard to most of the trojans from the same family. After that, the route /c/x is used to send the data.
Request with the route /c/x
Collected user data is sent to the C2 server in two stages. The request has the parameter i, which is responsible for the current stage.
Request parameter /c/x?i=1
In this request, the trojan generates the string %USERNAME%|<passphrase>, which is then encrypted with the XXTEA algorithm and base64, and then sent to the C2 server. In response, the server sends the identifier id that will be used at the second stage.
Request parameter /c/x?i=2
The trojan sends the crypto wallet’s private key (a file seed.seco). The parameter id, which the trojan received in the server’s response during the first stage, is added to this request.
More about Trojan.Scavenger.2
News about the trojan
Indicators of compromise
