World Wind Stealer 2023
This post is about World Wind Stealer 2023, which first appeared in the cyber threat landscape in April 2020, and the new variants of the malware. Stealing information is fundamental to cybercriminals today to scope and gain access to systems, profile organizations, and execute larger payday schemes like ransomware. Information stealer malware families such as Prynt Stealer are often configured through a builder to facilitate the process for less sophisticated threat actors. However, Zscaler ThreatLabz researchers have uncovered that the Prynt Stealer builder, also attributed with WorldWind and DarkEye, has a secret backdoor in the code that ends up in every derivative copy and variant of these malware families. The backdoor sends copies of victims' exfiltrated data gathered by other threat actors to a private Telegram chat monitored by the builder's developers.

While this untrustworthy behavior is nothing new in the world of cybercrime, the victims' data end up in the hands of multiple threat actors, increasing the risk of one or more large scale attacks to follow.
Key points
Prynt Stealer is an information stealer that has the ability to capture credentials that are stored on a compromised system, including web browsers, VPN/FTP clients, as well as messaging and gaming applications.
The Prynt Stealer developer based the malware code on open source projects including AsyncRAT and StormKitty.
Prynt Stealer uses Telegram to exfiltrate data that is stolen from victims.
The Prynt Stealer malware author added a backdoor Telegram channel to collect the information stolen by other criminals.
The information stealer malware families known as WorldWind and DarkEye are nearly identical to Prynt Stealer.
Prynt Stealer is a relatively new information stealer malware family that is written in .NET. The malware has previously been analyzed in depth, including its information harvesting capabilities and the targeted applications. Zscaler ThreatLabz has since uncovered more information about the malware, including that the codebase is derived from at least two other open source malware families: AsyncRAT and StormKitty. This blog will focus on these shared codebases, the modifications introduced by the Prynt Stealer author (including a backdoor), and the very close relationship with WorldWind and DarkEye.
Prynt Stealer Origins
Prynt Stealer is not only inspired by open source malware families, but shares code that appears to have been directly copied and pasted from these repositories. Many parts of the Prynt Stealer code that were borrowed from other malware families are not used, but are nevertheless present in the binary as dead, unreachable code. The Prynt Stealer code is primarily derived from AsyncRAT (a flexible RAT) and StormKitty (an information stealer). The AsyncRAT code is used as the main module with a modified entry point that calls the StormKitty stealer method. Prynt Stealer executables are configured using a builder that has no options to modify the embedded components, which are pre-configured mostly just to run the StormKitty stealer module. Most of AsyncRAT's functionality in Prynt Stealer is disabled and the command-and-control (C&C) URLs are configured to 127.0.0.1. While the AsyncRAT network component of Prynt Stealer is disabled, the malware contains the embedded certificate shown below:
"issuer": "CN=WorldWind Stealer",
"subject": "CN=WorldWind Stealer",
"to_date": "9999-12-31T23:59:59",
"version": "v3",
"from_date": "2021-07-13T04:51:06",
"serial_number": 852016614067188563094399707801818649
Note that the common name for this certificate is WorldWind Stealer, which is also sold by the Prynt Stealer malware author.

AsyncRAT/StormKitty Code Comparison
The Prynt Stealer author added two new fields (highlighted in Figure 1) to the AsyncRAT configuration codebase for data exfiltration through Telegram.
Prynt Stealer configuration vs AsyncRAT configuration
Figure 1: Side-by-side comparison of a Prynt Stealer configuration (left) with an original AsyncRAT configuration (right)
The main code responsible for sending data to Telegram is copied from StormKitty with a few minor changes in text, as shown in Figure 2.
Side-by-side comparison of Prynt Stealer's UploadFile with StormKitty's SendSystemInfo function
Figure 2: Side-by-side comparison of Prynt Stealer's UploadFile with StormKitty's SendSystemInfo function
The main difference is that the field names and order have changed, and a field related to detecting porn websites is missing from Prynt.
A Detailed Look at Prynt Stealer Modifications
Anti-Detection Techniques
Prynt Stealer does not use the anti-analysis code from either AsyncRAT or StormKitty, with one exception: the malware creates a thread that invokes the function named processChecker (shown in Figure 3) in AsyncRAT's static constructor. The thread is started at the end of the main function after the stolen logs are sent.
Prynt Stealer process checker thread
Figure 3: Prynt Stealer process checker thread's code
Prynt Stealer uses this thread to continuously monitor the victim's process list. If any of the following processes are detected, the malware will block the Telegram C&C communication channels:
taskmgr
processhacker
netstat
netmon
tcpview
wireshark
filemon
regmon
cain
Telegram Command Thread
Prynt Stealer creates a thread that polls for a file to download using the Telegram getUpdates API, as shown in Figure 4. Of note, this download command only saves the file on the target system and does not take any further actions that might be expected, like executing a second-stage payload or updating the malware.
Prynt Stealer Telegram download command
Figure 4: Prynt Stealer Telegram download command
Crowdsourcing Stolen Logs
Prynt Stealer steals data from a large number of applications, and the data is sent to a Telegram channel that is configured using the builder shown in Figure 5.
Prynt Stealer builder
Figure 5: Prynt Stealer builder
The Prynt Stealer logs are sent to the operator's Telegram. However, there is a catch: a copy of the log files is also sent to a Telegram chat presumably embedded by the Prynt Stealer author, as shown below in Figure 6.
Prynt Stealer backdoor sending log files to two different Telegram chats
Figure 6: Prynt Stealer backdoor sending log files to two different Telegram chats
ThreatLabz has observed similar approaches employed by malware authors in the past as well, where the malware has been given away for free. This allows a malware author to benefit from unsuspecting cybercriminal customers who perform the heavy lifting of infecting victims. The fact that all Prynt Stealer samples encountered by ThreatLabz had the same embedded Telegram channel suggests that this backdoor channel was intentionally planted by the author. Apparently, the Prynt Stealer author is not only charging some customers for the malware, but also receiving all the data that is stolen. Note that there are cracked/leaked copies of Prynt Stealer with the same backdoor, which in turn will benefit the malware author even without direct compensation.
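A triage check for the double-exfiltration behavior described above, added here as an example and not code from the original post or from ThreatLabz: it scans a sample's raw bytes for Telegram Bot API endpoints and the chat IDs they target, and flags a sample whose bot reports to more than one chat. The sample strings, token and chat IDs are constructed placeholders, not real indicators.

```python
import re
from dataclasses import dataclass, field

# Telegram Bot API requests carry the bot token in the URL path as
# "bot<numeric id>:<secret>" and the destination chat as "chat_id=<id>".
BOT_TOKEN_RE = re.compile(rb"bot(\d{6,12}):([A-Za-z0-9_-]{30,})")
CHAT_ID_RE = re.compile(rb"chat_id=(-?\d{5,20})")


@dataclass
class TelegramIndicators:
    bot_ids: set = field(default_factory=set)
    chat_ids: set = field(default_factory=set)

    @property
    def multiple_chats(self) -> bool:
        # A sample reporting to more than one chat is the pattern this post
        # describes: the operator's chat plus the author's hardcoded one.
        return len(self.chat_ids) > 1


def extract_telegram_indicators(data: bytes) -> TelegramIndicators:
    """Pull Telegram bot IDs and chat IDs out of a sample's raw bytes.

    .NET string literals are stored as UTF-16LE, so each ASCII character is
    followed by a NUL byte; a second pass with NULs stripped catches those.
    Stripping NULs is a heuristic that can join unrelated bytes, which the
    length limits in the patterns keep mostly harmless.
    """
    found = TelegramIndicators()
    for blob in (data, data.replace(b"\x00", b"")):
        found.bot_ids.update(m.group(1).decode() for m in BOT_TOKEN_RE.finditer(blob))
        found.chat_ids.update(m.group(1).decode() for m in CHAT_ID_RE.finditer(blob))
    return found


# Constructed sample (placeholder token and chat IDs, not real indicators):
# one exfil URL for the operator's chat and a second one, using the same
# bot, for a chat the operator never configured.
SAMPLE_ASCII = (
    b"https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    b"/sendDocument?chat_id=1111111111\x00"
    b"https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    b"/sendDocument?chat_id=2222222222\x00"
)
# The operator URL alone, stored the way a .NET (UTF-16LE) literal would be.
SAMPLE_UTF16 = (
    "https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "/sendDocument?chat_id=1111111111"
).encode("utf-16-le")


def triage(data: bytes) -> str:
    """Return a short verdict string for a sample's bytes."""
    ind = extract_telegram_indicators(data)
    if not ind.bot_ids:
        return "no Telegram bot token found"
    if ind.multiple_chats:
        return f"SUSPECT: bot(s) {sorted(ind.bot_ids)} report to {len(ind.chat_ids)} chats"
    return f"single chat: bot(s) {sorted(ind.bot_ids)} -> {sorted(ind.chat_ids)}"


if __name__ == "__main__":
    print(triage(SAMPLE_ASCII))   # two chats for one bot
    print(triage(SAMPLE_UTF16))   # one chat
```

Run it against the output of a strings tool or the raw file bytes; a single bot token paired with two chat IDs is the signal worth a closer look.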
Prynt Stealer / WorldWind / DarkEye: Multiple Faces of the Same Malware
ThreatLabz has identified at least two more Prynt Stealer variants, dubbed WorldWind and DarkEye, that appear to be written by the same author. All three strains are nearly identical with some minor differences. Prynt Stealer is the most popular brand name for selling the malware, while WorldWind payloads are the most commonly found in the wild. DarkEye is not sold or mentioned publicly; however, it is bundled as a backdoor with a "free" Prynt Stealer builder. Figure 7 shows a pie chart of the percentage of samples by name observed by ThreatLabz over the past year.
Distribution of Prynt Stealer, WorldWind and DarkEye payloads in the wild over the past year
Figure 7: Distribution of Prynt Stealer, WorldWind and DarkEye payloads in the wild over the past year
Both Prynt and WorldWind have been sold by the same author on the following websites:

Marketplace website | Malware name | Status
shop.prynt[.]market | WorldWind | Inactive
market.prynt[.]market | Prynt Stealer | Inactive
Screenshots of these websites (offline at the time of publication) are shown in Figure 8.
market.prynt[.]market selling Prynt Stealer and shop.prynt[.]market selling WorldWind side-by-side
Figure 8: market.prynt[.]market selling Prynt Stealer and shop.prynt[.]market selling WorldWind side-by-side
Various websites and criminal forums have offered cracked versions of Prynt Stealer, and the code has been uploaded to GitHub for free under different names. Prynt (with the same Telegram backdoor) has also been offered for free on Telegram channels used by cybercriminals, as shown in Figure 9.
Prynt Stealer offered for free on a cybercriminal Telegram channel
Figure 9: Prynt Stealer offered for free on a cybercriminal Telegram channel
The distributed builder is backdoored with DarkEye Stealer and Loda RAT. This may be a deliberate leak by the Prynt Stealer threat actor, because they will benefit from the data stolen from victims.

Feature/Code Comparison
Table 1 shows the feature parity between Prynt, WorldWind and DarkEye. Overall, there are a few very minor differences, including the text in the log file and the code and settings placement. However, functionality-wise all three are almost identical.
Feature | Prynt | WorldWind | DarkEye
AsyncRAT | Present (not used) | Present (not used) | Used
Clipper | Present (not used) | Present (not used) | Used
Keylogger | Present (not used) | Present (not used) | Used
ProcessChecker anti-analysis | Used | Not present | Not present
StormKitty stealing | Used | Used | Used
HideConsoleWindow | Used | Not present | Not present
Elevate privileges by running as admin | Used | Not present | Not present
Copy itself to a different path | Used | Not present | Not present
Persist using task creation (e.g., "Chrome update") | Used | Not present | Not present
Self delete using a .bat file | Used | Not present | Not present
Check for an internet connection | Used | Not present | Not present
Protect the process using RtlSetProcessIsCritical | Used | Not present | Not present
Prevent sleep by setting SetThreadExecutionState to 0x80000003 (ES_CONTINUOUS \| ES_DISPLAY_REQUIRED \| ES_SYSTEM_REQUIRED) | Used | Not present | Not present
Table 1. Some notable similarities and differences in functionality between Prynt Stealer, WorldWind and DarkEye
Table 2 compares the field names between StormKitty, Prynt Stealer, WorldWind and DarkEye.
StormKitty | Prynt | WorldWind | DarkEye
😹 *StormKitty – Report:* | 👣 *Prynt Stealer New results:* | 🌪 *WorldWind Pro – Results:* | 😹 *Dark-EYE – Report:*
🏦 *Banking services* | 🏦 *Banks* | 🏦 *Bank Logs* | 🏦 *Banking services*
💰 *Cryptocurrency services* | 💰 *Crypto* | 💰 *Crypto Logs* | 💰 *Cryptocurrency services*
🍓 *Porn websites* | N/A | 🍓 *Freaky Logs* | 🍓 *Porn websites*
🌐 *Browsers:* | 💵 *Stealer data:* | 🌐 *Logs:* | 🌐 *Browsers:*
🗃 *Software:* | 👣 *Installed software:* | 🗃 *Software:* | 🗃 *Software:*
🧭 *Device:* | 👣 *Local device:* | 🧭 *Device:* | 🧭 *Device:*
📄 *File Grabber:* | 👣 *Files:* | 📄 *File Grabber:* | 📄 *File Grabber:*
 | 👣 Solen Useing Prynt Stealer\n\n 👣 Developed by @FlatLineStealerUpdated\n\n 👣 Or Join The Channel @pryntdotmarket | |
Table 2. Comparison of field names between StormKitty, Prynt Stealer, WorldWind and DarkEye

Leaked Prynt Stealer Builder
ThreatLabz has obtained a copy of the Prynt Stealer builder, backdoored with DarkEye, that is being circulated in the wild. Figure 10 illustrates the "free" Prynt Stealer builder's backdoor execution process.
Prynt Stealer builder backdoor execution and infection flow
Figure 10: Prynt Stealer builder backdoor execution and infection flow
The Prynt Stealer builder package contains the following files:
Stub.exe – Prynt stub used by the builder
Prynt Stealer.exe – Builder executable
Prynt Stealer sub.exe – Unmanaged PE
Prynt.exe – Backdoor that downloads and executes DarkEye Stealer
Stub.exe – The Prynt Stealer Stub
This is the actual Prynt Stealer stub that is used by the builder to build payloads based on the configuration. The stub simply enumerates the resources in the file Prynt Stealer sub.exe and performs actions based on the settings in the RCData resource section, as shown in Figure 11.
Celesty Binder resource enumeration method
Figure 11. Celesty Binder resource enumeration method
The Prynt Stealer sub.exe is generated using Celesty Binder, as indicated by the presence of the string C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb. This binary stores embedded payloads under the "RBIND" resource in plaintext. This sample was configured to drop and execute the payloads in the %TEMP% folder, as shown in Figure 12.
Celesty Binder stub settings in resources
Figure 12. Celesty Binder stub settings in resources
Other valid options for the "DROPIN" value include the following:
The Prynt Stealer builder stub contains two payloads:
"PRYNT STEALER.EXE" – The builder binary explained below
"SVCHOST.EXE" – LodaRAT backdoor
Prynt Stealer.exe – The Builder
The Prynt Stealer builder is a modified version of the AsyncRAT builder, with modified forms to change the UI, and an additional line was added in the main method to run the loader mentioned above from {Builder path}/Stub/Prynt.exe.
Prynt.exe – The Loader
This is a very basic loader written in .NET, which simply downloads the payload from a hardcoded URL and runs it, as shown in Figure 13.
Loader obfuscated vs deobfuscated
Figure 13. Loader obfuscated vs deobfuscated
The downloaded payload is DarkEye Stealer, a variant of Prynt Stealer. Based on a hardcoded Telegram token shared by DarkEye, Prynt and WorldWind stealer, they are all likely from the same author(s).
DarkEye Stealer
This malware is essentially Prynt Stealer with some minor differences in code placement. Most settings related to the clipper, keylogger, etc. are moved under the AsyncRAT constructor, as shown in Figure 14.
Example AsyncRAT settings configured by DarkEye Stealer
Figure 14. Example AsyncRAT settings configured by DarkEye Stealer
The main factor differentiating DarkEye from Prynt and WorldWind is that the AsyncRAT part of the code is weaponized by configuring the related settings. Note that there were some earlier versions of DarkEye stealer in the wild without the AsyncRAT components.
Loda RAT is an AutoIt based RAT first documented in 2017 that has been active since and has evolved over the years. It is a fairly capable malware that can steal a variety of data, remotely control an infected system and install additional payloads.
Conclusion
The free availability of source code for numerous malware families has made development easier than ever for less sophisticated threat actors. As a result, there have been many new malware families created over the years that are based on popular open source malware projects like NjRat, AsyncRAT and QuasarRAT. The Prynt Stealer author went a step further and added a backdoor to steal from their customers by hardcoding a Telegram token and chat ID into the malware. This tactic is not new by any means; there have been numerous similar cases, including CobianRAT. As the saying goes, there is no honor among thieves.
Cloud Sandbox Detection
Zscaler Cloud Sandbox report
Figure 15: Zscaler Cloud Sandbox report
In addition to sandbox detections, Zscaler's multilayered cloud security platform detects indicators related to the campaign at various levels with the following threat names:
Builder
approximately
WorldWind Stealer: This stealer sends logs directly to your Telegram ID from a bot that you create with Telegram. So no worrying about having to deal with risky panels like other big named stealers out there that steal less data than WorldWind.
[+] Tool : Builder WorldWind Pro
[+] You need to create a Telegram bot
[+] How to use?
[+] When you open it .. you can build your botnet virus. It requires 2 things:
[+] BOT API TOKEN :
[+] Go to @Botfather and create a Telegram bot and then put the API token in the first box
[+] Chat ID : get your chat ID from @get_id_bot and paste it in the second box
[+] Then go to the Telegram bot you created and start it - build your virus and spread it and you will get your results in your bot
[+] Language : C#
[+] Version : v0.3

Features of WorldWind Stealer:
AntiAnalysis (VirtualBox, SandBox, Emulator, Debugger, VirusTotal, Any.Run)
Steal system info (Version, CPU, GPU, RAM, IPs, BSSID, Location, Screen metrics)
Chromium based browsers (passwords, credit cards, cookies, history, autofill, bookmarks)
Firefox based browsers (db files, cookies, history, bookmarks)
Internet Explorer/Edge (passwords)
Saved wifi networks & scan networks around device (SSID, BSSID)
File grabber (Documents, Images, Source codes, Databases, USB)
Detect banking & cryptocurrency services in browsers
Install keylogger & clipper
Steam, Uplay, Minecraft session
Desktop & Webcam screenshot
ProtonVPN, OpenVPN, NordVPN
Cryptocurrency Wallets
Telegram sessions
Pidgin accounts
Discord tokens
Filezilla hosts
Process list
Directories structure
Product key
Autorun module
World Wind Stealer
-Gathers Information From Browsers
-Info Gathered
-Autofill
-Cookies
-Passwords
-Bookmarks
-History
-Credit Card Info (Name, Number, Expiration, Billing, CCV) (If Saved)
-Gathers System INFO
-Install Application
-Running Application
-Screenshot
-Product Key
-Sets And Grabs Clipboard
-Gathers System Hardware info
-IP info and GeoIP location
-System based BSSID location
-Wifi Saved Password
-Webcam Screenshot
-Useragent
-Gathers Information From Mail Client
-Outlook
-Gathers Information On FTP Clients
-FileZilla
-Total Commander
-Gathers Messenger Application
-Telegram Account ( Hijack Account )
-Gathers Vpn
-Nord VPN
-OpenVPN
-Proton VPN
-Armory
-Atomic Wallet
-Bitcoin Core
-Byte-coin
-Dash Core
-Doge-Coin
-Electrum
-Ethereum
-Exodus
-Jaxx
-Litecoin Core
-Monero
-Zcash