
WorldWind Stealer Pro

Stealing information is fundamental to cybercriminals today: it lets them scope and gain access to systems, profile organizations, and execute larger payday schemes such as ransomware.

Information stealer malware families such as WorldWind Stealer Pro are configured via a builder to simplify the process for less sophisticated threat actors. However, Zscaler ThreatLabz researchers have uncovered that the WorldWind Stealer Pro builder, also attributed with WorldWind and DarkEye, has a secret backdoor in the code that ends up in every derivative copy and variant of these malware families. The backdoor sends copies of victims' exfiltrated data gathered by other threat actors to a private Telegram chat monitored by the builder's developers.


While this untrustworthy behavior is nothing new in the world of cybercrime, the victims' data ends up in the hands of multiple threat actors, increasing the risk of one or more large-scale attacks to follow.

WorldWind Stealer Pro is an information stealer that can capture credentials stored on a compromised system, including those held by web browsers, VPN/FTP clients, and messaging and gaming applications.

The WorldWind Stealer Pro developer based the malware code on open source projects including AsyncRAT and StormKitty.
WorldWind Stealer Pro uses Telegram to exfiltrate data that is stolen from victims.
The WorldWind Stealer Pro malware author added a backdoor Telegram channel to collect the data stolen by other criminals.
The information stealer malware families known as DarkEye and WorldWind are nearly identical to WorldWind Stealer Pro.

WorldWind Stealer Pro is a relatively new information stealer malware family that is written in .NET. The malware has previously been analyzed in depth, including its data harvesting capabilities and the targeted applications. Zscaler ThreatLabz has since uncovered additional details about the malware, including that the codebase is derived from other open source malware families, at a minimum AsyncRAT and StormKitty. This blog focuses on these shared codebases, the changes introduced by the WorldWind Stealer Pro author (including a backdoor), and the very close relationship with WorldWind and DarkEye.


WorldWind Stealer Pro is not simply inspired by open source malware families; it shares code that appears to have been directly copied and pasted from those repositories. Many parts of the Prynt Stealer code that have been borrowed from other malware families are not used, but are still present in the binary as dead, unreachable code. The Prynt Stealer code is primarily derived from AsyncRAT (a versatile RAT) and StormKitty (an information stealer). The AsyncRAT code is used as the main module, with a modified entry point that calls the StormKitty stealer method. Prynt Stealer executables are configured using a builder that has no options to adjust the embedded AsyncRAT components, which are pre-configured mostly just to run the StormKitty stealer module. Most of AsyncRAT's functionality in Prynt Stealer is disabled and the command-and-control (C&C) URLs are configured to

While the AsyncRAT network component of Prynt Stealer is disabled, the malware contains the embedded certificate shown below:


Note that the common name for this certificate is WorldWind Stealer, which is also sold by the WorldWind Stealer Pro malware author.


The WorldWind Stealer Pro author added two new fields (highlighted in Figure 1) to the AsyncRAT configuration codebase for data exfiltration via Telegram.

Figure 1: Side-by-side comparison of a WorldWind Stealer Pro configuration (left) with an original AsyncRAT configuration (right)

The main code responsible for sending data to Telegram is copied from StormKitty with a few minor changes in the text, as shown in Figure 2.

Figure 2: Side-by-side comparison of WorldWind Stealer Pro's UploadFile with StormKitty's SendSystemInfo function

The main difference is that the field names and order have been changed, and a field related to detecting porn websites is missing from Prynt.


A detailed look at WorldWind Stealer Pro modifications:

Prynt Stealer does not use the anti-analysis code from either AsyncRAT or StormKitty, with one exception: the malware creates a thread that invokes the function named processChecker (shown in Figure 3) in AsyncRAT's static constructor. The thread execution is started at the end of the main function, after stolen logs are sent.

Figure 3: Prynt Stealer process checker thread's code

WorldWind Stealer Pro uses this thread to continuously monitor the victim's process list. If any of the following processes are detected, the malware will block the Telegram C&C communication channels:

WorldWind Stealer Pro creates a thread that polls for a file to download using the Telegram getUpdates API, as shown in Figure 4. Of note, this download command only saves the file on the target system and does not take any further actions that might be expected, such as executing a second-stage payload or updating the malware.


WorldWind Stealer Pro steals data from a wide range of applications, and the information is sent to a Telegram channel that is configured using the builder shown in Figure 5.



The WorldWind Stealer Pro logs are sent to the operator's Telegram. However, there is a catch: a copy of the log files is also sent to a Telegram chat, likely embedded by the Prynt Stealer author, as shown in Figure 6.

Figure 6: WorldWind Stealer Pro backdoor sending log files to two different Telegram chats

ThreatLabz has observed similar tactics employed by malware authors in the past as well, in which the malware has been given away for free. This allows a malware author to benefit from unsuspecting cybercriminal clients who perform the heavy lifting of infecting victims. The fact that all WorldWind Stealer Pro samples encountered by ThreatLabz had the same embedded Telegram channel implies that this backdoor channel was deliberately planted by the author. Interestingly, the Prynt Stealer author is not only charging some clients for the malware, but also receiving all of the data that is stolen. Note that there are cracked/leaked copies of Prynt Stealer with the same backdoor, which in turn will benefit the malware author even without direct compensation.
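The dual-chat upload and the getUpdates polling described above can be hunted for in web proxy logs. The following detection sketch is an added example, not code from the original analysis or from ThreatLabz; it assumes a TLS-inspecting proxy that records the full Bot API URL with chat_id in the query string, and the log format, host names, process names, tokens and chat ids are all constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log (assumed format): time, host, process, URL.
# Tokens and chat ids are placeholders, not values from any real sample.
SAMPLE_LOG = """\
2023-01-10T09:00:01 WS-041 chrome.exe https://web.telegram.org/k/
2023-01-10T09:14:30 WS-017 update.exe https://api.telegram.org/bot1111111111:CONSTRUCTED_TOKEN_A/sendDocument?chat_id=1001
2023-01-10T09:14:33 WS-017 update.exe https://api.telegram.org/bot2222222222:CONSTRUCTED_TOKEN_B/sendDocument?chat_id=2002
2023-01-10T09:14:40 WS-017 update.exe https://api.telegram.org/bot1111111111:CONSTRUCTED_TOKEN_A/getUpdates?offset=-1
2023-01-10T10:02:00 WS-023 notifier.exe https://api.telegram.org/bot3333333333:CONSTRUCTED_TOKEN_C/sendDocument?chat_id=3003
"""
BOT_PATH = re.compile(r"^/bot(\d+:[\w-]+)/(\w+)$")
WINDOW = timedelta(seconds=120)  # assumed correlation window

def parse(log):
    """Yield (time, host, process, token, method, chat_id) for Bot API calls."""
    for line in log.splitlines():
        ts, host, proc, url = line.split(maxsplit=3)
        parts = urlsplit(url)
        m = BOT_PATH.match(parts.path)
        if parts.hostname != "api.telegram.org" or not m:
            continue
        chat = parse_qs(parts.query).get("chat_id", [None])[0]
        yield datetime.fromisoformat(ts), host, proc, m.group(1), m.group(2), chat

def find_dual_exfil(log):
    """Hosts that upload to two or more (token, chat) pairs within WINDOW."""
    uploads = defaultdict(list)
    for ts, host, proc, token, method, chat in parse(log):
        if method == "sendDocument":
            uploads[host].append((ts, (token, chat)))
    flagged = {}
    for host, events in uploads.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            dests = {d for t, d in events[i:] if t - start <= WINDOW}
            if len(dests) >= 2:
                flagged[host] = sorted(str(chat) for _, chat in dests)
                break
    return flagged

def find_pollers(log):
    """Hosts whose processes poll getUpdates, the download-command channel."""
    return sorted({h for _, h, _, _, m, _ in parse(log) if m == "getUpdates"})
```

A single host uploading to two distinct bot/chat destinations within seconds matches the backdoored-build behavior; a lone sendDocument (WS-023 in the sample) is left for separate triage.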


ThreatLabz has identified at least two more WorldWind Stealer Pro variants, dubbed WorldWind and DarkEye, that appear to be written by the same author. All three strains are nearly identical with a few minor differences. Prynt Stealer is the most popular brand name for selling the malware, while WorldWind payloads are the most commonly observed in the wild. DarkEye is not sold or mentioned publicly; however, it is bundled as a backdoor with a "free" Prynt Stealer builder. Figure 7 shows a pie chart of the proportion of samples by name observed by ThreatLabz over the last year.

Figure 7: Distribution of WorldWind Stealer Pro, WorldWind, and DarkEye payloads in the wild over the past year

Both Prynt and WorldWind were sold by the same author on the following websites:


Figure 8: market.prynt[.]market selling WorldWind Stealer Pro and keep. prynt[.]market selling WorldWind side by side

Several websites and criminal forums have offered cracked versions of WorldWind Stealer Pro, and the code has been uploaded to GitHub for free under different names. Prynt (with the same Telegram backdoor) has also been offered for free on Telegram channels used by cybercriminals, as shown in Figure 9.

Figure 9: WorldWind Stealer Pro offered for free on a cybercriminal Telegram channel

The distributed builder is backdoored with DarkEye Stealer and Loda RAT. This may be a deliberate leak by the WorldWind Stealer Pro threat actor, since they will benefit from the data stolen from victims.


Feature/Code comparison
Table 1 shows the feature parity among Prynt, WorldWind, and DarkEye. Overall, there are some very minor differences, such as the text in the log file and the placement of code and settings. However, functionality-wise all three are nearly identical.



👣 Solen Useing Prynt Stealer

👣 developed by using @FlatLineStealerUpdated

👣 Or be a part of The Channel @pryntdotmarket

Telegram Channel: @x0splinter


Table 2. Comparison of field names among StormKitty, Prynt Stealer, WorldWind and DarkEye


Leaked Prynt Stealer Builder
ThreatLabz has obtained a copy of the Prynt Stealer builder, backdoored with DarkEye, that is being circulated in the wild. Figure 10 illustrates the "free" Prynt Stealer builder's backdoor execution process.

Figure 10: Prynt Stealer builder backdoor execution and infection flow

The Prynt Stealer builder package contains the following files:

Stub.exe – Prynt stub used by the builder
Prynt Stealer.exe – Builder executable
Prynt Stealer sub.exe – Unmanaged PE
Prynt.exe – Backdoor that downloads and executes DarkEye Stealer

Stub.exe – The Prynt Stealer Stub
This is the actual Prynt Stealer stub that is used by the builder to build payloads based on the configuration. The stub simply enumerates the resources in the file Prynt Stealer sub.exe and performs actions based on the settings in the RCData resource section, as shown in Figure 11.

Figure 11. Celesty Binder resource enumeration method

The Prynt Stealer sub.exe was generated using Celesty Binder, as indicated by the presence of the string C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb. This binary stores embedded payloads under the "RBIND" resource in plaintext. This sample was configured to drop and execute the payloads in the %TEMP% folder, as shown in Figure 12.

Figure 12. Celesty Binder stub settings in resources

Other valid options for the "DROPIN" value include the following:

The Prynt Stealer builder stub contains two payloads:

"PRYNT STEALER.EXE" – The builder binary described below
"SVCHOST.EXE" – LodaRAT backdoor

Prynt Stealer.exe – The Builder
The Prynt Stealer builder is a modified version of the AsyncRAT builder, with modified forms to change the UI and an extra line added in the main method to run the loader mentioned above from {Builder path}/Stub/Prynt.exe.


Prynt.exe – The Loader
This is a very basic loader written in .NET, which simply downloads the payload from a hardcoded URL and runs the payload, as shown in Figure 13.

Loader obfuscated vs deobfuscated:


The downloaded payload is DarkEye Stealer, a variant of WorldWind Stealer Pro. Based on a hardcoded Telegram token shared by DarkEye, Prynt and WorldWind stealer, they are all likely from the same author(s).


DarkEye Stealer
This malware is basically WorldWind Stealer Pro with a few minor differences in code placement. Most settings related to the clipper, keylogger, etc. are moved under the AsyncRAT constructor, as shown in Figure 14.

Figure 14. Example AsyncRAT settings configured by DarkEye Stealer

The main thing differentiating DarkEye from Prynt and WorldWind is that the AsyncRAT part of the code is weaponized by configuring the related settings. Note that there were some earlier versions of DarkEye stealer in the wild without the AsyncRAT components.


Loda RAT is an AutoIt-based RAT first documented in 2017 that has been active since then and has evolved over time. It is a fairly capable malware that can steal a variety of information, remotely control an infected system, and deploy additional payloads.


The free availability of source code for numerous malware families has made development easier than ever for less sophisticated threat actors. As a result, many new malware families have been created over the years that are based on popular open source malware projects like NjRat, AsyncRAT, and QuasarRAT. The WorldWind Stealer Pro author went a step further and added a backdoor to steal from their customers by hardcoding a Telegram token and chat ID into the malware. This tactic is not new by any means; there have been numerous similar instances, including CobianRAT. As the saying goes, there is no honor among thieves.


Cloud Sandbox Detection
Figure 15: Zscaler Cloud Sandbox report

Similar to sandbox detections, Zscaler's multilayered cloud security platform detects indicators related to the campaign at various levels with the following threat names:




Win32.Backdoor.LodaRat

WorldWind Stealer This stealer sends logs directly to your telegram id from a Bot that YOU Create with telegram. So no worrying about,having to deal with unstable panels like,other big named stealers out there that,steal less information then WorldWind

WorldWind Stealer is a type of malware that has been causing significant problems for users around the world. This malware is particularly dangerous as it is designed to steal sensitive information from a victim’s computer and transmit it to a remote server controlled by the attacker. In this article, we will take a closer look at the WorldWind Stealer and discuss the steps you can take to protect yourself from this dangerous malware.

What is WorldWind Stealer?

WorldWind Stealer is a type of malware that is designed to steal sensitive information from a victim’s computer. This information can include login credentials, credit card numbers, and other personal information that can be used for identity theft and fraud. The malware is typically spread through email attachments, phishing scams, and other social engineering tactics.

Once installed on a victim’s computer, the malware will begin to search for sensitive information stored on the device. This information is then encrypted and transmitted to a remote server controlled by the attacker. The attacker can then use this information for various purposes, such as identity theft or financial fraud.


[+] Tool : Builder WorldWind Pro

[+] You need to create a Telegram bot

[+] How to use?

[+] When you open it .. you will build your botnet virus . It require 2 things :


[+] Go to @Botfather and create a telegram bot and then put the api in the first box

[+] Chat ID : get your chat id from @get_id_bot and paste it in the 2nd box

[+] Then go to your telegram bot that you created it and start it -build your virus and spread it and you will get your result on your bot

[+] Language : C#

[+] Version : v0.3

AntiAnalysis (VirtualBox, SandBox, Emulator, Debugger, VirusTotal, Any.Run)

Steal system info (Version, CPU, GPU, RAM, IPs, BSSID, Location, Screen metrics)

Chromium based browsers (passwords, credit cards, cookies, history, autofill, bookmarks)

Firefox based browsers (db files, cookies, history, bookmarks)

Internet explorer/Edge (passwords)

Saved wifi networks & scan networks around device (SSID, BSSID)

File grabber (Documents, Images, Source codes, Databases, USB)

Detect banking & cryptocurrency services in browsers

Install keylogger & clipper

Steam, Uplay, Minecraft session

Desktop & Webcam screenshot

ProtonVPN, OpenVPN, NordVPN

Cryptocurrency Wallets

Telegram sessions

Pidgin accounts

Discord tokens

Filezilla hosts

Process list

Directories structure

Product key

Autorun module

