Fake Proton VPN Sites, Gaming Mods Target Windows with NWHStealer Malware

Beware: Fake Proton VPN Sites and Gaming Mods Spreading NWHStealer Malware

A newly identified information-stealing malware, NWHStealer, is infiltrating Windows systems through a deceptive campaign that leverages counterfeit VPN websites, gaming modifications, and hardware utility tools. Unlike traditional phishing methods, this campaign embeds malware within files that users actively seek and download, significantly complicating detection efforts.

Distribution Tactics

The perpetrators employ a multifaceted distribution strategy, disseminating NWHStealer via:

– Impersonated Websites: Fake sites mimicking reputable services.

– Code Hosting Platforms: Malicious repositories on GitHub and GitLab.

– File-Sharing Services: Compromised files on MediaFire and SourceForge.

– Multimedia Content: YouTube videos related to gaming and security, containing harmful links.

The malware masquerades as legitimate software, including VPN installers, hardware diagnostic tools like OhmGraphite, Pachtop, and Sidebar Diagnostics, as well as popular gaming cheats and mods such as Xeno. This extensive reach across trusted platforms heightens the campaign’s threat level.

Technical Analysis

Malwarebytes analysts have identified multiple active campaigns distributing NWHStealer. The malware is loaded either through self-injection or by injecting itself into a legitimate Windows process such as RegAsm, Microsoft's Assembly Registration Tool. The initial loaders are often MSI packages or Node.js scripts, which then deliver the primary payload.

Once executed, NWHStealer collects browser data, saved passwords, and cryptocurrency wallet information. It targets over 25 folders and registry keys associated with cryptocurrency wallets and extracts credentials from browsers such as Edge, Chrome, Opera, Brave, Chromium, and Firefox. The stolen data is encrypted using AES-CBC before transmission to the attacker’s command-and-control server. If the primary server becomes unavailable, the malware retrieves a new C2 domain via a Telegram-based dead drop, ensuring persistent communication.

Unusual Distribution Methods

An unconventional aspect of this campaign involves using a free web hosting provider, onworks[.]net, ranked within the top 100,000 websites globally. Malicious ZIP archives, such as HardwareVisualizer_1.3.1.zip and Sidebar Diagnostics-3.6.5.zip, are hosted in its download section. These files appear legitimate but contain embedded malicious code that initiates the infection upon execution.

Infection Mechanism

The infection process is meticulously designed to evade detection:

1. Loader Execution: The user runs a seemingly legitimate executable, like HardwareVisualizer.exe.

2. Environment Check: The loader scans for analysis tools and terminates if any are found.

3. String Decryption: It uses a custom function to decrypt strings.

4. API Resolution: The loader resolves Windows API functions via LoadLibraryA and GetProcAddress.

5. Payload Decryption and Execution: Utilizing AES-CBC through BCrypt APIs, it decrypts and loads the next-stage payload.

The inclusion of junk code further complicates analysis and detection.
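The RegAsm injection described under Technical Analysis and the loader chain above leave a process-creation trail a defender can hunt for. The script below is an added example, not code from Malwarebytes or the article: it runs a small set of heuristics over constructed Sysmon-style Event ID 1 records, using only facts the article gives (RegAsm as the host, HardwareVisualizer.exe as a lure, MSI and Node.js loaders); the user-writable-directory and no-argument checks are assumptions.

```python
"""Flag RegAsm.exe launches that match the NWHStealer loader pattern.
Sysmon-style process-creation records below are constructed, not real."""
import shlex
from pathlib import PureWindowsPath

HOST_NAMES = {"regasm.exe"}                    # injection host named in the article
LURE_NAMES = {"hardwarevisualizer.exe"}        # lure executable named in the article
LOADER_PARENTS = {"msiexec.exe", "node.exe"}   # MSI / Node.js loaders per the article
# Assumption: directories a downloaded lure typically runs from.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")

def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def classify(event: dict) -> list[str]:
    """Return the reasons a process-creation event looks suspicious (empty if none)."""
    if _name(event["Image"]) not in HOST_NAMES:
        return []
    parent = event.get("ParentImage", "")
    pname = _name(parent)
    reasons = []
    if pname in LURE_NAMES:
        reasons.append(f"spawned by known lure {pname}")
    if pname in LOADER_PARENTS:
        reasons.append(f"spawned by loader-style parent {pname}")
    if any(d in parent.lower() for d in USER_WRITABLE):
        reasons.append("parent runs from a user-writable directory")
    # Assumption: a bare RegAsm.exe with no assembly argument is rarely legitimate
    # and fits a host process started only to receive an injected payload.
    if len(shlex.split(event.get("CommandLine", ""), posix=False)) <= 1:
        reasons.append("launched without an assembly argument")
    return reasons

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (ProcessId, reasons) for every flagged event."""
    return [(e["ProcessId"], r) for e in events if (r := classify(e))]

REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
EVENTS = [  # constructed sample records
    {"ProcessId": 4100, "Image": REGASM, "CommandLine": f'"{REGASM}" /codebase Lib.dll',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"},
    {"ProcessId": 5120, "Image": REGASM, "CommandLine": f'"{REGASM}"',
     "ParentImage": r"C:\Users\alice\Downloads\HardwareVisualizer_1.3.1\HardwareVisualizer.exe"},
    {"ProcessId": 6230, "Image": REGASM, "CommandLine": f'"{REGASM}"',
     "ParentImage": r"C:\Program Files\nodejs\node.exe"},
    {"ProcessId": 7340, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]
```

Calling `scan(EVENTS)` flags only the two RegAsm launches with a lure or loader parent; the developer's `/codebase` registration from Visual Studio passes clean, which is the false-positive case any such rule has to tolerate.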

Protective Measures

To safeguard against NWHStealer and similar threats:

– Verify Sources: Download software exclusively from official websites or trusted platforms.

– Exercise Caution: Be wary of unsolicited links or downloads, even from seemingly reputable sources.

– Maintain Security Software: Keep antivirus and anti-malware programs updated.

– Regular Updates: Ensure your operating system and applications are current.

– Monitor Accounts: Regularly check financial and online accounts for unauthorized activity.

By adopting these practices, users can significantly reduce the risk of falling victim to such sophisticated malware campaigns.