THREAT: Russian Fox Stealer





The Russian Telegram skid army that I have been following for months is selling a command-and-control panel. It is different from Agent Tesla or Pony Forx themed malware.

Where it is sold, and who is behind it, are answered in this article. I didn't have time to review the binary file, but anyone who can help with the research can reach me at my email address.

The panel I'm reviewing is Fox Stealer 3, the latest version.


(Screenshot of the orange panel, version 3)

After finding the panel, I noticed that two earlier versions of the panel had already been removed.

Image from the Settings screen.



Tools of the orange version (version 3):
  • WebCam capture
  • Max file size
  • NoSNG

After some OSINT on version 3, I obtained the source code and binary files of all three versions:
  • Blue version 1 [panel_v0_1.zip], 3.82 MB
  • Orange version 2 [panelv0_2.zip], 3.86 MB
  • Orange version 3 [panel_3.zip], 3.9 MB

Communication channel:

Sales are made through a secret group on Telegram. The number of active members of the group fell from 73 to 58.


Instead of the typical builder software shipped with a panel like this, customers get access to a dedicated Telegram bot where they can create new customer-specific builds and retrieve logs from victims.


Finally, there is a third channel, created by the actor @foo0x, that regularly posts updates about the product. These are all the telegra.ph links posted in this channel:


The typical actions taken once a target is infected are the following: collection of cookies, passwords, a screenshot, a webcam image, information about the PC, desktop files, and Discord and Steam credentials. After these operations, the collected files are zipped using the PclZip library.


Here is an image of the files archived from a victim.




Customers are recommended to buy the "BOCTOK-1" package from the hosting company sprinthost.ru ("https://sprinthost.ru/") as their hosting service.

The Telegram manager and FoxStealer developer, the person who codes "Fox 🦊", uses the username "@isaqq".





Intelligence and IOC:

File Name: Panel_v0_1.zip
MD5: ebcf2dcd7a462f46b984b7d79407838f
SHA-1: e4c3fe115566edd81de1f2cc1cdfa11ac554a0e8
Size: 3.82 MB
File Type: ZIP

File Name: Panel_v0_2.zip
MD5: de8c30181fd26d0f1f9a8f803244b2dd
SHA-1: aa6690f954732a650c81c29b0cec9d5ff30ff46a
Size: 3.86 MB
File Type: ZIP

File Name: Panel_3.zip
MD5: ed109b63d27caa3410a0ecd7f6678539
SHA-1: 355fcb1407ed6a935a5fc3b090804e2c9f174e9d
SHA-256: b72c8b82230a592bc61fe6637bd0defb5a8b862ffe1df75bcd9ed7695a709c00
Size: 3.91 MB
File Type: ZIP

File Name: post.php
MD5: 5d4caac8109532d52d20314ce636658a
SHA-1: df3e3d040e78bc47ad8487d9fee9376203606e18
SHA-256: 442dd68354496ce2220907e684ee7a018c9d48fe27c703ddc3d3207973c59129
Size: 3.53 KB
File Type: PHP
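As an added example (not code from this post or from the Fox Stealer panel), a small Python triage helper that parses an IOC block in the format used above, tolerating the inconsistent "MD5:" versus "MD5 " label delimiter, and checks a file's MD5/SHA-1/SHA-256 against it. The embedded digests are the ones listed in this post; the sample bytes used in the check are constructed.

```python
import hashlib
import re

# Constructed excerpt: two entries copied from the IOC list in this post. The
# delimiter after the digest label is inconsistent ("MD5:" vs "MD5 ").
IOC_TEXT = """
File Name: Panel_3.zip
MD5: ed109b63d27caa3410a0ecd7f6678539
SHA-1: 355fcb1407ed6a935a5fc3b090804e2c9f174e9d
SHA-256: b72c8b82230a592bc61fe6637bd0defb5a8b862ffe1df75bcd9ed7695a709c00
Size: 3.91 MB
File Type:ZIP

File Name: post.php
MD5 5d4caac8109532d52d20314ce636658a
SHA-1 df3e3d040e78bc47ad8487d9fee9376203606e18
SHA-256 442dd68354496ce2220907e684ee7a018c9d48fe27c703ddc3d3207973c59129
Size: 3.53 KB
File Type:PHP
"""

ALGOS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256"}  # post labels -> hashlib names
# Label, optional colon, value; tolerates "File Type:ZIP" and "MD5 <hash>".
LABEL_RE = re.compile(r"^(File Name|MD5|SHA-1|SHA-256|Size|File Type)\s*:?\s*(\S.*)$", re.I)

def parse_iocs(text):
    """Parse the post's IOC block into one dict per blank-line-separated entry."""
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in chunk.splitlines():
            m = LABEL_RE.match(line.strip())
            if m:
                key = m.group(1).upper()  # normalise label case
                entry[key] = m.group(2).lower() if key in ALGOS else m.group(2)
        if entry:
            entries.append(entry)
    return entries

def compute_digests(data):
    """MD5/SHA-1/SHA-256 of a blob, keyed by the same labels the IOC list uses."""
    return {label: hashlib.new(name, data).hexdigest() for label, name in ALGOS.items()}

def match_iocs(digests, entries):
    """Return (entry, label) for the first IOC whose digest matches, else None."""
    for entry in entries:
        for label in ALGOS:
            if label in entry and entry[label] == digests[label]:
                return entry, label
    return None
```

To scan a file on disk, pass `compute_digests(open(path, "rb").read())` and the parsed entries to `match_iocs`; any one matching digest is enough to flag the file.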


