https://flashpoint.io/blog/understanding-seidr-infostealer-malware/
UNDERSTANDING SEIDR INFOSTEALER MALWARE

Flashpoint has observed a notable surge in advertised sales of infostealers throughout 2024, among them Seidr malware. In this blog, we explore Seidr in detail and shed light on how it works.

Flashpoint Intel Team, June 5, 2024

Table of Contents
* Key Takeaways
* What is Seidr infostealer malware?
* Seidr Tactics, Techniques, and Procedures (TTPs)
* Stay ahead using Flashpoint

Information-stealing malware, or infostealers, have emerged as one of the most pervasive and dangerous types of malware, capturing the attention of both security teams and threat actors alike.
Throughout 2024, Flashpoint has observed significant growth in the sale of infostealers, with the number being offered in illicit marketplaces skyrocketing over the last seven years; among them is Seidr malware.

KEY TAKEAWAYS

* Seidr is an information-stealing malware that uses Telegram for exfiltration and command and control (C2).
* The stealer implements rotating XOR encryption to obfuscate sensitive data, including tokens and channel information.
* Seidr targets cryptocurrency desktop wallets and browser extensions.
* Defensive evasion is implemented by blacklisting specific processes related to security analysis and debugging, so that the stealer can evade detection and analysis.

WHAT IS SEIDR INFOSTEALER MALWARE?

Seidr malware is an emerging stealer that was first observed at the end of 2023. It collects comprehensive system information, including system name, username, OS version, screen resolution, and hardware identification. Seidr can deploy a two-stage module that simultaneously runs a crypto clipper and a keylogger, making it a potent threat.

The stealer is written in C++. It uses encryption to obfuscate its configuration and evasion techniques, such as blacklisting specific processes related to security analysis and debugging, to avoid detection. At this time, Seidr is being sold on illicit marketplaces, and the developer provides a loader and dropper that can be used with Telegram bots.

A new update for the strain, called GARMR, was recently offered for sale, with a lifetime plan for the stealer being offered for $2,000. GARMR enables Seidr to regenerate itself every two hours, is smaller than 500 KB, and is capable of downloading and running binaries without touching the disk.

Figure: Seidr advertisement found in an illicit marketplace (Source: Flashpoint Ignite)

Figure: GARMR update for Seidr being advertised on an illicit forum (Source: Flashpoint Ignite)

SEIDR TACTICS, TECHNIQUES, AND PROCEDURES (TTPS)

Flashpoint analysts analyzed the sophisticated arsenal employed by Seidr.
The following outlines some of the tactics, techniques, and procedures that Seidr leverages:

Tactic               | Technique ID | Name
---------------------|--------------|-----------------------------------
Persistence          | T1547        | Boot or Logon Autostart Execution
Privilege Escalation | T1547        | Boot or Logon Autostart Execution
Defense Evasion      | T1497        | Virtualization/Sandbox Evasion
Credential Access    | T1056        | Input Capture: Keylogging
Discovery            | T1012        | Query Registry
Discovery            | T1057        | Process Discovery
Discovery            | T1082        | System Information Discovery
Discovery            | T1614        | System Location Discovery
Collection           | T1005        | Data from Local System
Collection           | T1560        | Archive Collected Data
Collection           | T1056        | Input Capture: Keylogging
Exfiltration         | T1567        | Exfiltration Over Web Service

T1547 – PERSISTENCE – BOOT OR LOGON AUTOSTART EXECUTION

Seidr sets up a persistence mechanism by creating a directory, retrieving a known folder path, creating a registry key, and setting the value SEIDR in the registry. This allows the stealer to run again after the next reboot.

Figure: Persistence is maintained through the registry key. (Source: Flashpoint)

T1497 – DEFENSE EVASION – VIRTUALIZATION/SANDBOX EVASION

Flashpoint analysts reverse-engineered Seidr to reveal the following processes being used or monitored in an attempt to stop debugging:

Process Name         | Definition
---------------------|------------------------------------------------------------
apatedns.exe         | ApateDNS: Manipulates DNS requests
cmd.exe              | Command Prompt: Windows command-line interpreter
cffexplorer.exe      | CFF Explorer: Explores PE files
cuckoo.exe           | Cuckoo Sandbox: Automated malware analysis system
dumpcap.exe          | Dumpcap: Network capture tool for Wireshark
fiddler.exe          | Fiddler: Web debugging proxy
ghidra.exe           | Ghidra: Suite for software reverse engineering
immunitydebugger.exe | Immunity Debugger: Debugger for malware analysis
msconfig.exe         | System Configuration: Configures Windows settings
procexp.exe          | Process Explorer: Manages and diagnoses process issues
procexp64.exe        | Process Explorer (64-bit): Manages and diagnoses processes
processhacker.exe    | Process Hacker: Views and manipulates processes
python.exe           | Python executable: Executes Python scripts
python3.exe          | Python 3 executable: Executes Python 3 scripts
pythonw.exe          | Python executable (Windows): Executes Python scripts
r2.exe               | Radare2 CLI: Interface for reverse engineering
radare2.exe          | Radare2: Framework for reverse engineering
regedit.exe          | Registry Editor: Edits Windows registry
regshot.exe          | Regshot: Takes snapshots of registry and file system
sysmon.exe           | Sysinternals Sysmon: Monitors system activity
Taskmgr.exe          | Windows Task Manager: Manages tasks in Windows
tcpview.exe          | TCPView: Monitors network connections
wireshark.exe        | Wireshark: Analyzes network protocols
x32dbg.exe           | 32-bit debugger: Debugs 32-bit applications
x64dbg.exe           | 64-bit debugger: Debugs 64-bit applications

Seidr also has the capability to check for virtual machines. If the malware detects that it has been deployed on a virtual machine, it will automatically end its processes to avoid static analysis.

Seidr also performs an XOR rotation against an array of little-endian values. This encryption is used to obfuscate the Telegram token used to send exfiltrated data.

Figure: Pseudocode for the rotating XOR encryption routine. (Source: Flashpoint)

T1005 – COLLECTION – DATA FROM LOCAL SYSTEM

Seidr checks for open processes and specific browsers before executing collections on the browsers.

Figure: Pseudocode showcasing the routine for detecting virtual machines and checking for open processes. (Source: Flashpoint)

T1560 – COLLECTION – ARCHIVE COLLECTED DATA

System collections are compiled to determine whether a system is a potential analysis machine, a virtual machine, or a sandbox machine. They are also packaged in a zip archive with the final information sent to the threat actor.

Figure: Pseudocode showcasing system information gathering in Seidr. (Source: Flashpoint)

T1056 – COLLECTION – INPUT CAPTURE: KEYLOGGING

The clipper functionality uses regular expressions to determine the type of wallet, and the stealer replaces the copied wallet addresses with the attacker's. The following types of cryptocurrency are targeted by Seidr:

* Bitcoin
* Ethereum
* Litecoin
* Monero
* Ripple

T1560 – COLLECTION – ARCHIVE COLLECTED DATA

Seidr collects desktop wallet files, which the attacker can then use to access the wallets. The following desktop wallets are targeted by Seidr:

* Monero
* MultiDoge
* Electrum
* Electrum Cash

In addition, Seidr specifically scans the system for the following crypto wallets and Chrome extension IDs:

* BNB Chain Wallet
* Coinbase
* Coin98 Wallet
* Electrum Bitcoin Wallet
* Fers Wallet
* Ferz Wallet
* Jaxx Liberty
* KardiaChain Wallet
* Math Wallet
* MetaMask
* Nifty Wallet
* Ronin Wallet
* Saturn Wallet
* Terra Wallet

T1567 – EXFILTRATION – EXFILTRATION OVER WEB SERVICE

Telegram is leveraged to send the archived log file to the attacker's Telegram channel:

Figure: IDA pseudocode containing the Telegram API parameters. (Source: Flashpoint)

Flashpoint analysts collected the final zip archive containing the data gathered by the stealer, including system information, wallets, browser passwords, and keylogging output:

Figure: Log file generated by the malware, collected during the analysis. (Source: Flashpoint)

STAY AHEAD USING FLASHPOINT

Infostealers are easily accessible, easy to use, and inexpensive for threat actors to purchase. Consequently, there is high demand for stealers across illicit communities. In addition to the many existing and emerging families of infostealers, malicious actors are continuing to leverage Seidr. These attackers are actively working to improve and develop multiple variants to increase its ability to bypass defensive measures. Therefore, understanding what Seidr infostealer malware is and how it works is essential for strengthening cybersecurity defenses.

Flashpoint's threat intelligence seamlessly integrates automated data collection with human analyst expertise, and delivers a precise understanding of the fast-evolving threat landscape.
By leveraging comprehensive threat intelligence, organizations can mitigate the potential risks posed by infostealers. Sign up for a demo today.
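Defenders hunting for the T1547 persistence described in the TTP section can check the standard autostart registry locations for a value named SEIDR. The PowerShell script below is an added example written for this page; it is not code from Flashpoint or from the malware. It assumes that the registry key Seidr creates is one of the well-known Run/RunOnce autostart keys (the post names only the value SEIDR, not the key path), and the function name Find-SeidrAutostart is the example's own.

```powershell
# Added example, not Flashpoint's code: hunt for the SEIDR autostart value.
# Assumption: the key Seidr writes is one of the standard Boot/Logon
# Autostart (T1547) Run/RunOnce locations; the blog post names only the
# value "SEIDR", so the key list below is the example's own choice.
$valueName = 'SEIDR'
$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper name: returns one object per autostart value whose
# name matches $Name (the property lookup is case-insensitive, so a
# lower-case "seidr" is reported as well).
function Find-SeidrAutostart {
    param(
        [string[]]$Keys = $autostartKeys,
        [string]$Name = $valueName
    )
    foreach ($key in $Keys) {
        # Keys that do not exist on this host (e.g. WOW6432Node on 32-bit
        # Windows) are skipped rather than treated as errors.
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $prop = $item.PSObject.Properties[$Name]
        if ($null -ne $prop) {
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $prop.Value   # what the autostart entry launches
            }
        }
    }
}

$hits = @(Find-SeidrAutostart)
if ($hits.Count -eq 0) {
    Write-Output "No autostart value named '$valueName' found in the checked keys."
} else {
    # Each hit is a triage lead: the launched file, its hash and the
    # Telegram traffic the post describes are the next things to examine.
    $hits | Format-Table -AutoSize
}
```

Run it in an elevated session so that the HKLM keys are readable; an empty result only means the value is not in these five keys, so a broader autoruns-style sweep is still warranted when other Seidr indicators are present.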