OLDBAIT

OLDBAIT, Sasfis
(Type: Credential stealer)

(FireEye) OLDBAIT is a credential harvester that installs itself in %ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe. There is a missing space in the MediaPlayer directory name and the filename is missing the ‘o’ character. Both the internal strings and logic are obfuscated and are unpacked at startup. Credentials for the following applications are collected:
• Internet Explorer
• Mozilla Firefox
• Eudora
• The Bat! (an email client made by a Moldovan company)
• Becky! (an email client made by a Japanese company)
Both email and HTTP can be used to send out the collected credentials. Note: In some places it is mistakenly named Sasfis, which, however, appears to be a completely different and unrelated malware family.
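The masqueraded drop path described above (ATT&CK T1036.005) lends itself to a simple file-path check. The Python below is an added example, not code from FireEye or from the card's sources; it assumes "Media Player" and "updatewindows.exe" are the legitimate names the misspelled components imitate, and runs over constructed sample paths.

```python
"""Flag the OLDBAIT masquerade path (ATT&CK T1036.005) in file paths."""
from difflib import SequenceMatcher

# Tail of the drop path reported by FireEye, lower-cased, with the
# %ALLUSERPROFILE% prefix dropped so already-expanded paths match too.
OLDBAIT_TAIL = r"\application data\microsoft\mediaplayer\updatewindws.exe"

# Legitimate names the OLDBAIT components imitate (assumptions for this example:
# "Media Player" is the real WMP data directory, "updatewindows.exe" the spelling
# the card says is missing an "o").
LEGIT_NAMES = ("Media Player", "updatewindows.exe")

# Similarity (0..1) at or above which a non-identical component is a look-alike.
NEAR_MISS_RATIO = 0.85


def is_oldbait_path(path):
    """Exact, case-insensitive match on the known OLDBAIT installation path."""
    return path.lower().endswith(OLDBAIT_TAIL)


def near_misses(path):
    """(component, legitimate name) pairs where a path component is almost, but
    not exactly, a legitimate name: the missing-space / missing-letter trick."""
    hits = []
    for component in path.split("\\"):
        for legit in LEGIT_NAMES:
            ratio = SequenceMatcher(None, component.lower(), legit.lower()).ratio()
            if NEAR_MISS_RATIO <= ratio < 1.0:
                hits.append((component, legit))
    return hits


def triage(paths):
    """Map each path to 'oldbait' (known path), 'lookalike' (near miss) or 'clean'."""
    verdicts = {}
    for path in paths:
        if is_oldbait_path(path):
            verdicts[path] = "oldbait"
        elif near_misses(path):
            verdicts[path] = "lookalike"
        else:
            verdicts[path] = "clean"
    return verdicts


# Constructed sample file-creation events, not taken from any real incident.
SAMPLE_EVENTS = [
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\MediaPlayer\updatewindws.exe",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Media Player\wmplayer.exe",
    r"C:\Program Files\Windows Media Player\wmplayer.exe",
    r"C:\Temp\Medai Player\setup.exe",
]
```

`triage(SAMPLE_EVENTS)` labels the first path "oldbait", the last "lookalike" and the two genuine Windows Media Player paths "clean".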

[News Analysis] Trends:

Total Trend: 10

Trend Per Year: 2010: 4, 2011: 1, 2012: 2, 2014: 1, 2017: 1, 2018: 1

Trend Per Month: Jan 2010: 1, Feb 2010: 1, May 2010: 2, Apr 2011: 1, Oct 2012: 1, Nov 2012: 1, 2014: 1, Jan 2017: 1, Aug 2018: 1



[News Analysis] News Mention Another Threat Name:

4 - OLDBAIT
4 - Coreshell
4 - Sedreco
4 - Seduploader
4 - X-Agent
1 - Asprox
1 - Sasfis


[TTP Analysis] Technique Performance:

Reconnaissance: 0/43
Resource Development: 0/45
Initial Access: 0/19
Execution: 0/36
Persistence: 0/113
Privilege Escalation: 0/96
Defense Evasion: 2/184
Credential Access: 2/63
Discovery: 0/44
Lateral Movement: 0/22
Collection: 0/37
Command and Control: 2/39
Exfiltration: 0/18
Impact: 0/26


[TTP Analysis] Mitre Attack Matrix:

Tactics: TA0043 Reconnaissance, TA0042 Resource Development, TA0001 Initial Access, TA0002 Execution, TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion, TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0011 Command and Control, TA0010 Exfiltration, TA0040 Impact

Techniques:
T1036.005 Masquerading: Match Legitimate Name or Location
T1027 Obfuscated Files or Information
T1555 Credentials from Password Stores
T1555.003 Credentials from Password Stores: Credentials from Web Browsers
T1071.001 Application Layer Protocol: Web Protocols
T1071.003 Application Layer Protocol: Mail Protocols


[Infrastructure Analysis] Based on Related IOC:



[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

Remember Fancy Bear?

2018-08-26 by SecJuice from SecJuice

APT28: At The Center Of The Storm

2017-01-10 by FireEye iSIGHT Intelligence from FireEye

APT28: A Window into Russia's Cyber Espionage Operations?

2014 by FireEye from FireEye

Tracking the 2012 Sasfis campaign

2012-11-01 by Micky Pun from Virus Bulletin

SASFIS

2012-10-09 by Dianne Lagrimas from Trend Micro

Troj/Sasfis-O

2011-04-16 by Sophos from Sophos

SASFIS Malware Uses a New Trick

2010-05-31 by Joseph Cepe from Trend Micro

Sasfis Propagation

2010-05-27 by Kevin Liston from SANS ISC InfoSec Forums

Trojan.Sasfis

2010-02-02 by Éamonn Young from Symantec

SASFIS Fizzles in the Background

2010-01-21 by Loucif Kharouni from Trend Micro

Basic Information (Credit @etda.or.th)

Tool: OLDBAIT

Names: OLDBAIT, Sasfis

Description: (FireEye) OLDBAIT is a credential harvester that installs itself in %ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe. There is a missing space in the MediaPlayer directory name and the filename is missing the ‘o’ character. Both the internal strings and logic are obfuscated and are unpacked at startup. Credentials for the following applications are collected:
• Internet Explorer
• Mozilla Firefox
• Eudora
• The Bat! (an email client made by a Moldovan company)
• Becky! (an email client made by a Japanese company)
Both email and HTTP can be used to send out the collected credentials. Note: In some places it is mistakenly named Sasfis, which, however, appears to be a completely different and unrelated malware family.

Category: Malware

Type: Credential stealer

Information: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf

Information: https://www.secjuice.com/fancy-bear-review/

Mitre-attack: https://attack.mitre.org/software/S0138/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.oldbait

Last-card-change: 2022-12-29

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

Indicators of Compromise (Credit @ThreatFox)


TTP Info (Credit @Mitre)

Tactics: TA0043 Reconnaissance, TA0042 Resource Development, TA0001 Initial Access, TA0002 Execution, TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion, TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0011 Command and Control, TA0010 Exfiltration, TA0040 Impact

T1036.005 Masquerading: Match Legitimate Name or Location
OLDBAIT installs itself in %ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe; the directory name is missing a space and the file name is missing the letter "o".
T1027 Obfuscated Files or Information
OLDBAIT obfuscates internal strings and unpacks them at startup.
T1555 Credentials from Password Stores
OLDBAIT collects credentials from several email clients.
T1555.003 Credentials from Password Stores: Credentials from Web Browsers
OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, and Eudora.
T1071.001 Application Layer Protocol: Web Protocols
OLDBAIT can use HTTP for C2.
T1071.003 Application Layer Protocol: Mail Protocols
OLDBAIT can use SMTP for C2.