DeerStealer is a Windows-based stealer malware designed to steal sensitive user information, including login credentials, web browser data, and cryptocurrency wallet contents. It has similarities with other stealer malware such as XFiles and Lumma. It is commonly spread through phishing emails and malvertising campaigns that appear trustworthy, such as the Google Authenticator incident.

Upon infecting a system, DeerStealer collects sensitive data and transmits it to a remote command and control (C2) server. It persists on compromised systems by modifying registry keys and generating malicious executables, ensuring that it survives system reboots and continues its malicious activities uninterrupted.

DeerStealer poses as a legitimate download package, increasing the risk that users unknowingly download and run it. This makes DeerStealer very dangerous to both users and organizations that possess sensitive data. To mitigate the risk posed by DeerStealer, this blog post shows how to detect a DeerStealer malware infection on Windows endpoints with Wazuh.

DeerStealer behavior

Below are behaviors exhibited by DeerStealer malware when it is executed on a Windows endpoint:

  • It performs system information discovery to determine if it is running in a sandbox or virtual environment. It usually collects hardware identifiers (HWID) and transmits them to a command and control (C2) server.
  • It creates, modifies, and deletes Windows registry keys in the following paths to persist its operations:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bam\State\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    • HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run\
  • It runs directly in memory without leaving any trace on the system disk to avoid detection.
  • It scans infected systems for credentials from web browsers, email clients, and cryptocurrency wallets. It extracts the data and sends it to its command and control (C2) server.
  • It communicates with a command and control (C2) server via POST requests to send stolen data, often obfuscating the traffic with simple XOR encryption.

Analyzed sample

Type     Value
SHA256   72E18D1F94925F558F47BAF67848E00775A07622DF025EBCE3C1264296D6D44E
SHA1     3A689C14F50B7569FD3452E640C53CD9B7C173B2
MD5      df3fc9d0e3234bec4a4a21004056d0e3

Infrastructure

The following infrastructure is used to demonstrate the detection of DeerStealer malware with Wazuh:

  • A pre-built, ready-to-use Wazuh OVA 4.9.2 which includes the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow this guide to download and set up the Wazuh virtual machine.
  • A Windows 11 victim endpoint with Wazuh agent version 4.9.2 installed and enrolled on the Wazuh server.

Detection with Wazuh

In this section, we show how to configure the detection of the DeerStealer malware with Wazuh.

Windows endpoint

We use Sysmon to monitor several system events, such as file creation, registry changes, DNS queries, and process execution, on the victim Windows endpoint.

Perform the following steps to configure the Wazuh agent to collect and forward Sysmon logs from the Windows endpoint to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Use PowerShell with administrator privilege to create a Sysmon folder in the C:\ folder:

> New-Item -ItemType Directory -Path C:\Sysmon

3. Extract the content of the compressed Sysmon file to the C:\Sysmon folder:

> Expand-Archive -Path "<PATH>\Sysmon.zip" -DestinationPath "C:\Sysmon"

Replace <PATH> with the path where the Sysmon.zip file was downloaded.

4. Download the Sysmon configuration file sysmonconfig.xml to the C:\Sysmon folder using the PowerShell command below:

> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile C:\Sysmon\sysmonconfig.xml

5. Switch to the directory with the Sysmon executable and run the command below to install and start Sysmon using PowerShell with administrator privileges:

> cd C:\Sysmon
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

6. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

7. Restart the Wazuh agent to apply the configuration changes by running the following PowerShell command as an administrator:

> Restart-Service -Name wazuh

Wazuh server

We create custom rules to generate alerts when DeerStealer malware activities are detected on the Windows endpoint. Perform the following steps to create detection rules on the Wazuh server.

1. Create a custom rule file deerstealer_rules.xml in the /var/ossec/etc/rules/ directory of the Wazuh server:

# touch /var/ossec/etc/rules/deerstealer_rules.xml

2. Add the custom rules for the DeerStealer malware below to the /var/ossec/etc/rules/deerstealer_rules.xml file:

<group name="deerstealer, stealer-malware,">

<!-- Persistence detection -->
  <rule id="111200" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.image" type="pcre2">\\\\(Windows|Users)\\\\.+\\\\(skotes|cmd|ActiveISO|sxqnmytm|DllHost|(?!(svchost.exe|powershell.exe))\w+).exe</field>
    <field name="win.eventdata.imageLoaded" type="pcre2">\\\\Windows\\\\SysWOW64.+(mstask|Bichromate|msvcp140|Qt5Core|Qt5Gui|Qt5Network|Qt5PrintSupport|Qt5Widgets|StarBurn|vcruntime140|msvcp140).+dll</field>
    <description>Possible DeerStealer malware detected. New scheduled task: $(win.eventdata.imageLoaded) was created by: $(win.eventdata.image).</description>
    <mitre>
      <id>T1053.005</id>
    </mitre>
  </rule>

<!-- Malicious file creation -->
  <rule id="111201" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">\\\\(Windows|Users)\\\\.+\\\\(skotes|cmd|(?!(svchost.exe))\w+).exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">\\\\(Windows|Users)\\\\.+\\\\(skotes|ActiveISO|sxqnmytm|DllHost|CHROME.EXE|ELEVATION_SERVICE.EXE|SKOTES.EXE)(.job|.exe|.pf|.js)</field>
    <description>Possible DeerStealer malware activity detected. Malicious file created at $(win.eventdata.targetFilename) by $(win.eventdata.image).</description>
    <mitre>
      <id>T1059</id>
      <id>T1105</id>
    </mitre>
  </rule>

<!-- Executable dropped in Malicious location -->
  <rule id="111202" level="12">
    <if_sid>92213</if_sid>
    <field name="win.eventdata.image" type="pcre2">\\\\(Windows|Users)\\\\.+\\\\(svchost|skotes|cmd|\w+|\d+).exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">\\\\Users\\\\.+\\\\AppData\\\\Local\\\\.+(skotes|ActiveISO|sxqnmytm|DllHost)|(.job|.exe|.pf|.js)</field>
    <description>Possible DeerStealer malware activity detected. Executable file dropped in folder commonly used by malware: $(win.eventdata.targetFilename).</description>
    <mitre>
      <id>T1105</id>
      <id>T1059</id>
    </mitre>
  </rule>

<!-- Process creation -->
  <rule id="111203" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+skotes.exe</field>
    <description>Possible DeerStealer malware executable: $(win.eventdata.commandLine) was run.</description>
    <mitre>
      <id>T1543</id>
    </mitre>
  </rule>

<!-- Network connection to C2 server -->
  <rule id="111204" level="12">
    <if_sid>61605</if_sid>
    <field name="win.eventdata.image" type="pcre2">\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\\\\(skotes|\w+).exe</field>
    <field name="win.system.message" type="pcre2">Network connection detected</field>
    <field name="win.eventdata.destinationPort" type="pcre2">80</field>
    <description>Possible DeerStealer network connection to C2 server: $(win.eventdata.destinationIp) on port: $(win.eventdata.destinationPort).</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>

<!-- Registry tampering - targeting HKLM -->
  <rule id="111205" level="12">
    <if_sid>61614, 61615</if_sid>
    <field name="win.eventdata.image" type="pcre2">\\\\(Windows|Users)\\\\.+\\\\(skotes|cmd|karat|(?!(svchost.exe))\w+).exe</field>
    <field name="win.eventdata.eventType" type="pcre2">(CreateKey|SetValue)</field>
    <field name="win.eventdata.targetObject" type="pcre2">HKLM\\\\(System|SOFTWARE)\\\\(CurrentControlSet|Microsoft)\\\\(Control|Windows NT|Services)\\\\(SecurityProviders|CurrentVersion|bam)\\\\.+\\\\(skotes|ActiveISO|sxqnmytm|DllHost|msedge|chrome|cmd).exe</field>
    <description>Possible DeerStealer malware executable, $(win.eventdata.image) performed $(win.eventdata.eventType) on $(win.eventdata.targetObject).</description>
    <mitre>
      <id>T1543</id>
      <id>T1053.005</id>
    </mitre>
  </rule>

<!-- Registry tampering - targeting HKU for persistence on next logon -->
  <rule id="111206" level="12">
    <if_sid>61614, 61615, 92300</if_sid>
    <field name="win.eventdata.image" type="pcre2">\\\\(Windows|Users)\\\\.+\\\\(skotes|cmd|karat(?!(svchost.exe))).exe</field>
    <field name="win.eventdata.eventType" type="pcre2">(CreateKey|SetValue)</field>
    <field name="win.eventdata.targetObject" type="pcre2">HKU\\\\.+\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\.+exe</field>
    <description>Possible DeerStealer malware executable, $(win.eventdata.image) performed $(win.eventdata.eventType) on $(win.eventdata.targetObject).</description>
    <mitre>
      <id>T1547</id>
      <id>T1053.005</id>
    </mitre>
  </rule>

</group>

Below are the rules triggered by the DeerStealer malware activities and their trigger conditions:

Rule ID   Trigger condition
111200    Triggered when DeerStealer malware schedules a new task.
111201    Triggered when DeerStealer malware creates a malicious file.
111202    Triggered when DeerStealer malware drops an executable in the C:\Users\<USERNAME>\AppData\Local\Temp directory. This directory is commonly used by malware.
111203    Triggered when a DeerStealer malware executable is run.
111204    Triggered when DeerStealer malware makes a network connection to the command and control (C2) server. This connection uses port 80.
111205    Triggered when DeerStealer malware tampers with the HKEY_LOCAL_MACHINE registry hive.
111206    Triggered when DeerStealer malware tampers with the HKEY_USERS registry hive.

3. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager
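Before restarting the manager, it helps to confirm that the pcre2 patterns in the custom rules match the event fields you expect them to match. The script below is an added example, not Wazuh code: it loads a constructed subset of the rules above (111203, 111204 and 111206), applies the escaping convention assumed here (Wazuh's XML loader turns `\\` into `\`, so `\\\\` in the rule file reaches PCRE2 as `\\`, one literal backslash), and evaluates every `<field>` condition against constructed Sysmon-style events. The `parent_sid` key on each event stands in for the Wazuh rule that would already have matched the raw Sysmon event (61603, 61605, 61615); the events, paths and SIDs in them are constructed for the demonstration.

```python
"""Offline check of custom Wazuh pcre2 <field> conditions against constructed
Sysmon-style events. Added example; not part of Wazuh or the original post."""
import re
import xml.etree.ElementTree as ET

# Constructed subset of the custom rule file. Assumption: Wazuh's XML loader
# turns "\\" into "\", so "\\\\" reaches PCRE2 as "\\", one literal backslash.
RULES_XML = r"""
<group name="deerstealer, stealer-malware,">
  <rule id="111203" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+skotes.exe</field>
    <description>Possible DeerStealer malware executable: $(win.eventdata.commandLine) was run.</description>
  </rule>
  <rule id="111204" level="12">
    <if_sid>61605</if_sid>
    <field name="win.eventdata.image" type="pcre2">\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\\\\(skotes|\w+).exe</field>
    <field name="win.system.message" type="pcre2">Network connection detected</field>
    <field name="win.eventdata.destinationPort" type="pcre2">80</field>
    <description>Possible DeerStealer network connection to C2 server: $(win.eventdata.destinationIp) on port: $(win.eventdata.destinationPort).</description>
  </rule>
  <rule id="111206" level="12">
    <if_sid>61614, 61615, 92300</if_sid>
    <field name="win.eventdata.image" type="pcre2">\\\\(Windows|Users)\\\\.+\\\\(skotes|cmd|karat(?!(svchost.exe))).exe</field>
    <field name="win.eventdata.eventType" type="pcre2">(CreateKey|SetValue)</field>
    <field name="win.eventdata.targetObject" type="pcre2">HKU\\\\.+\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\.+exe</field>
    <description>Possible DeerStealer malware executable, $(win.eventdata.image) performed $(win.eventdata.eventType) on $(win.eventdata.targetObject).</description>
  </rule>
</group>
""".strip()


def wazuh_unescape(pattern):
    """Collapse the XML-level "\\\\" escape into the "\\" that PCRE2 sees."""
    return pattern.replace("\\\\", "\\")


def load_rules(xml_text):
    """Parse <rule> elements into dicts with compiled field regexes."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": {int(s) for s in r.findtext("if_sid").split(",")},
            # Every <field> must match for the rule to fire (AND semantics).
            "fields": [(f.get("name"), re.compile(wazuh_unescape(f.text)))
                       for f in r.findall("field")],
            "description": r.findtext("description"),
        })
    return rules


def matching_rules(rules, event):
    """Return the IDs of the rules whose parent SID and all fields match."""
    hits = []
    for rule in rules:
        if event.get("parent_sid") not in rule["if_sid"]:
            continue
        # pcre2 fields are unanchored searches, so "80" also matches "8080".
        if all(event.get(name) is not None and rx.search(event[name])
               for name, rx in rule["fields"]):
            hits.append(rule["id"])
    return sorted(hits)


def render_description(rule, event):
    """Expand $(field) placeholders the way the alert description would show."""
    return re.sub(r"\$\(([\w.]+)\)",
                  lambda m: event.get(m.group(1), "?"), rule["description"])


RULES = load_rules(RULES_XML)

# Constructed events; paths, SIDs and the IP below are not taken from a real host.
SAMPLE_EVENTS = [
    {"parent_sid": 61603,  # process creation
     "win.eventdata.commandLine": r'"C:\Users\victim\AppData\Local\Temp\abc123\skotes.exe"'},
    {"parent_sid": 61605,  # network connection
     "win.eventdata.image": r"C:\Users\victim\AppData\Local\Temp\abc123\skotes.exe",
     "win.system.message": "Network connection detected:\nRuleName: -",
     "win.eventdata.destinationIp": "192.0.2.10",
     "win.eventdata.destinationPort": "80"},
    {"parent_sid": 61615,  # registry value set
     "win.eventdata.image": r"C:\Users\victim\AppData\Local\Temp\abc123\skotes.exe",
     "win.eventdata.eventType": "SetValue",
     "win.eventdata.targetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\skotes.exe"},
    {"parent_sid": 61603,  # benign process creation, should not fire
     "win.eventdata.commandLine": r"C:\Windows\System32\notepad.exe"},
    {"parent_sid": 61605,  # same image but port 443, rule 111204 requires 80
     "win.eventdata.image": r"C:\Users\victim\AppData\Local\Temp\abc123\skotes.exe",
     "win.system.message": "Network connection detected:\nRuleName: -",
     "win.eventdata.destinationPort": "443"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for rule in RULES:
            if rule["id"] in matching_rules(RULES, ev):
                print(rule["id"], rule["level"], render_description(rule, ev))
```

Two things the script makes visible that are easy to miss when reading the XML: a rule fires only when every one of its `<field>` conditions matches, and each condition is an unanchored search, so a port pattern of `80` also matches `8080` or `8000`. Anchoring such patterns (`^80$`) is a cheap way to reduce false positives once the rules behave as expected on the constructed events.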

Visualizing alerts on the Wazuh dashboard

The alerts below are generated on the Wazuh dashboard when the DeerStealer malware is executed on the victim endpoint. Perform the following steps to view the alerts on the Wazuh dashboard.

1. Navigate to Threat intelligence > Threat Hunting.

2. Click + Add filter, then select rule.groups in the Field field.

3. Select is in the Operator field.

4. Enter deerstealer in the Value field.

5. Click Save to enable the filter.

Figure 1: DeerStealer malware alerts on the Wazuh dashboard.

Conclusion

This blog post shows how to detect DeerStealer malware on a Windows endpoint using Wazuh. By integrating Sysmon, we enrich the Windows event logs from the affected endpoint and create rules that identify malicious activities linked to DeerStealer.

Wazuh is a free, open source enterprise-ready security platform for threat detection, incident response, and compliance. Wazuh integrates with third-party platforms. Wazuh also has a growing community where users are supported. To learn more about Wazuh, please check out our documentation and blog posts.
