Cracking Braodo Stealer: Analyzing Python Malware and Its Obfuscated Loader

Braodo Stealer is one of the many active and evolving malware families designed to steal sensitive information, such as credentials, cookies, and system data, from compromised machines. Typically written in Python, this malware employs a variety of obfuscation techniques to conceal its true intentions, making it challenging for security solutions to identify.

This malware leverages popular developer platforms like GitHub and GitLab for distributing its payloads, often utilizing these repositories to host malicious code disguised as legitimate projects. Furthermore, it employs Telegram bots as command-and-control (C2) channels, allowing attackers to communicate stealthily and exfiltrate stolen data efficiently.

In this blog, the Splunk Threat Research Team will share an analysis of Braodo Stealer. We will break down its loader mechanisms, obfuscation strategies, and payload behavior to provide a clearer understanding of its operations. Additionally, we will share insights into detection techniques and defense strategies to empower security professionals in identifying and mitigating this growing threat effectively.

Code Repositories (T1213)

The Splunk Threat Research Team has observed several active Braodo Stealer campaigns in the wild, abusing popular developer platforms like GitHub and GitLab, which allow developers to create, store, manage, and share their code. These platforms are abused to host and distribute malicious payloads, as seen in various campaigns. Notably, security researchers, including @suyog41, have shared insights into the latest variants of this malware family. 

Figure 01 and 02 below highlight one such GitLab and GitHub repository, where an archive package containing the Braodo Stealer payload is stored. This payload is later downloaded by the batch script loader as part of the malware's infection process.

^{Figure 01: Gitlab that Host Braodo Stealer}

^{Figure 02: Github that Host Braodo Stealer}

Loader (Batch Script)

Command Obfuscation (T1027.010)

The Braodo Stealer campaign commonly employs an obfuscated batch script as a loader for its actual Python payload. This batch script utilizes various techniques designed to hinder static analysis, making it more difficult for security researchers to detect and analyze its behavior. 

Random Named Environment Variable 

Braodo Stealer utilizes randomly named environment variables to obfuscate the actual script it intends to execute. These variables are used to dynamically construct the batch script at runtime, making static analysis significantly more difficult. However, this obfuscation can be reversed using techniques such as string replacement or the print method, as detailed in the Splunk Threat Research Team’s blog AsyncRAT Crusade: Detections and Defense.

^{Figure 03: Random named Environment variable}

Byte Order Mark (BOM) and Obfuscator

The Splunk Threat Research Team also observed that Braodo Stealer employed the use of a Byte Order Mark (BOM) in its batch script to deceive text editors and certain command-line tools into interpreting the script as Unicode. This tactic causes the script to appear like gibberish or as though it is written in another language, effectively making it harder to analyze and understand.

Additionally, once the BOM bytes are removed from the batch script, it becomes evident that Braodo Stealer uses an open-source batch script obfuscator called ABOBUS. This obfuscator can apply up to 10 layers of various obfuscation techniques, significantly complicating efforts to recover the original batch script that is set to be executed. These multiple layers of obfuscation are designed to make reverse engineering and analysis more challenging.

Figure 04 provides a screenshot illustrating the appearance of the heavily obfuscated batch script before and after removing the byte order mark bytes.

^{Figure 04: ABOBUS Obfuscator}

Leveraging this information about the obfuscator, the Splunk Threat Research Team was able to hunt for additional new samples with very low detection rates on VirusTotal, as demonstrated in Figure 05. This information shows how this obfuscator is being utilized by threat actors to evade detections.

^{Figure 05: Threat Hunting Braodo Stealer Loader}

By analyzing the code of the ABOBUS obfuscator, the Splunk Threat Research Team was able to deobfuscate the batch script loader, revealing its true intent like what we can see in Figure 06. 

The batch script is designed to execute a PowerShell command that downloads the actual payload from a GitLab or GitHub repository, which functions as its C2 server. The downloaded file is a zip archive containing several Python libraries along with a second-stage payload named "rz_317.pd." This Python script is responsible for decrypting and loading the actual Braodo Stealer, completing the infection chain.

^{Figure 06: Deobfuscated Braodo Stealer “ABOBUS Obfuscated” Loader}

Second Stager (Python Script)

Encrypted/Encoded File (T1027.013)

Figure 07 presents a screenshot of the second-stage Python script, which is responsible for base64 decoding and decrypting the AES-encrypted Braodo Stealer payload stored in the "Error_cache.db" file. Once the payload is successfully decoded and decrypted, the script proceeds to execute it, completing the malware's deployment process.

^{Figure 07: Second Stage Python Script}

Braodo Stealer Tactics and Techniques

Registry Run Keys (T1547.001)

Some variants of this Braodo Stealer utilized the registry run keys to gain persistence on the compromised or targeted host to survive or to automatically execute its code upon system boot up.

^{Figure 08: Registry Run Keys}

Screen Capture (T1113)

Figure 09 provides a screenshot showcasing Braodo's functionality for capturing an image of the compromised host's screen. The screenshot is saved as "screenshot.png" in the %temp% folder and is included in the archive of collected data, along with browser credentials, cookies, and other sensitive information.

^{Figure 9: Screen Capture Capability}

Clipboard Data (T1115)

In addition to its screen capture capability, Braodo Stealer also collects clipboard data, which can serve as a valuable source of sensitive information such as usernames and passwords that the user may have copied and pasted on the compromised host.

^{Figure 10: Collect Clipboard Data}

System Information Discovery (T1082)

As part of its beaconing and data exfiltration process, Braodo Stealer gathers various system details, including the country code, city, OS version, username, and hostname. It also collects a list of running processes, which is saved to "%temp%/window.txt" using the tasklist command-line tool. This information is used to better understand the compromised environment and facilitate further malicious actions.

^{Figure 11: System Information}

^{Figure 12: Process List}

Credentials from Web Browsers (T1555.003)

The primary functionality of Braodo Stealer is to collect and exfiltrate credentials, particularly from web browsers. Figure 13 displays a code snippet from one variant of Braodo Stealer, showing its ability to target popular browsers such as Chrome, Firefox, MS Edge, Opera, Brave, and Chromium. The malware decodes and decrypts credentials stored within these browsers. To avoid access errors when extracting encrypted data like master keys and passwords, Braodo Stealer first attempts to terminate the main browser process before proceeding with the decryption.

^{Figure 13: Targeted Browser}

Figure 14 presents a screenshot of the data collected by Braodo Stealer, including decrypted passwords and usernames extracted from targeted web browsers. This information is stored in the %temp% folder, then archived for exfiltration to the malware's C2 server.

^{Figure 14: Braodo Stealer Collected Data}

Exfiltration Over C2 Channel (T1041)

This malware utilizes a Telegram bot as its C2 server, enabling it to transmit all collected sensitive data from the compromised host to the attackers. Telegram's API is leveraged for stealthy and efficient communication.

^{Figure 15: Telegram Bot C2 server}

Detections

Windows Credentials from Web Browsers Saved in TEMP Folder

The following analytic detects the creation of files containing passwords, cookies, and saved login account information by the Braodo Stealer malware in temporary folders. Braodo often collects these credentials from browsers and applications, storing them in temp directories before exfiltration.

|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem 
  where Filesystem.file_name IN ("login*", "pass*","cookie*","master_key*") Filesystem.file_path = "*\\temp\\*" 
  by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time 
  | `drop_dm_object_name(Filesystem)`
  | `security_content_ctime(firstTime)` 
  | `security_content_ctime(lastTime)` 

^{Figure 16: Windows Credentials from Web Browsers Saved in TEMP Folder Detection}

Windows Credentials from Password Stores Chrome Copied in TEMP Folder

The following analytic detects the copying of Chrome's Local State and Login Data files into temporary folders, a tactic often used by the Braodo stealer malware. These files contain encrypted user credentials, including saved passwords and login session details.

|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem 
  where Filesystem.file_name IN ("login*", "pass*","cookie*","master_key*") Filesystem.file_path = "*\\temp\\*" 
  by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time 
  | `drop_dm_object_name(Filesystem)`
  | `security_content_ctime(firstTime)` 
  | `security_content_ctime(lastTime)` 

^{Figure 17: Windows Credentials from Password Stores Chrome Copied in TEMP Folder}

Windows Disable or Stop Browser Process

The following analytic detects the use of the taskkill command in a process command line to terminate several known browser processes, a technique commonly employed by the Braodo stealer malware to steal credentials. By forcefully closing browsers like Chrome, Edge, and Firefox, the malware can unlock files that store sensitive information, such as passwords and login data.

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
  where Processes.process = "*taskkill*" Processes.process IN("*chrome.exe","*firefox.exe","*brave.exe","*opera.exe","*msedge.exe","*chromium.exe")
  by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id
  Processes.parent_process_id 
  | `drop_dm_object_name(Processes)` 
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`

^{Figure 18: Windows Disable or Stop Browser Process Detection}

Windows Screen Capture in TEMP folder

The following analytic detects the creation of screen capture files by the Braodo Stealer malware. This stealer is known to capture screenshots of the victim's desktop as part of its data theft activities. The detection focuses on identifying unusual screen capture activity, especially when images are saved in directories often used by malware, such as temporary or hidden folders.

|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem 
  where Filesystem.file_name IN ("screenshot.png", "screenshot.jpg","screenshot.bmp") Filesystem.file_path = "*\\temp\\*" 
  by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time 
  | `drop_dm_object_name(Filesystem)`
  | `security_content_ctime(firstTime)` 
  | `security_content_ctime(lastTime)`

^{Figure 19: Windows Screen Capture in TEMP Folder Detection}

Windows Archived Collected Data In TEMP Folder

The following analytic detects the creation of archived files in a temporary folder, which may contain collected data. This behavior is often associated with malicious activity, where attackers compress sensitive information before exfiltration.

|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem 
  where Filesystem.file_name IN ("*.zip", "*.rar", "*.tar", "*.7z") Filesystem.file_path = "*\\temp\\*" 
  by _time Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_create_time 
  | `drop_dm_object_name(Filesystem)`
  | `security_content_ctime(firstTime)` 
  | `security_content_ctime(lastTime)` 

^{Figure 20: Windows Archived Collected Data In TEMP Folder Detection}

IOCs

Learn More

This blog helps security analysts, blue teamers and Splunk customers identify Braodo Stealer malware by enabling the community to discover related tactics, techniques, and procedures used by threat actors and adversaries. You can implement the detections in this blog using the Enterprise Security Content Updates app or the Splunk Security Essentials app. To view the Splunk Threat Research Team's complete security content repository, visit research.splunk.com.

Feedback

Any feedback or requests? Feel free to put in an issue on Github and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team for their contributions.