💎 WhiteSnake - Stealer for APT attacks

[WhiteSnake]

White Snake update 1.5.9.2

• Authy and WinAuth session recovery.
• Detect and highlight gov domains in passwords.
• Stub now generating random network traffic to confuse researchers and sandboxes.
• Builder now can append random resources to make build more unique and avoid some GEN detects.
• Cleaned ESET static detects (a variant of MSIL/Spy.WhiteSnake.C trojan)
• Small optimizations.

 

[WhiteSnake]

White Snake update 1.5.9.3

• Keylogger was added.
• Stub cleaned.
• Small fixes.

 

[WhiteSnake]

White Snake update 1.5.9.4

• Linux stub reporting method updated.
• Cleaned WD/Eset detects on windows stub.
• Builder checkbox display fixes.
• Small changes in activation window.
• Some new icons in builder.

1 file

avcheck.net

 

[WhiteSnake]

White Snake update 1.5.9.5

• Cleaned static eset detect (a variant of MSIL/Spy.WhiteSnake.D)
• Dynamic WinAPI calls (Will decrease runtime detects)
• New string encoding methods added.
• Fixes with downloader.

Current static detects: https://avcheck.net/id/x6VXiffIeANA

 

[WhiteSnake]

White Snake update 1.5.9.6

• Panel update:

View victim's instagram automatic action.
View victim's github automatic action.
View victim's page on all Xenforo engine based forums (lolz[.]guru and etc)
View running processes and installed applications.
process-list terminal command was added.
ls terminal command was added. (Better then using windows dir command, lol)
stream desktop/webcam (Compatible with old builds)

• Stub update:

Faster data collection, fewer runtime detects.
USB spread.
Local users spread (Install stealer to other users on victim's pc; requires user login)

1 file

avcheck.net

 

[crypt0]

4/26 detections already after stub cleaning skidz must be uploading the bare stub to Virus total or some shitz bro why are people so stupid in this way ???

 

[WhiteSnake]

Посмотреть вложение 55867

4/26 detections already after stub cleaning skidz must be uploading the bare stub to Virus total or some shitz bro why are people so stupid in this way ???

Yeah. Some people is stupid, but idk who

 

[WhiteSnake]

White Snake update 1.5.9.7

• DPAPI decrypt remote terminal command.
• Optimized string encryption in builder
• Input values verification in builder.
• Panel installer optimizations.
• Chrome decryption fixes.
• Code refactoring.
• Cleaned Eset detect (MSIL/Spy.WhiteSnake.E trojan)

P.S (MSI file extension is FUD in scantime)

 

[WhiteSnake]

Now we have very powerful server.
it will be easier to expand the infrastructure in new updates.

 

[WhiteSnake]

White Snake update 1.5.9.8

• Signal chats decrypt/export automatic action.
• Roblox account info automatic action.
• Signal recovery for linux stub (tested on ubuntu and manjaro)
• Cleaned ESET static detect.
• Tabs with no data will be hidden.
• Fixed JSON report system info.
• Small fixes in dark theme.

 

[WhiteSnake]

White Snake update 1.5.9.9

• Progress bar for log download using "Open" button from tg bot.
• Added automatic action to view VK, Facebook, Twitch profiles.
• Added Chrome token service decryption.
• Added Opera Stable and Opera GX recovery.
• Updated user-agents generator.
• Updated telegram collection (now by process)
• Cleaned Eset GEN detect.
• Report parser/converter fixes

Remote terminal changes (Look help command for more info.

• Added 'transfer' command (To upload file and get direct url; Will be faster then uploading using tor)
• Added 'compress' command to create ZIP archive from directory.
• Added 'decompress' command to extract ZIP.
• Small changes with loader command (You can specify if need to download and run file or just download)

 

[WhiteSnake]

White Snake update 1.6

• Added LNK exploit builder.
• Cleaned WD detect.
• Some stub optimizations.

 

[madness]

White Snake update 1.6

• Added LNK exploit builder.
• Cleaned WD detect.
• Some stub optimizations.

whitesneak taking stealers to new level ​

 

[WhiteSnake]

White Snake update 1.6.0.1

• Сhrome cookies decryption fixes.
• Morpher fixes, now crypted (https://t.me/FoxCrypt_BOT) stub will not crash. (Maybe)
• Cleaned WD detect. (Plz do not upload to VirusTotal)
• Added automatic action to view wallet info from Ledger Live.
• Added PDF extension into LNK exploit builder. (Requires Adobe Reader installed to display icon)
• Added browsers history view. (Requires new build)

 

[BrexitC]

The malware looks great, does it uses the api.telegram as a Command and Control or you can configure a C2 IP?

 

[WhiteSnake]

White Snake update 1.6.0.2

• Added Exodus Wallet bruteforce automatic action.
• Added new execution technique to LNK builder.
• Fixed execution problem on some systems of LNK file.
• Updated automatic action with browser cloning. Now it works more faster and better with all data import from Chrome and FF based browsers (Also compatible with old reports)

 

[WhiteSnake]

The malware looks great, does it uses the api.telegram as a Command and Control or you can configure a C2 IP?

Currently using telegram, but we working on custom C2. In next updates you will be able to choose your exfiltration method.

 

[Mikasaki]

Regarding the macro builds. Can they be attached to email like other doc and xls macros?

 

[WhiteSnake]

Regarding the macro builds. Can they be attached to email like other doc and xls macros?

Yep, but success execution depends from MS office version and etc.

 

[BrexitC]

You can use the "new" zip or move domains created by google to try to get new victims, just and idea