Threat intelligence

An In-Depth Look at Scarface Stealer

by Security News

Overview

This week, the SonicWall Capture Labs Threat Research team analyzed a sample of ScarfaceStealer, a Go-compiled information stealer that utilizes sophisticated anti-analysis techniques including:

  1. Heavy String Obfuscation - Uses space/rocket-themed junk strings to evade detection
  2. Function Name Obfuscation - Main functions use randomly concatenated English words
  3. Go Embed Package - Embeds configuration/payloads within the binary
  4. Minimal Visible Strings - Only 47 strings visible through Ghidra's string analysis

Technical Overview and Infection Cycle

Initial detection shows an unknown file type, but sections and section data show that the file is a Golang binary. The timestamps have also been tampered with to show a compile time of 1969. 
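The two header facts used above (a compile stamp that displays as 1969 and Go markers inside the sections) can be checked without a full PE parser. The following Python is an added example, not tooling from the write-up or from SonicWall: it reads the COFF TimeDateStamp directly, flags values that cannot be genuine build times, and looks for the Go build ID and Go-specific section names. The marker list and the year floor are assumptions of this example; the sample PE image is constructed inline and is not a loadable executable.

```python
import struct
from datetime import datetime, timezone

# Byte markers that commonly identify a Go build inside a PE image
# (the "Go build ID:" string and Go-specific section names). Assumption for
# this example: these are the markers the analysis tooling keys on.
GO_MARKERS = (b"Go build ID:", b".gopclntab", b".symtab")


def pe_timestamp(data: bytes) -> int:
    """Return the raw COFF TimeDateStamp (uint32, seconds since 1970 UTC)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF file header follows the 4-byte signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_looks_tampered(ts: int, floor_year: int = 2009) -> bool:
    """Flag stamps that cannot be genuine build times.

    A zeroed field decodes to 1970-01-01 UTC, which tools running in a time
    zone west of UTC display as 31 Dec 1969. Anything before Go's first
    public release (2009, the default floor) or in the future is equally
    suspicious.
    """
    if ts == 0:
        return True
    year = datetime.fromtimestamp(ts, tz=timezone.utc).year
    this_year = datetime.now(timezone.utc).year
    return year < floor_year or year > this_year + 1


def go_markers_present(data: bytes) -> list:
    """Return the Go markers found in the image, in the order defined above."""
    return [m.decode() for m in GO_MARKERS if m in data]


def build_minimal_pe(timestamp: int, trailer: bytes = b"") -> bytes:
    """Constructed test image: DOS header + PE signature + COFF header only.

    It is not a runnable executable; it exists so the checks above can be
    exercised offline without a real sample.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew -> PE signature
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 3, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff + trailer


def triage(data: bytes) -> dict:
    """Summarise the header facts a first-pass triage would record."""
    ts = pe_timestamp(data)
    return {
        "timestamp": ts,
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "timestamp_tampered": timestamp_looks_tampered(ts),
        "go_markers": go_markers_present(data),
    }


if __name__ == "__main__":
    # Constructed sample: zeroed stamp plus Go markers appended as a trailer.
    sample = build_minimal_pe(0, trailer=b"\x00Go build ID: \"constructed\"\x00.symtab\x00")
    print(triage(sample))
```

On a real file, replace the constructed sample with `open(path, "rb").read()`; the stamp check is deliberately coarse, since a zeroed or backdated stamp is a hint for further analysis, not a verdict on its own.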

Fig. 1: Initial Detection

Fig. 2: Go build ID and .symtab section

The file is heavily obfuscated with both function calls and strings. During runtime, these do not decode or rename themselves.

Fig. 3: Obfuscated functions

At runtime, the following is executed:

Phase 1: Initialization

  1. main.Introducing - Initializes malware components
  2. main.Impossible - Performs anti-VM/sandbox checks
  3. main.Existence - Checks for existing infections

Phase 2: Target Identification

  1. main.Identifying - Fingerprints the system
  2. main.Selecting - Identifies valuable targets (browsers, wallets)

Phase 3: Data Collection

  1. main.Solutions - Core stealing functionality
  2. main.Microphone - Audio capture
  3. main.Thumbnails - Screenshot capture
  4. main.Demonstrate - Extensive data gathering

Phase 4: Staging

  1. main.Preparing - Stages collected data
  2. main.Allowance - Manages resource allocation

Phase 5: Exfiltration

  1. main.Coordinate - Coordinates with C2
  2. main.Descending - Exfiltrates data

It should be noted that the binary is heavily anti-analysis, with multiple traps that will hinder or kill a debugger when attempting to step through runtime. Here are examples of items that may or may not run, depending on which flags are set during debugging:

  • LAUNCH_COMMAND, trajectory_calibration, TELEMETRY, orbital_insertion, IGNITION, HANDSHAKE_COMPLETE, MISSION_ABORT, FUEL_SYSTEM_NOMINAL
  • Stage1, Stage2, Stage3, prelaunch, countdown, liftoff
  • ALPHA_ZULU, BRAVO_TANGO, GPS-Galileo-GLONASS
  • trajectory_optimization_score, gravitational_alignment_value
  • quaternary_stabilization_node, quantum_entanglement
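Because the themed strings and the English-word main.* symbols are present in the binary as-is (the report notes they do not decode or rename themselves at runtime), they make a cheap static triage signal. The following Python is an added example written for this write-up, not code from the page or from SonicWall: it extracts printable strings the way a strings tool or Ghidra would, counts the rocket-themed markers listed above, collects main.* symbol names, and returns a heuristic verdict. The hit threshold and the "main.<Word>" pattern are assumptions of this example, and the sample bytes are constructed inline.

```python
import re

# Strings quoted in the write-up above (the rocket/space theme).
ROCKET_THEME = [
    "LAUNCH_COMMAND", "trajectory_calibration", "TELEMETRY", "orbital_insertion",
    "IGNITION", "HANDSHAKE_COMPLETE", "MISSION_ABORT", "FUEL_SYSTEM_NOMINAL",
    "prelaunch", "countdown", "liftoff",
    "ALPHA_ZULU", "BRAVO_TANGO", "GPS-Galileo-GLONASS",
    "trajectory_optimization_score", "gravitational_alignment_value",
    "quaternary_stabilization_node", "quantum_entanglement",
]
# "Stage1, Stage2, Stage3" from the same list, matched as one pattern.
STAGE_RE = re.compile(rb"Stage[1-3]")
# English-word main.* symbols as described in the phase list above
# (assumption: capitalised word of at least four letters).
MAIN_FUNC_RE = re.compile(rb"main\.([A-Z][a-z]{3,})")
GO_BUILD_ID = b"Go build ID:"


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs, the same view a strings tool or Ghidra gives."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def scan(data: bytes) -> dict:
    """Collect the static markers this family leaves in the image."""
    theme_hits = [s for s in ROCKET_THEME if s.encode() in data]
    theme_hits += sorted({m.group().decode() for m in STAGE_RE.finditer(data)})
    main_funcs = sorted({m.group(1).decode() for m in MAIN_FUNC_RE.finditer(data)})
    return {
        "go_binary": GO_BUILD_ID in data,
        "theme_hits": theme_hits,
        "main_funcs": main_funcs,
        "string_count": len(extract_strings(data)),
    }


def matches_family(report: dict, min_theme_hits: int = 3) -> bool:
    """Heuristic verdict: a Go image carrying several themed strings and at
    least one English-word main.* symbol. The threshold is an assumption."""
    return (report["go_binary"]
            and len(report["theme_hits"]) >= min_theme_hits
            and len(report["main_funcs"]) >= 1)


def constructed_sample() -> bytes:
    """Constructed stand-in for a sample: not real malware bytes."""
    return (b"MZ" + b"\x00" * 30
            + b"Go build ID: \"constructed\"\x00"
            + b"main.Introducing\x00main.Impossible\x00main.Descending\x00"
            + b"LAUNCH_COMMAND\x00Stage1\x00liftoff\x00TELEMETRY\x00")


if __name__ == "__main__":
    report = scan(constructed_sample())
    print(report)
    print("matches family:", matches_family(report))
```

The scan works on the raw bytes rather than on the extracted string list so that a themed token embedded inside a longer string is still counted; `string_count` is reported because the write-up treats a very low visible-string count as part of the fingerprint.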

Configuration and payloads may be embedded within the binary using Go's embed package.

Imported DLLs and Capabilities

DLL Dependencies

DLL | Purpose
kernel32.dll | Core Windows operations (file I/O, memory management, process control)
ntdll.dll | Low-level NT functions
advapi32.dll | Registry operations, security functions
ws2_32.dll | Winsock networking
dnsapi.dll | DNS query operations
crypt32.dll | Cryptographic functions
mswsock.dll | Microsoft Windows sockets extensions
secur32.dll | Security Support Provider Interface
shell32.dll | Shell operations
userenv.dll | User environment management
iphlpapi.dll | IP Helper API (network configuration)
netapi32.dll | Network management

Key Windows API Functions

File Operations
  • CreateFileW, DeleteFileW, MoveFileW
  • ReadFile, WriteFile, SetEndOfFile
  • GetFileAttributesW, SetFileAttributesW
  • GetTempPathW, GetCurrentDirectoryW
  • FindClose, CreateFileMappingW

Process/Thread Operations
  • CreateThread, CreateProcessAsUserW
  • OpenProcess, ExitProcess
  • GetCurrentProcessId, GetExitCodeProcess
  • TerminateProcess, WaitForSingleObject

Memory Management
  • VirtualAlloc, VirtualFree, VirtualQuery, VirtualLock
  • LocalAlloc, LocalFree

Registry Operations
  • RegCloseKey, RegCreateKeyExW
  • RegQueryValueExW, RegQueryInfoKeyW
  • RegLoadMUIStringW, RegDeleteValueW

Network Operations
  • WSAStartup, WSACleanup, WSAIoctl
  • WSARecvFrom, WSASendTo
  • closesocket, getsockname, getpeername
  • getsockopt, setsockopt
  • DnsQuery_W, DnsRecordListFree
  • GetAddrInfoW, TransmitFile, AcceptEx

Cryptographic Operations
  • CryptAcquireContextW, CryptReleaseContext
  • CertOpenSystemStoreW, CertGetCertificateChain

Security/Authentication
  • GetTokenInformation, LookupAccountSidW
  • LookupAccountNameW, ConvertSidToStringSidW
  • ConvertStringSidToSidW, GetLengthSid

Readable Main Functions

The following exported functions likely contain the core malware logic:

Function | Likely Purpose
main.Allowance | Resource allocation/permission checks
main.Coordinate | Data coordination/C2 communication
main.Demonstrate | Core functionality (multiple sub-functions)
main.Descending | Data exfiltration/download
main.Existence | Persistence mechanism checks
main.Identifying | Target identification/fingerprinting
main.Impossible | Anti-analysis/VM detection
main.Introducing | Initialization routines
main.Investing | Resource gathering
main.Masturbation | Data stealing
main.Microphone | Audio capture capability
main.Preparing | Pre-exfiltration staging
main.Selecting | Target selection
main.Solutions | Core stealer logic
main.Thumbnails | Image/screenshot capture
main.Typically | Standard operations

Suspected Capabilities

Based on code analysis, this stealer likely targets:

Browser Data
  • Cookies
  • Saved passwords (Login Data)
  • Browser history
  • Autofill data

System Information
  • Hardware fingerprinting
  • Network configuration
  • User account details
  • Installed software

Communication
  • Uses net/http for HTTP communications
  • TLS support (crypto/tls, crypto/x509)
  • DNS operations for domain resolution

Audio Capture
  • main.Microphone function suggests audio recording capability

Screen Capture
  • main.Thumbnails function suggests screenshot capability

 

The following ciphers are referenced throughout the file:

Algorithm | Usage
AES-256 | Data encryption
ChaCha20 | Stream cipher
SHA3-512 | Hashing
BLAKE2b | Hashing
RSA-1024/RSA-2048 | Asymmetric encryption
Whirlpool | Hashing
TLS 1.0/1.3 | Secure communication

MITRE ATT&CK Mapping

Technique ID | Technique Name | Evidence
T1059 | Command and Scripting Interpreter | os/exec package
T1005 | Data from Local System | File access APIs
T1012 | Query Registry | Registry API imports
T1082 | System Information Discovery | System info collection
T1083 | File and Directory Discovery | File enumeration APIs
T1071 | Application Layer Protocol | HTTP/TLS communication
T1027 | Obfuscated Files or Information | Space-themed string obfuscation
T1041 | Exfiltration Over C2 Channel | Network APIs
T1123 | Audio Capture | main.Microphone function
T1113 | Screen Capture | main.Thumbnails function
T1056 | Input Capture | Credential stealing

Conclusion

This ScarfaceStealer sample represents a moderately sophisticated Go-based information stealer that employs creative obfuscation techniques to evade detection and hinder analysis. The space/rocket mission themed strings are a unique fingerprint of this malware family. The use of Go provides cross-platform potential while complicating reverse engineering due to Go's unique calling conventions and runtime. The embedded configuration via Go's embed package suggests the malware may be easily repackaged with different C2 configurations.

SonicWall Protection

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: ScarfaceStealer.Rocket (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI™ and the Capture Client endpoint solution.

IOCs

34bf38875030dbee3e231dcfd05505fae829475e68dd2db2f0ec204593cd3212

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.