“Borr” is an Info Stealer that steals various sensitive information from the victim’s computer. Borr Info Stealer connects to a Command & Control (C&C) server and, depending on the configuration received from the C&C server, may issue commands to perform various malicious activities on the victim’s computer. It is able to steal sensitive information and passwords from web browsers, mail clients, FTP clients, cryptocurrency wallets, and other applications on the compromised system.
This post serves to inform our customers about detection and protection capabilities within the VMware Carbon Black suite of products against Borr Info Stealer.
Borr collects the stolen sensitive information into the folder “C:\ProgramData\PSSLB.tmp\”, compresses it into a zip file, and then sends that archive to the command and control (C&C) server.
VMware Carbon Black Cloud Endpoint Standard (CB Defense) will display the malware’s overall triggered TTPs.
TID | Tactics | Technique |
---|---|---|
T1045 | Defense Evasion | Software Packing |
T1081 | Credential Access | Credentials in Files |
T1083 | Discovery | File and Directory Discovery |
T1119 | Collection | Automated Collection |
T1005 | Collection | Data from Local System |
T1012 | Discovery | Query Registry |
T1082 | Discovery | System Information Discovery |
T1002 | Exfiltration | Data Compressed |
T1043 | Command and Control | Commonly Used Ports |
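The staging behaviour described above (files collected under C:\ProgramData\PSSLB.tmp\, zipped, then uploaded) maps to the Data Compressed and Commonly Used Ports TTPs in the table. The following is an added detection example, not code from the report or from Carbon Black: it correlates a zip written into that staging directory with a subsequent outbound connection from the same process. The event schema, the 5-minute window and the sample telemetry (including the destination addresses) are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Staging directory named in the report; the stealer zips collected data here before upload.
STAGING_ZIP_RE = re.compile(r"^c:\\programdata\\psslb\.tmp\\.*\.zip$", re.IGNORECASE)


@dataclass
class Event:
    ts: datetime   # event timestamp
    pid: int       # process that produced the event
    kind: str      # "file_create" or "net_connect" (assumed schema)
    target: str    # file path for file_create, "ip:port" for net_connect


def find_staged_exfil(events: List[Event], window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Return one finding per process that writes a zip into the staging
    directory and then opens an outbound connection within `window`."""
    findings = []
    staged: Dict[int, Tuple[datetime, str]] = {}   # pid -> (time, archive) of first staged zip
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "file_create" and STAGING_ZIP_RE.match(ev.target):
            staged.setdefault(ev.pid, (ev.ts, ev.target))
        elif ev.kind == "net_connect" and ev.pid in staged:
            t0, archive = staged[ev.pid]
            if timedelta(0) <= ev.ts - t0 <= window:
                findings.append({"pid": ev.pid, "archive": archive, "dest": ev.target,
                                 "seconds_after_stage": (ev.ts - t0).total_seconds()})
                del staged[ev.pid]   # report each staged archive once
    return findings


# Constructed sample telemetry (not from the report). pid 4242 follows the described pattern;
# pid 1000 is benign: a zip written elsewhere plus an unrelated connection.
T = datetime(2020, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    Event(T, 4242, "file_create", r"C:\ProgramData\PSSLB.tmp\passwords.txt"),
    Event(T + timedelta(seconds=3), 4242, "file_create", r"C:\ProgramData\PSSLB.tmp\collected.zip"),
    Event(T + timedelta(seconds=10), 4242, "net_connect", "203.0.113.7:80"),
    Event(T + timedelta(seconds=1), 1000, "file_create", r"C:\Users\alice\Documents\report.zip"),
    Event(T + timedelta(seconds=2), 1000, "net_connect", "198.51.100.5:443"),
]

if __name__ == "__main__":
    for f in find_staged_exfil(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: staged {f['archive']} then connected to {f['dest']} "
              f"{f['seconds_after_stage']:.0f}s later")
```

On the constructed sample this flags only pid 4242; the benign zip written outside the staging directory is ignored.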
TAU-TIN (Threat Analysis Unit - Threat Intelligence Notification) is a report by Carbon Black's TAU (Threat Analysis Unit) to help customers detect and prevent emerging threats.