WhiteSnake - Stealer for APT attacks

WhiteSnake

Newbie
Joined
5 Sep 2023
Messages
13
Reaction score
0
Points
1
Telegram

Windows stub features



  • File loader.
  • Leaves no trace.
  • Strong log encryption.
  • No server/ports needed. (All infrastructure works over the Tor network)
  • Fast execution in memory.
  • You are able to install a beacon on the victim PC for remote access.
  • Functionality can be extended by editing grabber commands tab in builder.
  • USB spread
  • Local users spread (Install stealer to other users on victim's pc; requires user login)
  • Browsers history view


Apps collection:
Firefox, Chrome, Chromium, Edge, Brave, Vivaldi, CocCoc, CentBrowser, Thunderbird, OBS-Studio, FileZilla, Snowflake-SSH, Steam, Signal, Telegram, Discord, Pidgin, Authy, WinAuth, Outlook, Foxmail, The Bat!, CoreFTP, WinSCP, AzireVPN, WindscribeVPN.

Atomic, Wasabi, Exodus, Binance, Jaxx, Zcash, Electrum-LTC, Guarda, Coinomi, BitcoinCore, Electrum, Metamask, Ronin, BinanceChain, TronLink, Phantom.

Payload available extensions list:

EXE, SCR, COM, CMD, BAT, VBS, PIF, WSF, hta, MSI, PY, DOC, DOCM, XLS, XLL, XLSM.


Linux stub features



Apps collection:
Firefox, Exodus, Electrum, FileZilla, Thunderbird, Pidgin, Telegram.

  • File size: ~5kb
  • Coding language: Python
  • PY and SH output extensions available.
  • Signal recovery(tested on ubuntu and manjaro)

Panel features

Builder



  • In builder you can generate payload.
You need to set telegram bot token and chat id.
Use @BotFather to create new bot and @chatIDrobot to receive your chatid.
Don't forget to write /start command to initialize it.


  • You can select execution method (Non-resident or Resident)
Non-Resident stub will steal data and self-destruct.
Resident stub will steal data and you will be able to control victim PC later.



Builder can generate python library and automatically upload to PyPi.
Malicious library can be injected into any legit project or python file, it works on windows and linux.


  • You can set fake digital signature.
  • File size pumper.
You can expose local IP:PORT on victim's device. (To access the local network):

  • proxy-setup command (Allows you to setup SOCKS5 proxy from victim pc)
  • netdiscover command (Allows you to perform LAN scan for devices and open ports)

Clipper: (spoofs BTC, ETH, XMR, BCH, ZEC, DOGE, LTC, TRX, DASH, NEO, XLM, BNB, SOL, ALG wallets)


Report page


Browser History render is disabled by default. (To speed up report load)

You can enable history render by toggling key in config (%LocalAppdata%\WhiteSnake\templates\lib\js\config.json)



Basic information tab

Contains system info and desktop screenshot.

Automatic actions tab

Contains scripts which panel can do to save your time.

Here is full list:

Find proxies - Will try to find free SOCKS5 proxies from victim country.
Ronin/Metamask - You can bruteforce these wallets and extract mnemonic phrase.

Steam - You can view victim's steam profile.

Telegram - Will open victim's telegram session. If it has local passcode - will ask for passwords list to bruteforce.



<Browser> / <Profile> - Will open browser with victim's cookies and spoofed User-Agents; you can also use a SOCKS5 proxy.
Updated automatic action with browser cloning. Now it works faster and better with all data import from Chrome and FF based browsers (Also compatible with old reports)
FTP <Host> - Will connect to ftp server.

Discord - Will open browser and import discord token to access account.

Roblox account info automatic action.

Automatic action to view VK, Facebook, Twitch profiles.

Exodus Wallet bruteforce automatic action.

View victim's instagram automatic action.

View victim's github automatic action.

View victim's page on all Xenforo engine based forums (lolz.guru, etc.)

View running processes and installed applications.

Automatic action to view wallet info from Ledger Live.

Automatic action to extract fullname from Diia.



process-list terminal command was added.

ls terminal command was added. (Better than using windows dir command, lol)

stream desktop/webcam (Compatible with old builds)

Signal chats decrypt/export automatic action.



Passwords tab


This tab contains passwords from all browsers and several apps like filezilla hosts, pidgin, etc.
You can export unique passwords to generate bruteforce list.
Also you can search entries by domain name.

Credit Cards and AutoFill tabs (Description not needed.)


Cookies tab


Contains cookies from all detected browsers, you can export them into Netscape or Json format.


Grabber tab


Contains stolen files. For example wallets, apps sessions, etc.


Remote Terminal tab


Appears only if you have enabled "Resident" mode in builder.
If victim's PC is online - green dot will blink near "Remote terminal" caption.
You can execute system commands, download and run files, refresh report (run stealer again), take desktop screenshots and webcam screenshots, and download files from PC.

DPAPI decrypt remote terminal command
  • 'transfer' (To upload file and get direct url; Will be faster than uploading using Tor)
  • 'compress' command to create ZIP archive from directory.
  • 'decompress' command to extract ZIP.

Also, you can specify if need to download and run file or just download.



Log export/import


In the telegram bot you will receive WSR files. These are encrypted logs, only your panel can open them.
You can export WSR as ZIP archive or JSON file.
Exported JSON log will load faster, also it can be shared with other WhiteSnake customers.
JSON report can be imported by "White Snake Report" desktop icon.
You can do bulk WSR to ZIP conversion using "White Snake ZIP" desktop icon.
Progress bar for log download using "Open" button from tg bot.



LNK exploit builder

  • Added PDF extension into LNK exploit builder. (Requires Adobe Reader installed to display icon.)
  • Yandex Browser recognition

IPLogger


Geolocation tab


Based on Wi-Fi points; Requires WLAN module on victim's pc to work; accuracy 30 meters

Geolocation map has light/dark layers depending on selected theme.


Some videos (Including old versions)






 


Prices

200$ - 1 month

345$ - 3 months

590$ - 6 months

1100$ - 1 year

1950$ - lifetime

Payments only in crypto (BTC, ETH, USDT, LTC)



Contacts :

✈️ Telegram: @WhiteSnake_Support

Jabber: [email protected]

Customer Reviews: https://t.me/+8DjyXCV1rjBkMDI6

Chat: https://t.me/+CWG1v59XG8w3ODYy


White Snake Referral Program

Promote our software and earn 25% from sales!

Each referred customer will receive a 5% discount

❕ Write to @WhiteSnake_Support and get a recommended promotion post and personal referral promocode
 

✅ White Snake update 1.6.1.2
 

✅ White Snake update 1.6.1.3
  • Integrated Leakcheck API (You can search emails/usernames/passwords/phones)
  • Added text file analyzer for seed phrases/emails/phones (Files tab in automatic actions).
  • Added Guarda (https://guarda.com/) wallet bruteforce automatic action.
  • Added Twitter/SocialClub account view automatic action.
  • Added check updates button (builder » tools menu)
  • Added export emails and usernames button.
  • Redesigned automatic actions by categories.
  • Redesigned some buttons.
  • Session (https://getsession.org/) databases recovery.
  • Added easter egg.
  • Updated C2 list.

 

✅ White Snake update 1.6.1.4
  • Added automatic action to extract latest crypto exchanges (BoxExchanger based websites)
  • Added new icons for system info tab.
  • Geolocation map now shows IP-based geolocation.
  • Changed stub encryption method.
  • You can disable stub obfuscation in builder (Some crypters may need it)
  • Cleaned WD detect. (Obfuscated stub only)
  • Updated C2 list.
 


Discounts for International Shopping Day 11.11
200$ 180$ - 1 month
345$ 300$ - 3 months
590$ 500$ - 6 months
1100$ 800$ - 1 year
1950$ 1200$ - lifetime
ℹ️ The offer is valid until 11.11
Hurry up to buy!

Contacts :
↘️ @WhiteSnake_Support (24/7) - operator, purchase & questions
 

✅ White Snake experimental update 1.6.1.6

  • Trezor/Ledger hardware wallets phishing (requires custom C2 installation; and also updating server side files and build)
Tested with Trezor model T and Ledger nano X.
  • Tronlink wallet bruteforce automatic action.
  • Steam Desktop Authenticator .maFile grabber (application must be open to collect files.)
  • Desktop screenshot captures all available screens now.
  • Local and USB Spread features were removed (again) due to high runtime detections.
  • Cleaned win10 defender detect.
  • Updated C2 list.