Trojan Wacatac is a broad detection name for many malicious programs that share similar code and functionality. Often, the Wacatac label is used for malware with dropper capabilities, which can be used to deliver ransomware.
In this article, I’ll look at both Trojan:Script/Wacatac.B!ml and Trojan:Win32/Wacatac.B!ml. At first glance they might seem similar, but they are two different types of infection: the Script/ platform token marks script-based malware (Python, PowerShell, JavaScript and the like), while Win32/ marks a native Windows executable. Let’s get started!
Trojan Wacatac Detection
Trojan:Script/Wacatac.B!ml and Trojan:Win32/Wacatac.B!ml are just two of the many names Microsoft uses for small malware families. These threats end up with the Wacatac label because they share code and functionality, and over time “Wacatac” has become a catch-all term for such malware. The !ml suffix means the verdict comes from a machine-learning classifier rather than a hand-written signature, so the name describes a behavioral cluster rather than one specific family.
In terms of behavior, Wacatac detections usually correspond to spyware or stealer malware. Some variants exfiltrate stolen data through Discord, Telegram, or Mastodon. To see how Wacatac operates, let’s analyze an example flagged under this name.
Trojan Wacatac Analysis
For a real-world example, I chose a Trojan called Trap Stealer. Microsoft detects it as Trojan:Script/Wacatac.B!ml (see the VirusTotal report). This Python-based malware is open-source, and its source code is available on GitHub. It offers extensive features, including a built-in disguise mode. Let’s take a closer look at how it works.
The GitHub repository that hosts the malware’s source code lists most of its functionality. It matches the abilities of a classic stealer: the malware gathers WhatsApp data, steals cookies, clipboard contents and browser AutoFill data, scrapes saved passwords, and can capture screenshots. On top of that, Trap Stealer’s authors advertise its ability to tamper with the host system.
Detection Evasion Methods
I’d pay additional attention to how this malware disguises itself. Besides letting the operator specify a Discord Webhook as the relay server, the builder can wrap the payload in a “shell” that tricks the user into launching the malware deliberately. Currently there are two options for this shell: a fake Discord Webhook creation tool and a pseudo Discord Nitro generator. Operators may pick one during the build, or none at all.
These tricks, however, only serve to avoid the user’s suspicion. Against anti-malware software, and especially malware analysis environments, the malware has several dedicated techniques.
Upon execution, the malware runs a series of checks to confirm that it is not running under a debugger, that the host is not located in one of its blacklisted countries, and that it is not inside a virtual machine. If any check returns an unacceptable result, execution stops.
Check | Purpose |
---|---|
check_dll | Scans the loaded DLLs for ones belonging to virtualization software |
check_IP | Geolocates the system’s IP address and compares the country to an embedded blacklist |
check_registry | Scans the Windows Registry for entries related to VMware products |
check_windows | Enumerates open windows and checks whether any title belongs to a reverse-engineering or debugging tool |
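The four checks in the table are simple enough to model, which is useful when building a sandbox that the sample should actually run in. The block below is an added example, not code from the Trap Stealer repository: it reimplements the logic of each check as a pure function over a sandbox profile, so an analyst can see which check would make the sample terminate. Every indicator list (DLL names, registry keys, window titles, the country blacklist) and both sample profiles are assumptions chosen for illustration; real samples embed their own lists.

```python
"""Model of Trap Stealer's four anti-analysis checks as summarised in the
table above, written so an analyst can test whether a sandbox profile would
pass them. Added example, not code from the Trap Stealer repository; every
indicator list and the sample profiles below are assumptions."""
import re

# Assumed indicators: typical artifacts of VMware Tools, VirtualBox Guest
# Additions and sandbox hooking libraries (Sandboxie, Avast, Comodo).
VM_DLLS = {
    "vmtoolshook.dll", "vmmouse.dll", "vmhgfs.dll",
    "vboxhook.dll", "vboxmrxnp.dll", "vboxogl.dll",
    "sbiedll.dll", "snxhk.dll", "cmdvrt32.dll",
}
# Placeholder country blacklist, not the one embedded in the real sample.
BLACKLISTED_COUNTRIES = {"RU", "BY", "KZ", "UA"}
VM_REGISTRY_KEYS = {
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest",
}
# Window-title fragments of debuggers, disassemblers and monitors.
ANALYST_WINDOW_TITLES = ("x64dbg", "x32dbg", "IDA", "Ghidra", "OllyDbg",
                         "Wireshark", "Process Hacker", "Process Monitor", "dnSpy")
# Word boundaries stop "IDA" from matching inside words such as "Guidance".
TITLE_RE = re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, ANALYST_WINDOW_TITLES)),
                      re.IGNORECASE)


def _basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_dll(loaded_modules):
    """check_dll: loaded module names that belong to VM or sandbox tooling."""
    return sorted({_basename(m) for m in loaded_modules} & VM_DLLS)


def check_ip(country_code):
    """check_IP: True when the geolocated country is on the blacklist."""
    return country_code.strip().upper() in BLACKLISTED_COUNTRIES


def check_registry(present_keys):
    """check_registry: VM-related registry keys that exist on the host."""
    wanted = {k.lower() for k in VM_REGISTRY_KEYS}
    return sorted(k for k in present_keys if k.lower() in wanted)


def check_windows(window_titles):
    """check_windows: open window titles that name an analysis tool."""
    return sorted(t for t in window_titles if TITLE_RE.search(t))


def evaluate_sandbox(profile):
    """Return the names of the checks that would make the sample terminate.
    An empty list means the sample would proceed to its payload."""
    tripped = []
    if check_dll(profile["modules"]):
        tripped.append("check_dll")
    if check_ip(profile["country"]):
        tripped.append("check_IP")
    if check_registry(profile["registry_keys"]):
        tripped.append("check_registry")
    if check_windows(profile["windows"]):
        tripped.append("check_windows")
    return tripped


# Constructed sandbox profiles for illustration.
NAIVE_VM = {
    "modules": [r"C:\Windows\System32\kernel32.dll", r"C:\Windows\System32\vboxhook.dll"],
    "country": "US",
    "registry_keys": [r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest"],
    "windows": ["Untitled - Notepad", "x64dbg - sample.exe"],
}
HARDENED_VM = {
    "modules": [r"C:\Windows\System32\kernel32.dll", r"C:\Windows\System32\user32.dll"],
    "country": "US",
    "registry_keys": [r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"],
    "windows": ["Untitled - Notepad", "Guidance - Word"],
}

if __name__ == "__main__":
    for name, profile in (("naive VM", NAIVE_VM), ("hardened VM", HARDENED_VM)):
        print(f"{name}: tripped {evaluate_sandbox(profile) or 'nothing'}")
```

The practical takeaway is that all four checks can be passed by a sandbox that hides guest-tooling DLLs and registry keys, egresses through a non-blacklisted country, and keeps analysis tools out of the window list (or renames their windows) while the sample runs.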
Establishing Persistence
After completing its initial checks, the malware establishes persistence. It creates a randomly named copy of itself in a randomly named folder under the user’s AppData or LocalAppData directory, then adds a value under the registry Run key so that the copy starts automatically each time the user logs on.
Additional steps may follow if the operator enabled them when building the sample. For instance, the malware can hook into Discord’s startup, or use the user’s Startup folder instead of the registry key for persistence.
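The persistence pattern just described (a Run-key value pointing at a random-looking file in a random-looking folder directly under AppData) is easy to hunt for. The following block is an added example, not code from the page or from Trap Stealer: it assesses Run-key entries with a name heuristic and a small vendor allowlist, and can read the real HKCU/HKLM Run keys when run on Windows. The sample entries, the allowlist and the "looks random" thresholds are constructed assumptions.

```python
"""Hunt for the persistence pattern described above: a Run-key value that
launches a randomly named file from a randomly named folder under %APPDATA%
or %LOCALAPPDATA%. Added example, not the page's or Trap Stealer's code; the
sample entries, vendor allowlist and name heuristics are assumptions."""
import re

# Top-level AppData folders that legitimately host auto-started software
# (assumed allowlist; extend for your environment).
KNOWN_VENDOR_DIRS = {"microsoft", "google", "mozilla", "discord", "programs",
                     "adobe", "spotify", "zoom", "slack", "dropbox"}
APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(roaming|local)\\(.+)$",
                        re.IGNORECASE)
# Splits a command line into quoted or bare tokens (shlex would eat backslashes).
TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')


def looks_random(name):
    """Heuristic for builder-generated names such as 'Xr7QkPz2': alphanumeric,
    at least six characters, contains a digit and switches character class
    (lower/upper/digit) at least three times. 'OneDrive' or 'Update' do not."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 6 or not stem.isalnum() or not any(c.isdigit() for c in stem):
        return False
    classes = ["d" if c.isdigit() else "u" if c.isupper() else "l" for c in stem]
    switches = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return switches >= 3


def appdata_targets(command):
    """Yield (Roaming|Local, path components) for every token inside AppData."""
    for quoted, bare in TOKEN_RE.findall(command):
        m = APPDATA_RE.match(quoted or bare)
        if m:
            yield m.group(1), m.group(2).split("\\")


def assess_entry(name, command):
    """Reasons a Run-key entry looks like stealer persistence (empty if none)."""
    reasons = []
    for hive_dir, parts in appdata_targets(command):
        folders, filename = parts[:-1], parts[-1]
        if folders and folders[0].lower() in KNOWN_VENDOR_DIRS:
            continue  # lives under a known vendor folder
        if hive_dir.lower() == "local" and folders and folders[0].lower() == "temp":
            reasons.append("launches from %TEMP%")
        reasons.extend(f"random-looking folder '{f}'" for f in folders if looks_random(f))
        if looks_random(filename):
            reasons.append(f"random-looking file '{filename}'")
    if looks_random(name):
        reasons.append(f"random-looking value name '{name}'")
    return reasons


def hunt_run_entries(entries):
    """entries: iterable of (key, value_name, command). Returns the suspicious ones."""
    findings = []
    for key, name, command in entries:
        reasons = assess_entry(name, command)
        if reasons:
            findings.append({"key": key, "name": name, "command": command, "reasons": reasons})
    return findings


def live_run_entries():
    """Read the real HKCU/HKLM Run keys on Windows; returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for hive, hive_name in ((winreg.HKEY_CURRENT_USER, "HKCU"),
                            (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as k:
                for i in range(winreg.QueryInfoKey(k)[1]):
                    name, value, _ = winreg.EnumValue(k, i)
                    entries.append((hive_name + r"\...\Run", name, str(value)))
        except OSError:
            pass
    return entries


# Constructed Run-key entries: two benign, one stealer-style, one Temp launcher.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_RUN_ENTRIES = [
    (RUN, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN, "Discord", r'C:\Users\alice\AppData\Local\Discord\Update.exe --processStart Discord.exe'),
    (RUN, "Xr7QkPz2", r'"C:\Users\alice\AppData\Roaming\Fq2LmZ8t\Xr7QkPz2.exe"'),
    (RUN, "WindowsUpdate", r'C:\Windows\System32\cmd.exe /c start "" "C:\Users\alice\AppData\Local\Temp\k9Tq3VbN\run.pyw"'),
]

if __name__ == "__main__":
    for f in hunt_run_entries(SAMPLE_RUN_ENTRIES + live_run_entries()):
        print(f"{f['name']}: {f['command']}\n  -> " + "; ".join(f["reasons"]))
```

Review every hit rather than acting on it blindly: the name heuristic trades some misses (an all-letter random name passes) for a low false-positive rate, and the Temp rule will also catch sloppy but legitimate installers.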
Trojan:Script/Wacatac.B!ml Data Gathering
After establishing persistence, Trojan:Script/Wacatac.B!ml proceeds to its main activity. It starts by collecting a long list of details about the system (see the table below). Interestingly, the malware sends this system-info log to the command server almost immediately, rather than following the more common pattern, seen for instance in Lumma Stealer, of gathering everything it can reach first and only then sending it to the C2.
System Info | Malware Instance Info | Software & Hardware Info |
---|---|---|
Username | Node Name | OS Name |
IP Address | Release | System Activation Key |
Country | Version | PC Name |
Postal code | Machine | CPU Model |
Region | Home Directory | GPU Model |
City | Installed Antivirus | |
Longitude/Latitude | | |
This system data is then combined with stolen passwords and cookies. To steal passwords, Wacatac mainly targets web browser profile files that store saved logins. It also collects every cookie it can find. All of this data is staged in the AppData\Local\Temp directory, in files whose names start with “wp.”
This Wacatac variant also targets browsing history. Because most browsers store browsing data in similar ways, the malware can harvest it from multiple browsers, including:
- Safari
- Firefox
- Chrome
- Opera
- Edge
- Opera GX
- Internet Explorer
Stealing Discord Tokens
The Trojan:Script/Wacatac.B!ml sample we’re analyzing pays special attention to Discord. This focus isn’t unusual for stealers, and the method used to grab session tokens is roughly the same across malware families. Let’s see how it works.
To obtain Discord tokens from web browsers, Wacatac looks for LevelDB files (.ldb) under each browser profile’s Local Storage folder. Chromium-based browsers keep a site’s Local Storage, including the Discord web client’s authentication token, in this key-value store. Because many popular browsers are built on Chromium, the malware targets as many of them as possible.
To be clear, non-Chromium browsers aren’t immune to these attacks. With the right database queries, the malware can pull out the information it needs, or simply dump everything at once. The fact that some browsers store data differently only means a few extra lines of code in the malware.
Besides the browser files, the malware tries to extract the same Discord session tokens from the Discord desktop client’s own folders. Because several client flavors exist (the stable, PTB and Canary builds each keep their own folder), the malware checks each one under AppData\Roaming.
Stealing Crypto Wallet & Gaming App Data
Trojan:Script/Wacatac.B!ml also targets crypto wallets, whether installed as browser extensions, desktop apps, or integrated into gaming platforms. In particular, it looks for MetaMask, Atomic, Exodus, and NationsGlory wallets. Reconfiguring it to steal from additional wallets is easy, so the list could grow. All collected data is compressed into a .zip archive and sent to the command server.
For gaming apps, the malware specifically looks at Steam and the Riot Client. It scans AppData\Local for their folders and zips a copy of them.
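What ties the data-gathering sections together from a detection standpoint is that one process, which is neither a browser nor a wallet or game client, reads the Discord/browser LevelDB stores, wallet folders and Steam/Riot folders, and drops wp.* staging files in %TEMP%. The block below is an added example, not code from the page or from Trap Stealer: it runs that correlation over file-access events in a normalized (pid, image, op, path) form, as an EDR or Windows file-audit feed would supply them (Sysmon alone only records file creation, so the read events assume EDR telemetry). The events, paths and the reader allowlist are constructed assumptions; the MetaMask folder is its Chrome extension ID.

```python
"""Detection logic for the file-access pattern described in the preceding
sections: one process touching browser/Discord LevelDB stores, wallet
folders, Steam/Riot folders and %TEMP%\wp.* staging files. Added example,
not code from the page or from Trap Stealer; events, paths and the reader
allowlist are constructed assumptions."""
import re
from collections import defaultdict

# Path patterns per data category (assumed; tune to paths observed on your build).
CATEGORY_PATTERNS = {
    "token_store": re.compile(r"\\Local Storage\\leveldb\\[^\\]+\.(?:ldb|log)$", re.I),
    # Exodus/Atomic desktop wallets; nkbih... is the MetaMask Chrome extension ID.
    "wallet": re.compile(r"\\AppData\\Roaming\\(?:Exodus|atomic)\\|\\nkbihfbeogaeaoehlefnkodbefgpgknn\\", re.I),
    "gaming": re.compile(r"\\AppData\\Local\\(?:Steam|Riot Games|Riot Client)\\", re.I),
    "temp_staging": re.compile(r"\\AppData\\Local\\Temp\\wp\.[^\\]+$", re.I),
}
# Processes expected to touch these stores (assumed allowlist). This is coarse:
# a real rule would pair each store with its own owner process.
LEGIT_READERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe",
                 "discord.exe", "discordptb.exe", "discordcanary.exe",
                 "exodus.exe", "atomic wallet.exe", "steam.exe", "riotclientservices.exe"}


def classify(path):
    """Category of a file path, or None if it is not one of the targeted stores."""
    for category, pattern in CATEGORY_PATTERNS.items():
        if pattern.search(path):
            return category
    return None


def detect_stealer_activity(events, min_categories=2):
    """Group sensitive-store accesses by process and flag processes outside the
    allowlist. A process spanning `min_categories` or more categories is rated
    'high'; a single category (say, only %TEMP%\wp.* writes) stays 'medium'."""
    per_pid = defaultdict(lambda: {"image": None, "categories": set(), "hits": []})
    for ev in events:
        category = classify(ev["path"])
        if category is None:
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in LEGIT_READERS:
            continue
        entry = per_pid[ev["pid"]]
        entry["image"] = image
        entry["categories"].add(category)
        entry["hits"].append((ev["op"], ev["path"]))
    for entry in per_pid.values():
        entry["severity"] = "high" if len(entry["categories"]) >= min_categories else "medium"
    return dict(per_pid)


# Constructed events: Chrome reading its own store, the stealer copy from the
# persistence section sweeping every category, and unrelated system noise.
APPDATA = r"C:\Users\alice\AppData"
STEALER = APPDATA + r"\Roaming\Fq2LmZ8t\Xr7QkPz2.exe"
CHROME_LDB = APPDATA + r"\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000005.ldb"
SAMPLE_EVENTS = [
    {"pid": 1200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "op": "read", "path": CHROME_LDB},
    {"pid": 4412, "image": STEALER, "op": "read", "path": CHROME_LDB},
    {"pid": 4412, "image": STEALER, "op": "read",
     "path": APPDATA + r"\Roaming\discord\Local Storage\leveldb\000003.log"},
    {"pid": 4412, "image": STEALER, "op": "read",
     "path": APPDATA + r"\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"pid": 4412, "image": STEALER, "op": "read",
     "path": APPDATA + r"\Local\Riot Games\Riot Client\Data\RiotGamesPrivateSettings.yaml"},
    {"pid": 4412, "image": STEALER, "op": "create", "path": APPDATA + r"\Local\Temp\wp.cookies.txt"},
    {"pid": 4412, "image": STEALER, "op": "create", "path": APPDATA + r"\Local\Temp\report.zip"},
    {"pid": 2200, "image": r"C:\Windows\System32\svchost.exe", "op": "read",
     "path": r"C:\Windows\System32\drivers\etc\hosts"},
]

if __name__ == "__main__":
    for pid, alert in detect_stealer_activity(SAMPLE_EVENTS).items():
        print(f"pid {pid} {alert['image']} [{alert['severity']}] "
              f"categories={sorted(alert['categories'])} hits={len(alert['hits'])}")
```

The value of correlating categories rather than alerting on each path is noise reduction: backup agents and sync clients legitimately read one or two of these locations, but a single process sweeping token stores, wallets, game clients and a %TEMP% staging area in one short window is the stealer signature the page describes.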
Exfiltration and C&C Connections
Once Trojan:Script/Wacatac.B!ml has sent off the extracted data, it stays idle and waits for new items to steal; each time the system restarts, it scans again for anything new. The operator can also instruct the malware to self-destruct, or even force a system crash once collection is complete, to hide traces of its activity.
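On the network side, the relay channels named earlier on this page (Discord webhooks, and Telegram or Mastodon for other variants) leave a recognisable shape in proxy logs: a non-browser process POSTing, often a large body, to a webhook or bot-API URL. The block below is an added example, not code from the page or from Trap Stealer: it parses a constructed proxy-log format, classifies the relay endpoint, and extracts the webhook or bot identifier a responder would report for takedown. The log lines, the webhook and bot IDs in them, the browser allowlist and the size threshold are all constructed assumptions.

```python
"""Spot Discord-webhook, Telegram-bot and Mastodon-API exfiltration in proxy
logs, the relay channels named on this page. Added example, not code from
the page or from Trap Stealer; the log format, lines, browser allowlist and
size threshold are constructed assumptions."""
import re
from collections import defaultdict

WEBHOOK_RE = re.compile(r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)", re.I)
TELEGRAM_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):([\w-]+)/(\w+)", re.I)
MASTODON_RE = re.compile(r"https?://[^/]+/api/v[12]/(?:statuses|media)\b", re.I)
# Processes for which a POST to these APIs is ordinary user activity (assumed).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "discord.exe"}
LARGE_UPLOAD = 100_000  # bytes; a zipped profile dump dwarfs a chat message


def parse_line(line):
    """Constructed format: ts host process method url status bytes_sent."""
    ts, host, process, method, url, status, sent = line.split()
    return {"ts": ts, "host": host, "process": process.lower(), "method": method.upper(),
            "url": url, "status": int(status), "bytes_sent": int(sent)}


def classify_channel(url):
    """Return (channel, identifier) for a known relay endpoint, else None.
    The identifier (webhook id, bot id, instance host) is what a responder
    reports to the platform; the secret token part is deliberately not returned."""
    m = WEBHOOK_RE.search(url)
    if m:
        return "discord_webhook", m.group(1)
    m = TELEGRAM_RE.search(url)
    if m:
        return "telegram_bot", m.group(1)
    if MASTODON_RE.search(url):
        return "mastodon_api", url.split("/")[2]
    return None


def detect_exfil(lines):
    """Alert on POSTs to relay endpoints that come from a non-browser process,
    carry a large body, or repeat from the same host within the batch."""
    alerts = []
    posts_per_host = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec["method"] != "POST":
            continue
        channel = classify_channel(rec["url"])
        if channel is None:
            continue
        posts_per_host[rec["host"]] += 1
        reasons = []
        if rec["process"] not in BROWSERS:
            reasons.append(f"non-browser process {rec['process']}")
        if rec["bytes_sent"] >= LARGE_UPLOAD:
            reasons.append(f"large upload ({rec['bytes_sent']} bytes)")
        if posts_per_host[rec["host"]] > 1:
            reasons.append("repeated posts from same host")
        if reasons:
            alerts.append({"ts": rec["ts"], "host": rec["host"], "process": rec["process"],
                           "channel": channel[0], "identifier": channel[1], "reasons": reasons})
    return alerts


# Constructed proxy log: the stealer's system-info post and its large archive,
# ordinary Discord chat from a browser, a Telegram-bot upload, and a real
# Mastodon user posting from Firefox (no alert expected for the last one).
SAMPLE_LOG = """
2024-05-02T10:01:03Z alice-pc Xr7QkPz2.exe POST https://discord.com/api/webhooks/1122334455667788990/aB3dE_fGh-iJkLmNoP 204 2315
2024-05-02T10:01:41Z alice-pc Xr7QkPz2.exe POST https://discord.com/api/webhooks/1122334455667788990/aB3dE_fGh-iJkLmNoP 200 18344211
2024-05-02T10:02:10Z bob-pc chrome.exe POST https://discord.com/api/v9/channels/99887766/messages 200 512
2024-05-02T10:03:55Z carol-pc python.exe POST https://api.telegram.org/bot7000000001:AAEexampleTokenXyz/sendDocument 200 4400321
2024-05-02T10:04:02Z dave-pc firefox.exe GET https://mastodon.example/api/v1/statuses 200 0
2024-05-02T10:04:30Z dave-pc firefox.exe POST https://mastodon.example/api/v1/statuses 200 1200
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect_exfil(SAMPLE_LOG):
        print(f"{a['ts']} {a['host']} {a['process']} -> {a['channel']} {a['identifier']}: "
              + "; ".join(a["reasons"]))
```

Blocking discord.com outright is rarely an option, so the useful controls are the ones the rule encodes: which process speaks to the webhook API, how much it sends, and how often. The webhook ID, not its token, is what to hand to the platform when requesting removal.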
Protecting Against Trojan:Script/Wacatac.B!ml
Stealer malware like Trojan:Script/Wacatac.B!ml is usually easy for robust antivirus software to detect. Antivirus tools with heuristic and AI-based detection can promptly identify and remove this threat. GridinSoft Anti-Malware is a solid choice: it can eliminate the malware and keep your system protected over the long term.
Download and install GridinSoft Anti-Malware, then run a Full scan: this checks all volumes present in the system, including hidden folders and system files. Scanning takes around 15 minutes.
After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the program takes on each element: click "Advanced mode" and use the drop-down menus. Extended information about each detection is also shown: malware type, effects, and the likely source of infection.
Click "Clean Now" to start the removal process. Important: removal may take several minutes when there are many detections. Do not interrupt this process, and your system will come out clean.