Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Data Stealer. Show all posts

SaphhireStealer: New Malware in Town, Possess More Capabilities


A new malware called ‘SapphireStealer’ has been observed by Cisco Talos researchers. The malware came to light in December 2022 in Cisco’s public release, where they witnessed it frequently in public malware repositories, stealing browser credential databases and files containing sensitive user information. 

Researchers observed a rise in sales (and offers for rent) of the new stealer on different underground forums and illicit marketplaces. 

Cisco Talos threat researcher Edmund Brumaghin is certain with his observation that SapphireStealer possesses numerous entities that are modifying its code base, in order to accommodate additional data exfiltration processes, leading to the formation of many variations.

According to Brumaghin, the freshly compiled versions of the malware began "being uploaded to public malware repositories beginning in mid-January 2023, with consistent upload activity being observed through the first half of 2023."

Researchers say that several malware versions are already in use by multiple threat actors, amplifying their efficiency and effectiveness in their operations over time. 

Capabilities of SapphireStealer

Apparently, the malware is designed to steal sensitive information from targeted systems. This information may include host information, screenshots, cached browser credentials and files stored on the system that match a predefined list of file extensions. Also, it is capable of determining the presence of credential databases for browser applications including Chrome, Yandex, Edge and Opera.

On execution, the malware creates a working directory and launches a file grabber that searches the victim's Desktop folder for files with the following file extensions: .txt, .pdf, .doc,.docx, .xml, .img, .jpg, and.png.

Subsequently, the malware compiles all of the logs into a compressed package called log.zip, which it then sends to the attacker over Simple Mail Transfer Protocol "using credentials defined in the portion of code responsible for crafting and sending the message." 

After the logs are successfully exfiltrated, the malware deletes the working directory it had previously created and stops running.

Moreover, the malware operators are said to have released a malware downloader – FUD-Loader – which uses HTTP/HTTPS communications to retrieve more executables from infrastructure under the control of the attacker. It then saves the retrieved content to disk and executes it to continue the infection process.

"In most of the cases where this loader was used, it retrieved the SapphireStealer binary payloads being hosted on the infrastructure described in the next section, allowing us to attribute those samples to the same threat actor," the researchers said.

"One of the byproducts of readily available and open-source malware codebases is that the barrier to entry into financially motivated cybercrime has continued to decrease over time," the researchers added.

The researchers further explained how stealers make it possible for attackers with less operational skill to launch an attack, which may be quite harmful to corporate environments because the data obtained is frequently used for more attacks that are followed.  

Ukraine’s “IT Army” Struck with Info-stealing Malware

 

Pro-Ukrainian actors should be cautious of downloading DDoS tools to attack Russia, according to security experts, because they could be booby-trapped with data-stealing malware. 

Mykhailo Fedorov, Ukraine's vice prime minister, called for a volunteer "IT army" of hackers to DDoS Russian targets in late February. Cisco Talos, on the other hand, claims that opportunistic cyber-criminals are attempting to take advantage of the subsequent outpouring of support for the Eastern European country. It specifically detected Telegram posts offering DDoS tools that were actually malware-loaded. An organisation calling itself "disBalancer" offers one such tool, named "Liberator,". Although authentic, has been spoofed by others, according to Cisco. 

It explained, “The file offered on the Telegram page ended up being malware, specifically an infostealer designed to compromise unwitting users. The malware, in this case, dumps a variety of credentials and a large amount of cryptocurrency-related information, including wallets and metamask information, which is commonly associated with non-fungible tokens (NFTs).” 

Since none of the malicious spoofs is digitally signed, there is no way to distinguish them apart from the real DDoS tool, according to the vendor. Because the perpetrators of this harmful behaviour have been disseminating infostealers since November, Cisco concluded that it is not the work of fresh people, but rather those aiming to profit from the Ukraine conflict. 

However, Cisco warned that if Russia is subjected to a continuous DDoS attack, such techniques could proliferate. 

It concluded, “In this case, we found some cyber-criminals distributing an infostealer, but it could have just as easily been a more sophisticated state-sponsored actor or privateer group doing work on behalf of a nation-state. We remind users to be wary of installing software whose origins are unknown, especially software that is being dropped into random chat rooms on the internet.” 

The discovery comes as the Russian government revealed this week that hackers targeted an externally loaded widget used to collect visitor statistics and caused temporary disruptions on numerous agency websites. 

Pro-Ukrainian hacktivists have also been seen searching for and deleting Russian cloud databases, according to security researchers.