The cyber threat landscape has been recently shaken by the emergence of SapphireStealer, an open-source .NET-based information-stealing malware. This insidious malware is becoming a tool of choice for various malicious entities looking to bolster their capabilities and create customized versions to suit their nefarious purposes.
This type of malware specializes in pilfering sensitive information, including corporate credentials.
This stolen data often finds its way into the hands of other threat actors who leverage it for a range of malicious activities, including espionage and extortion-based ransomware attacks.
Over time, an entire ecosystem has evolved, facilitating both financially motivated cybercriminals and nation-state actors in harnessing the services offered by providers of stealer malware. These services enable a wide array of cyberattacks, such as data theft, ransomware distribution, and other malicious operations.
SapphireStealer, while similar to other information-stealing malware found on the dark web, is notable for its ability to gather host information, browser data, files, and screenshots. It then exfiltrates this data in the form of a ZIP file via the Simple Mail Transfer Protocol (SMTP).
What makes it even more challenging to detect is that its source code was made publicly available in late December 2022, granting miscreants the ability to experiment with the malware and enhance its evasiveness. This includes adding flexible data exfiltration methods via Discord webhooks or the Telegram API.
Multiple variants of SapphireStealer are already active in the wild, with threat actors continuously refining its efficiency and effectiveness.
The malware’s author has also released a .NET malware downloader known as FUD-Loader. This downloader enables the retrieval of additional binary payloads from attacker-controlled distribution servers.
This malware downloader being used in the wild to deliver remote administration tools like DCRat, njRAT, DarkComet, and Agent Tesla.
This revelation comes shortly after Zscaler disclosed details about another information-stealing malware named Agniane Stealer. Agniane Stealer is capable of harvesting credentials, system information, session details from browsers, as well as data from popular communication platforms like Telegram and Discord.
It can also compromise data from over 70 cryptocurrency extensions and 10 wallets. This malware is available for sale at $50 per month on various dark web forums and a Telegram channel.
A security researcher, pointed out that the threat actors behind Agniane Stealer employ packers to maintain and regularly update the malware’s functionality and evasion features.
In summary, SapphireStealer and similar information-stealing malware not only represent an evolution of the cybercrime-as-a-service model but also provide other threat actors with the means to monetize stolen data for a variety of malicious activities, including ransomware attacks and data theft.
These developments underscore the ongoing need for robust cybersecurity measures and continuous vigilance in the face of evolving cyber threats.