Experts Decry VPN That Could Steal All Your Money


Threat actors are running a new malicious campaign that delivers the Stealit malware through disguised applications, according to Fortinet.


The cybersecurity firm's threat research division, FortiGuard Labs, revealed this fresh information-stealing campaign after observing a rise in detections of a specific Visual Basic script, as elaborated in a recent report. 


Initial access for the campaign is obtained through counterfeit game and VPN installers packaged in PyInstaller and common compressed archives, which are uploaded to file-sharing platforms such as Mediafire and Discord. 


The threat actor utilizes extensive obfuscation and various anti-analysis strategies to avoid detection and hinder analysis efforts. 


Once installed, the Stealit infostealer enables the threat actor to retrieve information from different browsers, such as Google Chrome and Microsoft Edge. It can also extract data from multiple applications, including gaming-related software and marketplaces (Steam, Minecraft, GrowTopic, and Epic Games Launcher), instant messaging platforms (WhatsApp and Telegram), and cryptocurrency wallets (Atomic, Exodus, and those integrated as browser extensions). 


Innovative Stealit Delivery Methods

Utilizing Node.js Single Executable Applications


While previous iterations of Stealit malware utilized Electron to package scripts into installers, the new campaign initially employed the Node.js Single Executable Applications (SEA) feature to disseminate malicious scripts to systems lacking Node.js.


Node.js SEA is an experimental feature designed to package Node.js applications, their dependencies, and assets into a standalone executable, permitting execution on systems without Node.js installed. This method typically results in considerably larger file sizes.


The threat actor behind this campaign has capitalized on this capability by embedding harmful scripts within the executable’s NODE_SEA_BLOB resource, stored as RCDATA. 


This resource contains not only the script but also its original file path, which frequently discloses significant details. 


In the analyzed samples, the path includes allusions to ‘StealIt’ and ‘angablue,’ indicating the utilization of AngaBlue, an open-source tool that automates the creation of Node.js SEA executables, in conjunction with the Stealit infostealer.
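As an added triage example (not code from Fortinet's report or from the Stealit tooling), the Python helper below flags a PE image that names a NODE_SEA_BLOB resource and recovers path-like strings stored beside the embedded script, so an analyst can spot disclosing build paths such as the 'StealIt' and 'angablue' ones described above. The sample bytes are constructed, and the resource check is a substring scan rather than a full PE resource-directory parse.

```python
import re

# Resource name Node.js SEA uses for the injected blob (named in the report);
# PE resource directory names are stored as UTF-16LE strings.
SEA_RESOURCE = "NODE_SEA_BLOB"
SEA_RESOURCE_UTF16 = SEA_RESOURCE.encode("utf-16-le")

# Windows (C:\...) or POSIX (/...) paths ending in a Node.js script extension.
PATH_RE = re.compile(
    rb"(?:[A-Za-z]:\\|/)[\x20-\x7e]{3,200}?\.(?:m?js|cjs)(?![A-Za-z0-9])"
)

# Tokens the report observed in the embedded paths; compared in lowercase.
WATCH_TOKENS = ("stealit", "angablue")


def has_sea_blob(data: bytes) -> bool:
    """True if the image names a NODE_SEA_BLOB resource (UTF-16LE or ASCII)."""
    return SEA_RESOURCE_UTF16 in data or SEA_RESOURCE.encode() in data


def embedded_script_paths(data: bytes) -> list:
    """Recover path-like strings that an SEA blob stores next to the script."""
    return sorted({m.group(0).decode("ascii") for m in PATH_RE.finditer(data)})


def triage(data: bytes) -> dict:
    """Summarise one image: SEA present?, embedded paths, watch-token hits."""
    paths = embedded_script_paths(data) if has_sea_blob(data) else []
    hits = sorted({t for p in paths for t in WATCH_TOKENS if t in p.lower()})
    return {"sea": has_sea_blob(data), "paths": paths, "hits": hits}


# Constructed stand-in for a PE image: DOS stub, a resource entry naming
# NODE_SEA_BLOB, placeholder header bytes, then the build path and script.
SAMPLE_SEA = (
    b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
    + SEA_RESOURCE_UTF16 + b"\x00\x00"
    + b"\x00" * 8  # placeholder for blob header fields (constructed)
    + b"C:\\Users\\dev\\angablue\\StealIt\\build\\index.js\x00"
    + b"const os=require('os');" + b"\x00" * 16
)
# Constructed plain image: no SEA resource, so paths are not even searched.
SAMPLE_PLAIN = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"/opt/app/index.js\x00"

if __name__ == "__main__":
    for name, image in (("sea", SAMPLE_SEA), ("plain", SAMPLE_PLAIN)):
        print(name, triage(image))
```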


“The perpetrators may be exploiting the novelty of this feature, leveraging the element of surprise, and seeking to catch security applications and malware analysts unprepared,” the researchers from FortiGuard Labs proposed. 


However, the researchers noted that, weeks into the new campaign, the threat actor reverted to the Electron framework, this time encrypting bundled Node.js scripts using AES-256-GCM.


Relocation of Stealit C2 Panel 


In addition to the change in malware delivery method, the threat actor associated with this latest Stealit campaign has also transferred its command-and-control (C2) panel to new domains. 


Initially located at stealituptaded[.]lol, the panel was promptly shifted to iloveanimals[.]shop after the original domain became inaccessible.


The site operates as a commercial entity, marketing Stealit as a "professional data extraction solution" with subscription-based access, as noted by the researchers at FortiGuard Labs. 


The panel promotes capabilities akin to a remote access Trojan (RAT), including file theft, webcam control, live screen monitoring, and ransomware deployment, targeting both Windows and Android platforms. 


Instructional videos showcase its functionalities, while pricing structures offer lifetime subscriptions priced around $500 for Windows and $2000 for Android. 

The threat actor also manages a Telegram channel (StealitPublic) for updates and promotions, with @deceptacle serving as the main contact point for prospective clients.
