3rd Party Risk Management , Application Security , Governance & Risk Management
Hackers Adding More Capabilities to Open-Source Malware
SapphireStealer Enables Hackers to Steal Sensitive Corporate CredentialsMultiple hackers are minting newer capabilities from an open-source information stealer to spawn new variants.
See Also: Mobile Apps are the New Endpoint
The malware steals sensitive information such as corporate credentials, which are then resold to other threat actors for further attacks, including operations related to espionage or ransomware.
The malware dubbed SapphireStealer by Cisco Talos researchers has been observed across public malware repositories with increasing frequency since its initial public release in December 2022 and facilitates the theft of browser credential databases and files that may contain sensitive user information.
Researchers said that they observed an increase in the emergence of new stealers being offered for sale or rent on various underground forums and marketplaces.
Edmund Brumaghin, threat researcher at Cisco Talos, assessed with moderate confidence that multiple entities are modifying the code base of SapphireStealer to support additional data exfiltration mechanisms leading to the creation of several variants.
The newly compiled versions of the malware began "being uploaded to public malware repositories beginning in mid-January 2023, with consistent upload activity being observed through the first half of 2023," Brumaghin said.
Researchers observed that the malware samples are currently being used by multiple threat actors and various variants of this threat are already in the wild. Threat actors are improving its efficiency and effectiveness over time.
The malware is capable of stealing sensitive information from infected systems including host information, screenshots, cached browser credentials and files stored on the system that match a predefined list of file extensions. It also attempts to determine the presence of credential databases for browser applications including Chrome, Yandex, Edge and Opera.
Once executed, the malware creates a working directory, and a file grabber executes and attempts to locate any files stored within the victim's Desktop folder that match a list of file extensions including .txt
, .pdf
, .doc
, .docx
, .xm
l, .img
, .jpg
and .png
.
The malware then creates a compressed archive called log.zip
containing all of the logs, and the data is transmitted to the attacker via Simple Mail Transfer Protocol "using credentials defined in the portion of code responsible for crafting and sending the message."
When the logs are successfully exfiltrated, the malware deletes the working directory created earlier and terminates execution.
The operators behind SapphireStealer also released a malware downloader called FUD-Loader, which leverages HTTP/HTTPS communications to retrieve additional executables from attacker-controlled infrastructure, saving the retrieved content to disk and executing it to continue the infection process.
"In most of the cases where this loader was used, it retrieved the SapphireStealer binary payloads being hosted on the infrastructure described in the next section, allowing us to attribute those samples to the same threat actor," the researchers said.
The downloader is also being used to deliver various other threats such as DcRat, njRAT, DarkComet and AgentTesla.
"One of the byproducts of readily available and open-source malware codebases is that the barrier to entry into financially motivated cybercrime has continued to decrease over time," the researchers said.
Stealers enable attackers with less operational expertise to conduct an attack, which can be extremely damaging to corporate environments as the data stolen is often leveraged for additional attacks later, they said.