Source: heimdalsecurity.com – Author: Cristian Neagu
A new malware is gaining traction in the cyber world. Dubbed SapphireStealer, this open-source .NET-based information-stealing malware has been observed to be used by threat groups, with some of them even creating their own customized variations.
As reported by TheHackerNews, the malware can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage access for additional attacks, including operations related to cyberespionage or ransomware.
Over time, a whole ecosystem has emerged that enables nation-state actors and actors with financial motives to leverage services provided by distributors of stealth malware to conduct various types of attacks.
When seen in this context, such malware not only shows the development of the cybercrime-as-a-service (CaaS) model, but it also provides other threat actors with a way to profit from the stolen data in order to spread ransomware, commit data theft, and engage in other criminal cyber activities.
The Capabilities and Usage of SapphireStealer
Similar to other stealer malware that has been appearing more frequently on the dark web, SapphireStealer has the ability to collect host information, browser data, files, screenshots, and exfiltrate the information in a ZIP file using the Simple Mail Transfer Protocol (SMTP).
However, since its source code was made available for free in late December 2022, threat actors have been able to play with the malware and make it more difficult to spot. This includes the addition of adaptable data exfiltration techniques via the Telegram API or a webhook for Discord.
The creator of the malware has also made available a .NET malware downloader with the codename FUD-Loader, which enables the retrieval of additional binary payloads from distribution servers under the control of the attacker.
Cybersecurity researchers have observed the malware downloader being used in the wild to deliver remote administration tools like DCRat, njRAT, Agent Tesla, and Dark Comet. The malware is currently being offered for sale for $50 a month (no lifetime license) on several dark web forums and a Telegram channel.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube for more cybersecurity news and topics.
Original Post URL: https://heimdalsecurity.com/blog/sapphirestealer-malware/
Category & Tags: Cybersecurity News – Cybersecurity News
