A Gateway to Espionage and Ransomware Operations

04-09-2023
Share
A Gateway to Espionage and Ransomware Operations

An open-source .NET-based information stealer malware dubbed SapphireStealer is being used by multiple entities to enhance its capabilities and spawn their own bespoke variants.

An entire ecosystem has developed over time that allows both financially motivated and nation-state actors to use services from purveyors of stealer malware to carry out various kinds of attacks.

Viewed in that light, such malware not only represents an evolution of the cybercrime-as-a-service (CaaS) model, they also offer other threat actors to monetize the stolen data to distribute ransomware, conduct data theft, and other malicious cyber activities.

SapphireStealer is a lot like other stealer malware that have increasingly cropped up on the dark web, equipped with features to gather host information, browser data, files, screenshots, and exfiltrate the data in the form of a ZIP file via Simple Mail Transfer Protocol (SMTP).

The malware author has also made public a .NET malware downloader, codenamed FUD-Loader, which makes it possible to retrieve additional binary payloads from attacker-controlled distribution servers.

Talos said it detected the malware downloader being used in the wild to deliver remote administration tools like DCRat, njRAT, DarkComet, and Agent Tesla.

It’s offered for sale for $50 a month (no lifetime license) on several dark web forums and a Telegram channel.

“The threat actors responsible for Agniane Stealer utilize packers to maintain and regularly update the malware’s functionality and evasions features,” security researcher Mallikarjun Piddannavar said.

 

Source: https://thehackernews.com/