Stealit Malware Spreads Through VPN and Gaming Apps

Summary
– Fortinet discovered a new Stealit malware campaign distributed through fake game and VPN installers on file-sharing sites.
– The malware uses heavy obfuscation and anti-analysis techniques to avoid detection and complicate analysis.
– Stealit steals data from browsers, gaming platforms, messaging apps, and cryptocurrency wallets once installed.
– The campaign initially used Node.js Single Executable Apps for delivery but later switched to the Electron framework with encrypted scripts.
– The threat actor relocated their command-and-control panel to new domains after the original became inaccessible.
A new and sophisticated malware campaign is actively spreading the Stealit information stealer by hiding it inside fake VPN and gaming application installers. Cybersecurity researchers at Fortinet’s FortiGuard Labs identified the operation after noticing a significant increase in detections for a specific Visual Basic script. The attackers are uploading these malicious packages, which are bundled using PyInstaller and placed inside common compressed archives, to popular file-sharing platforms like Mediafire and Discord to lure their victims.
To avoid discovery and make analysis difficult, the threat actors use heavy obfuscation and multiple anti-analysis techniques. Once a user executes the fake installer, the Stealit malware activates, enabling the attacker to harvest sensitive data from a wide array of sources. It targets information from major web browsers such as Google Chrome and Microsoft Edge. The malware also focuses on stealing data from gaming platforms like Steam, Minecraft, and the Epic Games Launcher, along with popular messaging applications including WhatsApp and Telegram. Furthermore, it can compromise cryptocurrency wallets such as Atomic and Exodus, including those installed as browser extensions.
A notable aspect of this campaign involves its evolving delivery methods. Initially, the attackers utilized the Node.js Single Executable Apps (SEA) feature, an experimental tool for creating standalone executables. This method allowed them to bundle and distribute their malicious scripts on computers that do not have Node.js installed, resulting in noticeably larger file sizes. By embedding their harmful code within the executable’s NODESEABLOB resource, stored as RCDATA, they concealed their activities. The file paths within these resources often contained clear references to ‘StealIt’ and ‘angablue,’ pointing to the use of the open-source AngaBlue tool for automating the creation of these malicious Node.js SEA packages. Security analysts believe the attackers may have been exploiting the novelty of this feature to surprise and bypass security defenses.
However, researchers observed that after several weeks, the campaign shifted tactics. The threat actors abandoned the Node.js SEA approach and returned to using the Electron framework. In this later stage, they began encrypting the bundled Node.js scripts using AES-256-GCM encryption, adding another layer of protection for their payload.
In addition to changing their delivery techniques, the group behind this Stealit campaign has also relocated their operational infrastructure. They moved their command-and-control (C2) panel to new domains. The panel was initially hosted at stealituptaded[.]lol but was quickly transferred to iloveanimals[.]shop after the original domain became unreachable.
(Source: InfoSecurity Magazine)