AsukaStealer, A Revamped Version Of The ObserverStealer, Advertised As Malware-as-a-Service – Cyble

Key points

  • AsukaStealer is advertised as MaaS on a Russian-language cybercrime forum, with v0.9.7 available for USD 80 per month (first advertised Jan 24, 2024; later observed Feb 2, 2024).
  • The malware is written in C++ with a web-based control panel and is designed to exfiltrate data from browsers, Discord, FileZilla, Telegram, crypto wallets, and Steam-related maFiles, plus desktop screenshots.
  • Researchers consider AsukaStealer a revamped version of ObserverStealer, possibly operated by the same threat actors, sharing C2 infrastructure.
  • Key features include a configurable collection scope (which browsers, extensions, and wallets to target), proxy support, log delivery via Telegram, and a Loader for post-collection data transfer.
  • The AsukaStealer C2 panel is hosted at 5.42.66.25, with related domains simplyavailable.com and freemsk.org and open ports 80 and 3000.
  • IoCs include several files and hashes observed in VirusTotal submissions linked to the IP 5.42.66.25, and multiple sample filenames such as VL_SkinChanger.exe and Setup.exe.
  • The report notes phishing as a potential delivery method and highlights continued MaaS proliferation of information-stealing malware in underground forums.

MITRE Techniques

  • [T1555.003] Credentials from Web Browsers – The stealer collects browser data (Cookies, Passwords, AccountsSync, Extensions) from Chromium and Gecko; “Collects browser data (Cookies, Passwords, AccountsSync, Extensions) on Chromium (Edge, Google, OperaGX) and Gecko (Firefox, Waterfox) engines.”
  • [T1056] Input Capture – The malware captures tokens and sessions from apps such as Discord; “Collects Discord tokens.”
  • [T1018] Remote System Discovery – The malware performs remote system discovery as part of its operation; “Remote System Discovery.”
  • [T1083] File and Directory Discovery – The malware enumerates local files/directories during data collection; “File and Directory Discovery.”
  • [T1082] System Information Discovery – It gathers system information as part of the data collection process; “System Information Discovery.”
  • [T1005] Data from Local System – Exfiltrates data from the host system as part of its collection phase; “Data from Local System.”
  • [T1119] Automated Collection – The framework supports automated collection and transfer of logs; “Automated Collection.”

Indicators of Compromise

  • [URL] C2 panel and login endpoints – http://5.42.66.25/, http://www.simplyavailable.com
  • [IP] Malicious host used for C2 – 5.42.66.25
  • [Domain] Domains hosting AsukaStealer components – simplyavailable.com, freemsk.org
  • [FileName] sample files associated with the campaign – VL_SkinChanger.exe, Setup.exe, brave_exe, Launcher-AI.exe, 9ac629ed8e07b6c99b05edd46b86e1795e5f96908ab1fe85a06282b0a982cd1b.exe (and 2 more hashes)

Read more: https://cyble.com/blog/asukastealer-a-revamped-version-of-the-observerstealer-advertised-as-malware-as-a-service/