JAVA-based Sophisticated Stealer Using Discord Bot as EventListener

MITRE Techniques

• [T1059] Command and Scripting Interpreter – The LNK file targets a JAR via cmd.exe to execute the payload. Quote: ‘one of the JAR files has been targeted by the LNK file with cmd.exe’
• [T1113] Screen Capture – The malware captures a screenshot using GraphicsEnvironment.getLocalGraphicsEnvironment. Quote: ‘The first thing the threat looks for is the screenshot of the active window using the API – “GraphicsEnvironment.getLocalGraphicsEnvironment”’
• [T1555.003] Credentials from Web Browsers – Cookies and Autofill data are harvested; decrypted_value is obtained via Crypt32Util.cryptUnprotectData. Quote: ‘decrypting the encrypted_value using “Crypt32Util.cryptUnprotectData” API’ and ‘The details crawled from Autofill include “name, value, count”’
• [T1012] Query Registry – Telegram and Steam sessions are discovered via registry and file paths. Quote: ‘Telegram sessions are crawled if “%appdata%Telegram DesktopTelegram.exe” exists in the system. Steam sessions will be searched only if the registry path “HKCUSOFTWAREValveSteam” exists.’
• [T1082] System Information Discovery – OS name/arch, IP, time zone, monitor size, language, and location are collected. Quote: ‘OS Name & Arch … IP Address … System Time zone … Monitor’s screen size … System’s language and located country’
• [T1560] Archive Collected Data – Data is staged in NS- and zipped to NS-.zip. Quote: ‘the folder is zipped with the name of “%LOCALAPPDATA%NS-.zip”’
• [T1041] Exfiltration Over C2 Channel – The zip containing all data is sent to the Discord bot channel ID 1135690821988012052. Quote: ‘send the zip file containing all the collected data to the Discord bot channel – ID “1135690821988012052” …’
• [T1070.004] File Deletion – The exfiltration folder is deleted after zipping. Quote: ‘the folder is deleted from the location.’