Cyble – New Open-Source ‘Trap Stealer’ Pilfers Data In Just 6 Seconds

Trap Stealer is an open-source Python-based stealer that claims to pilfer a wide range of data from compromised systems in just 6 seconds, with exfiltration to threat actors via Discord webhooks. It leverages deceptive methods like fake gift-card generators and webhook spamming to lure victims and includes multiple modules for persistence, anti-debugging, and data theft. #TrapStealer #DiscordWebhook #GitHub #WhatsAppDesktop #DiscordTokens #CryptoWallets #BrowserData

Keypoints

  • The article analyzes a newly identified open-source stealer called “Trap Stealer,” a Python-based tool publicly shared on GitHub and discovered via VirusTotal.
  • The developer claims it can extract a broad set of data from a compromised system within 6 seconds.
  • Trap Stealer uses deceptive distribution methods (gift card generators, webhook spam, and fake webhook deletion) to entice downloads.
  • It can harvest browser data, Discord tokens, WhatsApp desktop files, crypto wallet data, clipboard contents, system information, and more, then send the data to threat actors via Discord webhooks.
  • It includes a crasher module to trigger a deliberate system crash after exfiltration and a persistence mechanism via Run keys in the Windows registry.
  • The tool features an Injection module for Discord account monitoring, a Discord data retrieval workflow, and optional self-deletion after theft.

MITRE Techniques

  • [T1204] User Execution – The victim has to run the built stealer, which is distributed under lures such as the fake gift-card generator. The article describes the operator side of that chain: “The process of building this stealer is triggered when the Python script file ‘builder.py’ is executed within the Trap Stealer setup folder.”
  • [T1547.001] Registry Run Keys / Startup Folder – It adds a Run entry in the Windows Registry so the stealer survives reboots: “the Run entry in the Windows Registry”
  • [T1497] Virtualization/Sandbox Evasion – The project includes anti-VM checks that terminate the stealer when it runs inside a virtual machine; the accompanying “anti-debug checks” against analysis tools fall under the separate technique T1622 Debugger Evasion.
  • [T1027] Obfuscated Files or Information – The builder obfuscates the compiled stealer binary to hinder static analysis: “builder obfuscates the compiled stealer file.”
  • [T1070.004] Indicator Removal: File Deletion – The stealer self-deletes once theft is complete (the retired ID T1107 covered the same behaviour): “Self-deletes itself after stealing activity completed.”
  • [T1003] OS Credential Dumping – Listed in the article’s MITRE mapping alongside the browser theft; the behaviour actually described (harvesting browser information and saved logins) is more precisely the sub-technique T1555.003 Credentials from Web Browsers.
  • [T1528] Steal Application Access Token – The stealer targets Discord tokens and application tokens: “Steal Application Access Token.”
  • [T1555] Credentials from Web Browsers – It steals credentials stored by web browsers: “Credentials from Web Browsers.”
  • [T1082] System Information Discovery – It gathers diverse system/global information: “gathers a diverse range of information, including details about the system information.”
  • [T1115] Clipboard Data – The stealer captures clipboard contents: “Clipboard Data.”
  • [T1005] Data from Local System – It collects data from the local system (files, etc.): “Data from the Local System.”
  • [T1567] Exfiltration Over Web Service – It exfiltrates data via Discord webhooks: “uses discord webhook to exfiltrate data.”
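Two of the techniques above are easy to hunt for in endpoint and proxy telemetry: the Run-key write (T1547.001) and the POST to a Discord webhook (T1567). The script below is an added example, not code from Cyble or from the Trap Stealer project. It assumes Sysmon-style registry events (Event ID 13 with Image, TargetObject and Details fields) and a made-up proxy log layout; the sample records are constructed for the demonstration, not taken from the article.

```python
"""Hunting logic for two Trap Stealer behaviours: Run-key persistence
(T1547.001) and exfiltration to a Discord webhook (T1567).

Telemetry below is constructed: Sysmon-style RegistryEvent records
(Event ID 13, value set) and lines in a made-up proxy log format."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Discord webhook URLs: discord.com or discordapp.com, optionally under the
# ptb. or canary. subdomains, then /api/webhooks/<numeric id>/<token>.
WEBHOOK_RE = re.compile(
    r"^https?://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+",
    re.IGNORECASE,
)

# Logon-persistence Run and RunOnce keys under HKCU or HKLM (32-bit view included).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


@dataclass
class Finding:
    technique: str
    detail: str


def is_discord_webhook(url: str) -> bool:
    return WEBHOOK_RE.match(url.strip()) is not None


def is_run_key_write(target_object: str) -> bool:
    return RUN_KEY_RE.search(target_object) is not None


def triage_registry_event(event: Dict[str, object]) -> Optional[Finding]:
    """Flag a Sysmon Event ID 13 (registry value set) that lands in a Run key."""
    if event.get("EventID") != 13:
        return None
    target = str(event.get("TargetObject", ""))
    if not is_run_key_write(target):
        return None
    return Finding("T1547.001", f"{event.get('Image')} wrote {target} = {event.get('Details')}")


def triage_proxy_line(line: str) -> Optional[Finding]:
    """Flag an outbound POST to a Discord webhook. Constructed proxy format:
    '<timestamp> <src_ip> <method> <url> <status> <bytes_out>'."""
    parts = line.split()
    if len(parts) < 6:
        return None
    ts, src, method, url, _status, bytes_out = parts[:6]
    if method.upper() == "POST" and is_discord_webhook(url):
        return Finding("T1567", f"{src} sent {bytes_out} bytes to a Discord webhook at {ts}")
    return None


def hunt(registry_events, proxy_lines) -> List[Finding]:
    """Run both triage rules and return every finding, registry hits first."""
    findings = [f for f in map(triage_registry_event, registry_events) if f]
    findings += [f for f in map(triage_proxy_line, proxy_lines) if f]
    return findings


# Constructed sample telemetry (not from the article).
SAMPLE_REGISTRY_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\GiftCardGen.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\victim\\AppData\\Roaming\\Updater.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]
SAMPLE_PROXY_LINES = [
    "2024-01-10T12:00:01Z 10.0.0.5 GET https://discord.com/api/v9/users/@me 200 0",
    "2024-01-10T12:00:06Z 10.0.0.5 POST https://discord.com/api/webhooks/1122334455/AbC-dEf_ghi 204 184320",
    "2024-01-10T12:00:07Z 10.0.0.7 POST https://example.org/upload 200 512",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_REGISTRY_EVENTS, SAMPLE_PROXY_LINES):
        print(f.technique, f.detail)
```

The webhook rule fires on any POST to a webhook URL, which the Discord desktop client itself does not make; on a workstation fleet that is rare enough to be worth an alert, and the bytes_out field gives a quick read on how much left. The Run-key rule will also catch legitimate installers, so pair it with the writing process (Image) and the path it points to, as the first sample event shows.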

Indicators of Compromise

  • [Hash] Trap Stealer – SHA-256 ba070e0328f5e093f35210904d53d4aa54339fdc1a11a1c3f68adee3ca0ff125, SHA-1 d589723c86d2ddefe3119c506e83814739cfa54f, MD5 a4bbf468fa1b3a7b7d29d65595704544
  • [Hash] Trap Stealer – SHA-256 31a274dfdbe93b117a5f62574bae009ad9bf6f4a66d5845b75e479547a608c6c, SHA-1 bcfbc009367231fd99ef0362a1e572aede015074, MD5 c4c27b95f86f87ebb58d2f2ae00e5ed9
  • [Hash] Trap Stealer – SHA-256 883e4d2893f3131e9b97e45e1b10acb8be70f3d2751cf3e9e75d24aced473a58, SHA-1 ffe2bd374a8bb3f22a77798c3cb5d905e7aa6bf2, MD5 736a8934c94e268bdd91d53a7f746fdf
  • [Hash] Trap Stealer – SHA-256 3501ea51bad76648ee577cfbb0cac51d3672a292775396ee6c50605cd2937afe, SHA-1 4e20ed2ab2a713ede6e184476838a145dc28621c, MD5 ab3dee7f0f03e7c7262756ab816ad4b7
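The hash list is only useful if it is actually checked against files. The script below is an added example, not Cyble's or Trap Stealer's code: it indexes the twelve digests above by algorithm (inferred from digest length), hashes files in one pass with all three algorithms, and reports any file whose digest appears in the index. The file contents used in the demonstration are constructed.

```python
"""Match local files against the Trap Stealer hash IOCs listed above.

The digests are the ones published in the article; the sample file written
in the demo is constructed and will not match them."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

# Each row on the page is one sample: (SHA-256, SHA-1, MD5).
IOC_ROWS = [
    ("ba070e0328f5e093f35210904d53d4aa54339fdc1a11a1c3f68adee3ca0ff125",
     "d589723c86d2ddefe3119c506e83814739cfa54f", "a4bbf468fa1b3a7b7d29d65595704544"),
    ("31a274dfdbe93b117a5f62574bae009ad9bf6f4a66d5845b75e479547a608c6c",
     "bcfbc009367231fd99ef0362a1e572aede015074", "c4c27b95f86f87ebb58d2f2ae00e5ed9"),
    ("883e4d2893f3131e9b97e45e1b10acb8be70f3d2751cf3e9e75d24aced473a58",
     "ffe2bd374a8bb3f22a77798c3cb5d905e7aa6bf2", "736a8934c94e268bdd91d53a7f746fdf"),
    ("3501ea51bad76648ee577cfbb0cac51d3672a292775396ee6c50605cd2937afe",
     "4e20ed2ab2a713ede6e184476838a145dc28621c", "ab3dee7f0f03e7c7262756ab816ad4b7"),
]

ALGORITHMS = ("sha256", "sha1", "md5")
ALGO_BY_HEX_LEN = {64: "sha256", 40: "sha1", 32: "md5"}


def index_iocs(rows: Iterable[Tuple[str, ...]]) -> Dict[str, str]:
    """Map each digest (lower-case hex) to its algorithm, rejecting malformed values."""
    index: Dict[str, str] = {}
    for row in rows:
        for digest in row:
            digest = digest.strip().lower()
            if len(digest) not in ALGO_BY_HEX_LEN or any(c not in "0123456789abcdef" for c in digest):
                raise ValueError(f"not a hex digest of a known length: {digest!r}")
            index[digest] = ALGO_BY_HEX_LEN[len(digest)]
    return index


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute all three digests in a single pass over the file."""
    hashers = {algo: hashlib.new(algo) for algo in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_digests(digests: Dict[str, str], index: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (algorithm, digest) pairs that hit the IOC index."""
    return [(algo, d) for algo, d in digests.items() if index.get(d) == algo]


def scan_tree(root: str, index: Dict[str, str]) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Walk a directory and return (path, matches) for every file that hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                matches = match_digests(hash_file(path), index)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the scan
            if matches:
                hits.append((path, matches))
    return hits


if __name__ == "__main__":
    index = index_iocs(IOC_ROWS)
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed file: harmless bytes that are not in the IOC set.
        with open(os.path.join(tmp, "GiftCardGen.exe"), "wb") as fh:
            fh.write(b"constructed sample, not malware\n")
        print(scan_tree(tmp, index) or "no IOC matches")
```

Because each operator builds (and obfuscates) their own binary, these hashes identify only the samples Cyble saw; treat a hash hit as confirmation, and rely on the behavioural indicators (Run-key writes, webhook POSTs) for coverage of new builds.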

Read more: https://cyble.com/blog/new-open-source-trap-stealer-pilfers-data-in-just-6-seconds/