Cyble researchers describe Exela Stealer, a Python-based open-source data-stealing tool targeting social platforms and Chromium-based browsers, with multiple anti-analysis features. The malware exfiltrates credentials, tokens, and session data via Discord webhooks, and includes a builder that can customize its capabilities and persistence. Hashtags: #ExelaStealer #Discord #DiscordWebhook #GitHub #Chromium #Chrome #Edge #Brave #Firefox #Telegram #Instagram #Twitter #TikTok #Reddit #Steam #Roblox
Keypoints
- Exela Stealer is a Python-based open-source stealer designed to covertly extract sensitive data from infected systems.
- It targets Discord users by injecting into the Discord client to harvest login credentials, personal data, and financial information.
- Exela also collects data from multiple Chromium-based browsers (Chrome, Edge, Brave, Opera, etc.) including passwords, cookies, and history.
- The malware can steal session data from social/media platforms (Instagram, Twitter, TikTok, Reddit, Steam, Roblox) via platform APIs and send results via Discord embeds to an attacker-controlled webhook.
- The Exela builder includes anti-VM/anti-debug, obfuscation, startup persistence, and digital-signing attempts to appear legitimate, with several evasion checks and a Discord webhook exfiltration path.
- Open-source nature and Discord-based exfiltration highlight evolving attacker use of legitimate platforms and accessible tooling for data theft.
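As an added defensive example (not from the Cyble report or the Exela code): a small Python detector that scans constructed endpoint network-event lines for outbound requests to Discord webhook URLs, the exfiltration path the key points describe. The event format, process paths and webhook IDs are constructed assumptions; because the report notes Exela injects into the Discord client, hits from Discord or a browser are kept and marked as a known client rather than allowlisted away.

```python
import re
from dataclasses import dataclass

# Constructed sample of endpoint network-connection events (process image plus
# destination URL). Field names, paths and webhook IDs are assumptions.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z host=WS01 image=C:\\Users\\u\\AppData\\Local\\Discord\\app-1.0.9/Discord.exe url=https://discord.com/api/v9/users/@me",
    "2024-05-01T10:00:05Z host=WS01 image=C:\\Users\\u\\Downloads\\Exela.exe url=https://discord.com/api/webhooks/1234567890/AbCdEf-gH",
    "2024-05-01T10:00:09Z host=WS01 image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe url=https://discordapp.com/api/webhooks/99/zz",
    "2024-05-01T10:00:12Z host=WS01 image=C:\\Windows\\System32\\svchost.exe url=https://update.microsoft.com/",
]

# Discord webhook URL shape: /api/webhooks/<id>/<token> on discord.com or discordapp.com.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(?P<id>\d+)/(?P<token>[\w-]+)",
    re.I,
)
EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+?) url=(?P<url>\S+)$")

# Processes that plausibly talk to Discord on their own. They are NOT allowlisted:
# the stealer injects into the Discord client, so these hits are kept but tagged.
KNOWN_CLIENTS = {"discord.exe", "discordptb.exe", "discordcanary.exe",
                 "chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

@dataclass
class Alert:
    ts: str
    host: str
    image: str          # executable name, lower-cased
    webhook_id: str     # webhook ID only; the token is deliberately not recorded
    known_client: bool  # True when the source is a Discord client or browser

def parse_event(line):
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None

def detect_webhook_exfil(lines):
    """Return one Alert per event whose destination is a Discord webhook URL."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        wm = WEBHOOK_RE.search(ev["url"])
        if not wm:
            continue
        exe = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        alerts.append(Alert(ev["ts"], ev["host"], exe, wm.group("id"), exe in KNOWN_CLIENTS))
    return alerts
```

Alerts from an unexpected image (here a download-folder executable) deserve the highest priority; alerts tagged `known_client` still warrant review because of the client-injection behaviour.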
MITRE Techniques
- [T1566] Phishing – This malware could reach users via phishing sites.
- [T1204] User Execution – The user needs to manually execute the malicious file downloaded from the phishing site.
- [T1059] Command and Scripting Interpreter – cmd.exe is used to collect system information.
- [T1059.001] PowerShell – PowerShell commands are used to compile C# code.
- [T1047] Windows Management Instrumentation – The WMIC command is used to get system information.
- [T1547.001] Registry Run Keys / Startup Folder – The malware adds a Run entry/Startup folder item for persistence.
- [T1497] Virtualization/Sandbox Evasion – Anti-VM/Anti-Debug techniques are used for evasion.
- [T1562.001] Disable or Modify Tools – The malware scans for VM- and debugger-related processes and terminates them.
- [T1056.001] Input Capture – The malware possesses the capability to engage in keylogging activities.
- [T1057] Process Discovery – The malware captures all the running processes.
- [T1082] System Information Discovery – The malware gathers system information through PowerShell, Command Prompt (cmd), and WMIC.
- [T1518.001] Security Software Discovery – The malware searches for processes associated with virtual machines and debuggers in order to forcibly terminate them.
- [T1005] Data from Local System – The malware collects sensitive data from the victim’s system.
Indicators of Compromise
- [SHA256] Exela artifacts – b9bc445af6729a95599f1a39e37f559f3ca18dbbc8ae4e60263af565ef4f4db3, 882484b56ad4418786852f401b1b81f31030bec8566b6b07c9798d4ea3033516, and 6 more hashes
- [File name] Exela-V2.0-main.rar – b9bc445af6729a95599f1a39e37f559f3ca18dbbc8ae4e60263af565ef4f4db3
Read more: https://cyble.com/blog/exela-stealer-spotted-targeting-social-media-giants/