The article discusses SapphireStealer, an open-source information stealer that has been gaining traction in public malware repositories and underground forums, and how attackers leverage open-source tooling to customize their infections and evade detection. It also notes that defenders benefit from the same open-source research, and highlights related trends in 2023, including ransomware evolution, commercial spyware, and supply chain risks. #SapphireStealer #Qakbot
Key points
- SapphireStealer is an open-source information stealer designed to extract browser credential databases and other sensitive files.
- Attackers are increasingly using freely available open-source tooling and adding anti-detection features to customize infections.
- The rise of new stealers for sale or rent on underground forums signals heightened threat activity and monetization.
MITRE Techniques
- [T1555.003] Credentials from Web Browsers – SapphireStealer is designed to facilitate the theft of browser credential databases and files containing sensitive user information. Quote: “SapphireStealer, an open-source information stealer, has been increasingly observed… designed to facilitate the theft of various browser credential databases and files that may contain sensitive user information.”
- [T1027] Obfuscated/Compressed Files and Information – Threat actors extended SapphireStealer with additional functionality and used other tooling to make detection of SapphireStealer infections more difficult.
Indicators of Compromise
- [SHA-256] – a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91, and 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
- [MD5] – 7bdbd180c081fa63ca94f9c22c457376, and 2915b3f8b703eb744fc54c81f4a9c67f
- [File name] – c0dwjdi6a.dll, VID001.exe
- [Detection Name] – Trojan.GenericKD.33515991, Win.Worm.Coinminer::1201
- [VirusTotal URL] – https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details, https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details
Read more: https://blog.talosintelligence.com/new-open-source-infostealer-and-reflections-on-2023-so-far/