SapphireStealer: Open-source information stealer enables credential and data theft

SapphireStealer is an open-source .NET information stealer that has gained traction since its public release in December 2022, with multiple threat actors expanding and modifying the code to exfiltrate data from infected systems. It is delivered in multi-stage campaigns using open-source downloaders like FUD-Loader, targets browser credential stores, host information, screenshots, and selected file types, and exfiltrates the collected data over SMTP by default, with some variants switching to Discord webhooks or Telegram. #SapphireStealer #FUD-Loader #DcRat #njRAT #DarkComet #AgentTesla #romanmaslov200

Keypoints

  • SapphireStealer is an open-source .NET information stealer observed across public malware repositories since December 2022.
  • It steals browser credential databases, host information, screenshots, and files with specific extensions from infected systems.
  • Threat actors have created multiple variants and expanded exfiltration mechanisms, with some campaigns delivering SapphireStealer via the FUD-Loader downloader.
  • Data is exfiltrated by SMTP and, in some cases, via Discord webhook or Telegram APIs to alert attackers.
  • Multiple actors independently develop the codebase, adding new functionality and streamlining the stealer's operation.
  • Indicators include hardcoded browser paths, specific PDB paths, and logs like Passwords.txt and log.zip, tied to several actor personas and hosting activity.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – threat actors deliver SapphireStealer with open-source malware downloaders such as FUD-Loader. ‘threat actors leveraging open-source malware downloaders like FUD-Loader to deliver SapphireStealer to potential victims.’
  • [T1083] File and Directory Discovery – Chromium.Get() enumerates the profile directories of Chromium-based browsers under %APPDATA% or %LOCALAPPDATA% to locate credential databases. ‘The malware calls Chromium.Get() to check for various browser database file directories under %APPDATA% or %LOCALAPPDATA%.’
  • [T1113] Screen Capture – it captures a screenshot and stores it as Screenshot.png. ‘The malware attempts to capture a screenshot from the system and stores it within the same working directory within a file called Screenshot.png.’
  • [T1555.003] Credentials from Web Browsers – it dumps credential databases and stores them in Passwords.txt. ‘The contents of any credential databases that are discovered are dumped. This information is then stored in a text file within the malware’s working directory called Passwords.txt.’
  • [T1560] Archive Collected Data – the malware creates log.zip containing logs. ‘Once the file grabber has completed execution, the malware then creates a compressed archive called log.zip containing all of the logs that were previously written to the malware’s working directory.’
  • [T1048.003] Exfiltration Over Unencrypted Non-C2 Protocol – data is transmitted via SMTP using credentials hardcoded in the sample; some variants instead post the archive to the Discord webhook API or notify the operator via Telegram. ‘This data is then transmitted to the attacker via Simple Mail Transfer Protocol (SMTP) using credentials defined in the portion of code responsible for crafting and sending the message.’ ‘In one case, we observed a SapphireStealer sample where the data collected… was exfiltrated using the Discord webhook API.’

Indicators of Compromise

  • [File] Passwords.txt – credential data dumped from browser stores. ‘The contents of any credential databases that are discovered are dumped. This information is then stored in a text file within the malware’s working directory called Passwords.txt.’
  • [File] Screenshot.png – system screenshot captured during infection. ‘The malware attempts to capture a screenshot from the system and stores it within the same working directory within a file called Screenshot.png.’
  • [File] log.zip – archive of logs created for exfiltration. ‘…creates a compressed archive called log.zip containing all of the logs that were previously written to the malware’s working directory.’
  • [File] C:\Users\roman\OneDrive\Рабочий стол\straler\net452\new_game.pdb – PDB path observed in a sample; "Рабочий стол" is Russian for "Desktop", and the "roman" user name matches the actor alias below. ‘C:\Users\roman\OneDrive\Рабочий стол\straler\net452\new_game.pdb’
  • [File] D:\C# proect\Sapphire\obj\Debug\Sapphire.pdb – another PDB path, with the typographical error "proect", observed in a sample. ‘D:\C# proect\Sapphire\obj\Debug\Sapphire.pdb’
  • [URL] Discord webhook URL – exfiltration channel. ‘Discord webhook URL (SendLog.url) was: hxxps[:]//discord[.]com/api/webhooks/1123664977618817094/La_3GaXooH42oGRiy8o7sazh1Cg0V_mzkH67VryfSB1MCOlYee1_JPMCNsfOTji7J9jO’
  • [Account] romanmaslov200 – actor alias linked to hosting and profiling activities. ‘Looking for additional accounts that featured the handle/alias “romanmaslov200” led us to a variety of personal accounts… The user profile also lists the domain observed hosting SapphireStealer samples’
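The techniques and indicators above (browser "Login Data" paths, the Passwords.txt / Screenshot.png / log.zip working-directory artifacts, SMTP exfiltration, Discord webhook and Telegram bot URLs, and embedded PDB paths) can be checked quickly against the printable strings of a suspected sample. The script below is an added triage example written for this summary; it is not code from the Talos write-up or from the stealer. The sample strings, the snowflake ID and the token values are constructed placeholders, and the scoring thresholds are an assumption for illustration.

```python
"""Triage the `strings` output of a suspected SapphireStealer build.

Flags the artifact names, browser credential-database paths, SMTP hosts,
Discord webhook / Telegram bot URLs and PDB paths described in the Talos
report. Added example code for this summary; not from the original post.
"""
import re
from dataclasses import dataclass, field, fields

# Constructed sample (not from a real binary): lines a strings-style
# extractor might emit for a SapphireStealer-like .NET sample.
SAMPLE_STRINGS = r"""
mscoree.dll
Passwords.txt
Screenshot.png
log.zip
\Google\Chrome\User Data\Default\Login Data
\Yandex\YandexBrowser\User Data\Default\Login Data
smtp.mail.ru
https://discord.com/api/webhooks/000000000000000000/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
https://api.telegram.org/bot0000000000:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage
D:\C# proect\Sapphire\obj\Debug\Sapphire.pdb
"""

# Files the stealer writes to its working directory before zipping them.
ARTIFACT_FILES = {"Passwords.txt", "Screenshot.png", "log.zip"}
# Chromium profile databases the credential grabber looks for.
BROWSER_DB = re.compile(r"\\User Data\\[^\r\n]*?\\(?:Login Data|Web Data|Cookies)\b")
SMTP_HOST = re.compile(r"\bsmtp\.[a-z0-9.-]+\b", re.I)
DISCORD_WEBHOOK = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
TELEGRAM_BOT = re.compile(r"https?://api\.telegram\.org/bot\d+:[\w-]+")
# Drive letter, backslash path (Cyrillic allowed), ".pdb" suffix.
PDB_PATH = re.compile(r'[A-Za-z]:\\[^\r\n"]+?\.pdb')


def defang(url: str) -> str:
    """Neutralise a URL for a report: hxxp scheme and [.] in the host only."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{slash}{path}"


@dataclass
class Triage:
    artifact_files: list = field(default_factory=list)
    browser_dbs: list = field(default_factory=list)
    smtp_hosts: list = field(default_factory=list)
    discord_webhooks: list = field(default_factory=list)
    telegram_bots: list = field(default_factory=list)
    pdb_paths: list = field(default_factory=list)

    def categories_hit(self) -> int:
        """Number of indicator categories with at least one match."""
        return sum(1 for f in fields(self) if getattr(self, f.name))

    def verdict(self) -> str:
        # Thresholds are an assumption for illustration, not from the report.
        hits = self.categories_hit()
        if hits >= 4:
            return "likely SapphireStealer-family build"
        if hits >= 2:
            return "suspicious: review manually"
        return "no stealer indicators"


def triage(strings_output: str) -> Triage:
    """Scan strings output line by line and collect matches per category."""
    t = Triage()
    for raw in strings_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ARTIFACT_FILES:
            t.artifact_files.append(line)
        if BROWSER_DB.search(line):
            t.browser_dbs.append(line)
        t.smtp_hosts.extend(SMTP_HOST.findall(line))
        # Exfil endpoints are defanged so the report can be pasted safely.
        t.discord_webhooks.extend(defang(m) for m in DISCORD_WEBHOOK.findall(line))
        t.telegram_bots.extend(defang(m) for m in TELEGRAM_BOT.findall(line))
        t.pdb_paths.extend(PDB_PATH.findall(line))
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS)
    for f in fields(result):
        print(f"{f.name:17s} {getattr(result, f.name)}")
    print("verdict:", result.verdict())
```

Run it against `strings -e l` as well as plain `strings` output: .NET user strings are stored as UTF-16, so the webhook URL and PDB path in a real sample often only surface in the wide-string pass. The Discord snowflake ID and token from the report are the sample-specific values to pivot on; the artifact file names and "Login Data" paths are shared with many other stealers and should raise the score but not decide it alone.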

Read more: https://blog.talosintelligence.com/sapphirestealer-goes-open-source/