Beware of Celestial Stealer: New MaaS Targets Browsers and Crypto Wallets

### #MaaSThreats #InfostealerInsights #MalwareDistribution

Summary: A recent report reveals the sophisticated operations of Celestial Stealer, a Malware-as-a-Service platform that targets developers, gamers, and cryptocurrency users by disguising itself as legitimate applications. This JavaScript-based infostealer employs advanced techniques to extract sensitive data while evading detection.

Threat Actor: Celestial Stealer Operators
Victim: Developers, Gamers, Cryptocurrency Users

Key Points:

  • Celestial Stealer is marketed on Telegram with subscription plans and targets Windows 10 and 11 users.
  • It employs anti-analysis techniques, and its operators claim it is “Fully Undetectable” (FUD), citing VirusTotal submissions as proof.
  • Infection chains include malicious tools disguised as Discord utilities and VR Chat enhancement applications.
  • The malware extracts sensitive data, injects malicious payloads, and ensures persistence on infected systems.
  • Data exfiltration is conducted via Discord webhooks, Telegram bots, and custom command-and-control servers.

A new report from Trellix Advanced Research Center has exposed the inner workings of Celestial Stealer, a sophisticated Malware-as-a-Service (MaaS) platform targeting developers, gamers, and cryptocurrency users. The JavaScript-based infostealer is disguised as seemingly legitimate applications, employing advanced obfuscation and anti-detection measures to extract sensitive data from compromised systems.

Celestial Stealer operates as a MaaS offering marketed on Telegram, with subscription plans available on a weekly, monthly, or lifetime basis. It is primarily designed for Windows 10 and 11 and is distributed either as an Electron application or a NodeJS single application. According to Trellix: “This stealer targets both Chromium and Gecko-based browsers, along with applications such as Steam, Telegram, and cryptocurrency wallets like Atomic and Exodus.”

The malware employs anti-analysis techniques, including checks of the current username and computer name against a list of values associated with analysis environments, and aborts when it finds a match. Its creators claim the stealer is “Fully Undetectable (FUD),” a claim they back by submitting builds to VirusTotal.

Trellix identified several infection chains for Celestial Stealer:

  1. Discord Promotion Generator: A malicious tool disguised as a Discord utility executes the stealer by decoding and running a Base64-encoded payload.
  2. VR Chat NSFW Application: Promoted as a VR Chat enhancement tool, it entices victims to download a stealer-laden executable.

Once executed, the stealer connects to its command-and-control (C2) servers for payload delivery and data exfiltration.

Celestial Stealer exhibits a wide range of malicious functionalities:

  • Data Theft: Extracts sensitive data such as cookies, passwords, autofill details, and credit card information from browsers and cryptocurrency wallets.
  • Application Injection: Injects malicious payloads into popular applications like Discord and Exodus, intercepting user credentials and payment details.
  • Persistence: Copies itself to the startup folder to ensure execution on system boot.
  • Anti-Detection: Incorporates obfuscation techniques such as control-flow flattening, junk code insertion, and anti-sandbox checks.

Trellix explained: “The sample checks for the timestamp in various functions. If the system date is before or after a certain date, the executable will either terminate itself or start an infinite loop.”
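The two gates described above (the username/computer-name check and the date window) are simple to model, and modelling them is how an analyst decides what a sandbox must look like for the sample to run. The following is an added illustration written for this page, not Celestial Stealer's code and not from the Trellix report: the blocklisted names, the date window, and the mapping of "too early" to terminate and "too late" to infinite loop are all assumptions, since the article does not give the real values. The decision is returned rather than acted on, so the infinite-loop branch never actually spins.

```javascript
'use strict';

// Assumed blocklist (illustrative): names often set on analysis VMs.
// The article does not list the names the real sample checks.
const ANALYSIS_USERNAMES = new Set(['sandbox', 'malware', 'virus', 'analyst', 'wdagutilityaccount']);
const ANALYSIS_HOSTNAMES = new Set(['sandbox', 'desktop-analysis', 'malware-pc']);

// Gate 1: does the host look like an analysis box?
// On a real Windows host you would pass os.userInfo().username and os.hostname().
function isAnalysisHost(env) {
  const user = String(env.username || '').toLowerCase();
  const host = String(env.hostname || '').toLowerCase();
  return ANALYSIS_USERNAMES.has(user) || ANALYSIS_HOSTNAMES.has(host);
}

// Gate 2: date window. Which side of the window triggers which behaviour is
// not stated in the article; here early => 'exit', late => 'loop' (assumed).
// All three values are epoch milliseconds.
function runWindowDecision(now, notBefore, notAfter) {
  if (now < notBefore) return 'exit'; // terminate itself
  if (now > notAfter) return 'loop';  // would start an infinite loop (stall the sandbox)
  return 'run';
}

// Combined decision. Passing `now` explicitly is the analyst's lever: a sample
// that reads Date.now() can be coaxed into the 'run' branch by pinning the VM
// clock inside the window, and into 'loop' by letting the clock run past it.
function decide(env, now, win) {
  if (isAnalysisHost(env)) return 'exit';
  return runWindowDecision(now, win.notBefore, win.notAfter);
}

// Constructed inputs for a stand-alone run (assumed window, not the sample's).
const WINDOW = { notBefore: Date.UTC(2024, 0, 1), notAfter: Date.UTC(2025, 11, 31) };
console.log(decide({ username: 'alice', hostname: 'LAPTOP-01' }, Date.UTC(2024, 5, 1), WINDOW)); // run
console.log(decide({ username: 'Sandbox', hostname: 'LAPTOP-01' }, Date.UTC(2024, 5, 1), WINDOW)); // exit
console.log(decide({ username: 'alice', hostname: 'LAPTOP-01' }, Date.UTC(2030, 0, 1), WINDOW)); // loop
```

When triaging a sample that uses gates like these, the practical consequence is that a detonation which "does nothing" is not evidence of a benign file: rerun it with a non-default username and hostname and with the clock set to a plausible date near the sample's compile time.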

The malware employs diverse data exfiltration methods, including:

  • Leveraging Discord webhooks, Telegram bots, and file-sharing platforms like gofile.io for data transmission.
  • Direct communication with C2 servers such as admin.celestial-stealer[.]dev.
  • Updates in later samples replaced legitimate services with custom C2 infrastructure for greater control.
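Both the exfiltration channels listed above and the decode-and-run pattern of the "Discord Promotion Generator" chain leave lexical traces in an unpacked JavaScript sample, so a first-pass static triage script can surface them before any detonation. The block below is an added example written for this page, not Trellix's tooling and not the malware's code; the sample text it scans is constructed for illustration (the webhook ID, bot token and paths are made up), and the only real indicator it carries is the C2 domain the article names, admin.celestial-stealer[.]dev.

```javascript
'use strict';

// Exfiltration endpoint shapes matching the channels the report lists:
// Discord webhooks, Telegram bot API calls, gofile.io uploads, and the custom C2 domain.
const EXFIL_PATTERNS = [
  { kind: 'discord_webhook', re: /https?:\/\/(?:ptb\.|canary\.)?discord(?:app)?\.com\/api\/webhooks\/\d+\/[\w-]+/gi },
  { kind: 'telegram_bot',    re: /https?:\/\/api\.telegram\.org\/bot\d+:[\w-]+\/\w+/gi },
  { kind: 'gofile',          re: /https?:\/\/(?:[\w-]+\.)?gofile\.io\/[^\s'"`]+/gi },
  // Domain named in the article (defanged there as admin.celestial-stealer[.]dev).
  { kind: 'celestial_c2',    re: /https?:\/\/admin\.celestial-stealer\.dev[^\s'"`]*/gi },
];

// Returns every endpoint match with the channel kind it belongs to.
function extractExfilIndicators(source) {
  const hits = [];
  for (const { kind, re } of EXFIL_PATTERNS) {
    for (const m of source.matchAll(re)) hits.push({ kind, value: m[0] });
  }
  return hits;
}

// Decode-and-execute: a Base64 decode and an execution sink on the same line.
// Purely lexical; a sample that splits the two across statements or obfuscates
// the identifiers needs dynamic analysis instead.
const DECODE_RE = /Buffer\.from\(\s*[^,]+,\s*['"]base64['"]\s*\)|\batob\s*\(/;
const SINK_RE = /\beval\s*\(|new\s+Function\s*\(|\b(?:exec|execSync|spawn|spawnSync)\s*\(|vm\.runIn\w+Context\s*\(/;

function findDecodeExec(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    if (DECODE_RE.test(line) && SINK_RE.test(line)) {
      findings.push({ line: i + 1, statement: line.trim() });
    }
  });
  return findings;
}

function triage(source) {
  return { decodeExec: findDecodeExec(source), exfil: extractExfilIndicators(source) };
}

// Constructed sample, not a real Celestial Stealer artifact. The payload is
// base64("console.log('hi')"); the IDs and token are invented.
const SAMPLE = `
const hook = "https://discord.com/api/webhooks/123456789012345678/abcDEF-ghi_JKL";
const tg = "https://api.telegram.org/bot1234567890:AAFakeTokenForIllustration/sendDocument";
const up = "https://store1.gofile.io/uploadFile";
const c2 = "https://admin.celestial-stealer.dev/api/upload";
const p = "Y29uc29sZS5sb2coJ2hpJyk=";
eval(Buffer.from(p, "base64").toString());
require("child_process").execSync(Buffer.from(p, "base64").toString("utf8"));
console.log(hook, tg, up, c2);
`;

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

On the network side the same shapes translate directly into proxy or DNS detections: a workstation posting to discord.com/api/webhooks or api.telegram.org/bot… is unusual enough to alert on, and later samples moving to custom infrastructure is exactly why the C2 domain should be blocked and watched as well.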

Celestial Stealer exemplifies the growing threat posed by MaaS platforms, blending technical sophistication with a commercialized distribution model. As Trellix emphasized: “Infostealers represent a serious risk to user security, capable of extracting sensitive data such as passwords, cookies, and more.”

For more details, see Trellix’s full analysis.

Source: https://securityonline.info/beware-of-celestial-stealer-new-maas-targets-browsers-and-crypto-wallets