TROX Stealer is a malicious infostealer that takes advantage of urgent phishing campaigns to compromise sensitive data from individuals. This malware uses various programming techniques for evasion, targeting consumers rather than enterprises, and relies on urgency-inducing emails to deliver its payload. The malware is capable of exfiltrating various types of sensitive data, including credit card information and cryptocurrency wallets. Affected: consumers, cybersecurity companies, universities, solar energy corporations
Key points:
- TROX Stealer is a recently discovered malware that operates as an information stealer.
- It capitalizes on urgency in phishing emails to promote its malicious payload.
- Distributed through "urgent" emails, the malware targets individuals across various sectors.
- The initial release of TROX Stealer dates back to April 2024, with a more public analysis following in December 2024.
- The malware is marketed as a service targeting consumer data rather than corporate networks.
- Malicious emails often contain links leading to a domain used for downloading the malware.
- TROX Stealer employs complex execution chains and multi-lingual techniques to evade detection.
- Data exfiltration occurs via cloud storage services and personal messaging platforms.
- The malware shows advanced evasion tactics while relying on established methods for data theft.
- Sublime's AI detection successfully intercepted these campaigns before they reached inboxes.
MITRE Techniques:
- T1193 - Phishing: Attackers use urgent emails to manipulate victims into downloading malicious files.
- T1071 - Application Layer Protocol: The malware communicates over HTTP and HTTPS for exfiltration tasks.
- T1203 - Exploitation for Client Execution: The malware leverages obfuscated code to bypass standard safeguards during execution.
- T1105 - Ingress Tool Transfer: Malware is delivered via executable files linked in phishing emails.
Indicators of Compromise:
- [Domain] debt-collection-experts[.]com
- [Domain] documents[.]debt-collection-experts[.]com
- [Domain] debt-collection-experts[.]online
- [IP Address] 89.185.82.34
- [IP Address] 172.22.117.177
Full Story: https://sublime.security/blog/trox-stealer-a-deep-dive-into-a-new-malware-as-a-service-maas-attack-campaign/