Raven Stealer: Threat Intelligence Summary

MITRE Techniques

• [T1003 ] OS Credential Dumping – Enumerates and extracts stored browser credentials and local vaults from Chromium-based browsers (“…steals credentials from various applications…accessing local storage paths and credential vaults…”).
• [T1552 ] Unsecured Credentials – Embeds Telegram Chat_ID and Bot_Token as plaintext in resources (resource IDs 102 and 103) enabling direct use of credentials (“…embeds sensitive Telegram credentials, specifically the Chat_ID and Bot_Token as plain text within its resource section…”).
• [T1574 ] Hijack Execution Flow – Reflective process hollowing into a suspended Chromium process to run malicious DLL in-memory (“…a new Chromium browser instance is launched in a suspended state…the decrypted DLL is injected into the suspended process…”).
• [T1055 ] Process Injection – Decrypts DLL in memory and injects it into a legitimate Chromium process to execute without dropping files (“…DLL is decrypted in memory only, avoiding disk writes…Reflective Process Hollowing…”).
• [T1041 ] Exfiltration Over C2 Channel – Uses Telegram bot API to send collected ZIP archive to attacker (“…The ZIP file is sent to the attacker via Telegram using the API endpoint: https://api.telegram.org/bot/sendDocument”).
• [T1027 ] Obfuscated Files or Information – Uses ChaCha20 encryption and high-entropy embedded resources (entropy ~8.0) to hide payloads (“…Encrypted Payload: Malware embeds its main DLL payload using ChaCha20 encryption…Entropy analysis reveals a value of 8.0…”).
• [T1204 ] User Execution – Distributed via cracked software and underground forums that rely on user execution to install the stealer (“…distribution often occurs through underground forums or bundled with cracked software…”).