SantaStealer is a new malware-as-a-service information stealer advertised on Telegram, designed to evade detection by operating in memory. Rapid7's analysis suggests it is a rebranded version of BluelineStealer with poor operational security and detection capabilities. #SantaStealer #BluelineStealer
Key points
- SantaStealer targets sensitive data like browser passwords, cookies, and credit card info, as well as messaging and gaming apps.
- The malware exfiltrates data in 10MB chunks via a hardcoded C2 endpoint, with multiple modules running simultaneously.
- It features configurable options, including excluding CIS systems and delaying execution to evade detection.
- Rapid7's analysis indicates the samples are far from undetectable, revealing shortcomings in the developer's operational security.
- The malware uses an embedded executable to bypass Chrome's encryption protections and can manipulate its distribution methods.
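The chunked exfiltration described above (data pushed in 10MB pieces to a single hardcoded endpoint) is a pattern a defender can look for in egress logs. The script below is an added example written for this summary, not Rapid7's tooling or anything from the SantaStealer analysis: it counts repeated POST uploads of roughly chunk size from one client to one destination and flags pairs that cross a threshold. The log format, the sample lines, the 2% size tolerance and the three-chunk minimum are all constructed assumptions; adapt them to your proxy's real fields.

```python
"""Toy egress detector: flag clients that repeatedly POST ~10 MB bodies to the
same destination, the chunked-exfiltration pattern described for SantaStealer.
Log format, thresholds and sample data are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed proxy log lines: timestamp, client, method, destination, bytes sent
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 POST 203.0.113.10 10485760
2024-01-01T10:00:07 10.0.0.5 POST 203.0.113.10 10485760
2024-01-01T10:00:13 10.0.0.5 POST 203.0.113.10 10485760
2024-01-01T10:00:19 10.0.0.5 POST 203.0.113.10 3145728
2024-01-01T10:00:20 10.0.0.7 POST cdn.example.net 2048
2024-01-01T10:00:21 10.0.0.7 GET cdn.example.net 0
2024-01-01T10:00:25 10.0.0.9 POST backup.example.net 10485760
"""

CHUNK_SIZE = 10 * 1024 * 1024  # 10 MiB, the chunk size reported in the summary
TOLERANCE = 0.02               # accept bodies within 2% of chunk size (assumed)
MIN_CHUNKS = 3                 # require three full-size chunks to one host (assumed)


@dataclass
class Upload:
    ts: str
    client: str
    method: str
    dest: str
    size: int


def parse_log(text: str) -> list[Upload]:
    """Parse the constructed 5-field log format; malformed lines are skipped."""
    uploads = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, client, method, dest, size = parts
        uploads.append(Upload(ts, client, method, dest, int(size)))
    return uploads


def is_full_chunk(size: int) -> bool:
    """True when the body is within TOLERANCE of the expected chunk size."""
    return abs(size - CHUNK_SIZE) <= CHUNK_SIZE * TOLERANCE


def find_chunked_uploads(uploads: list[Upload]) -> dict[tuple[str, str], int]:
    """Count full-size POST chunks per (client, destination) and return the
    pairs at or above MIN_CHUNKS. A trailing smaller body (the last, partial
    chunk of a transfer) is deliberately not counted, so it neither helps nor
    hurts the score."""
    counts: dict[tuple[str, str], int] = defaultdict(int)
    for u in uploads:
        if u.method == "POST" and is_full_chunk(u.size):
            counts[(u.client, u.dest)] += 1
    return {pair: n for pair, n in counts.items() if n >= MIN_CHUNKS}


if __name__ == "__main__":
    for (client, dest), n in find_chunked_uploads(parse_log(SAMPLE_LOG)).items():
        print(f"{client} sent {n} ~10MB POST chunks to {dest}")
```

On the constructed sample only 10.0.0.5 is flagged: its three full chunks to 203.0.113.10 meet the threshold, while the single 10 MB upload from 10.0.0.9 to a backup host does not. In production the size match alone is weak evidence (legitimate clients also upload in fixed chunks), so pair it with destination reputation and the process that opened the connection before treating a hit as an incident.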