A multi-stage phishing campaign consistently delivers the Stealerium .NET infostealer by reusing a stable execution core while varying lure themes and front-door delivery methods. #Stealerium #DepartmentOfState
Key points
- Operators delivered Stealerium through password-protected ZIP attachments that contained malicious SVGs instructing victims to run a PowerShell one-liner (ClickFix), enabling user-driven execution and evasion of automated inspection.
- The campaign evolved from a relief-fund lure to executive reward themes and added an intermediate credential-harvesting HTML page that exfiltrated credentials to an operator-controlled Telegram bot before continuing to the same payload.
- Delivery diversified across fallback endpoints (/gethta, /getexe, /getdll, /getps, /getbatch) to increase execution reliability while the backend Stealerium payload remained consistent and reflectively loaded in-memory.
- Stealerium’s runtime features included AMSI bypass and ETW suppression, credential/browser/session theft, keylogging, clipboard hijacking (crypto address clipping), file grabbing, optional webcam/screenshot capture, and operator-triggered ransomware capability.
- Exfiltration used a hybrid model: embedded C2 endpoints for control and cloud file hosts (GoFile) plus Telegram for operator notifications and stolen-data delivery links.
- Observed persistence mechanisms included HKCU Run registry keys, Startup folder copies, and scheduled tasks when administrative privileges were available.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Password-protected ZIP used as initial lure and delivery to evade automated inspection (‘…provided a password-protected ZIP file. Supplying the ZIP password in the email was not just convenient; it increased the chance a user would open the file…’)
- [T1204] User Execution – Socially engineered SVG instructs the victim to manually run a PowerShell command outside the browser sandbox (‘…it tells the user to manually copy a PowerShell command and run it through the Windows Run dialog or a command prompt.’)
- [T1059.001] PowerShell – PowerShell one-liners and loaders stage HTA and subsequent script-based loaders and retrieve payloads (‘…The PowerShell one-liner downloads an HTA file into %TEMP% and launches it with mshta.exe… writes the next PowerShell loader to disk, commonly as update.ps1.’)
- [T1218.005] Mshta – Use of mshta.exe to execute staged HTA content during loading (‘…downloads an HTA file into %TEMP% and launches it with mshta.exe.’)
- [T1620] Reflective Code Loading – Final Stealerium payload is loaded in-memory via reflective .NET loading (‘…executes Stealerium primarily through in-memory, reflective .NET loading.’)
- [T1027] Obfuscated Files or Information – HTML smuggling and embedded/encoded artifacts (Base64 SVG, encoded PowerShell, compressed DLL) reduce network visibility and hinder inspection (‘…The SVG is embedded in the HTML as a Base64 blob… PowerShell commands are delivered in encoded form… downloads a compressed DLL, decompresses it in memory with GZipStream…’)
- [T1566.002] Phishing: Web Page – Intermediate HTML credential-harvesting page that collects passwords and posts them to a Telegram bot (‘…an intermediate phishing HTML page that harvests credentials… Each password attempt is sent to an operator-controlled Telegram bot…’)
- [T1056.001] Input Capture: Keylogging – Stealerium includes an enabled keylogging module to capture keystrokes (‘…keylogging…’)
- [T1113] Screen Capture – Optional screenshot (and webcam) capture used for identity/context collection (‘…Optional screenshot or webcam capture for identity and context.’)
- [T1115] Clipboard Data – Clipboard hijacking including crypto address clipping to replace copied wallet addresses with actor-controlled addresses (‘…clipboard hijacking, including crypto address clipping that replaces copied wallet addresses with actor-controlled addresses.’)
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Persistence via HKCU Run key and copying payload to the user Startup folder (‘…HKCU\Software\Microsoft\Windows\CurrentVersion\Run… copies itself into the user Startup folder.’)
- [T1053] Scheduled Task/Job – Creation of a scheduled task for persistence when running with administrative privileges (‘…schtasks /create /tn "StealeriumTask" /tr "" /sc onlogon /rl highest /f’)
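The execution chain in the key points and the technique list above (user-run encoded PowerShell, mshta.exe launching an HTA from %TEMP%, an update.ps1 loader, then Run-key and scheduled-task persistence) maps onto a small set of host telemetry rules. The following is an added example for this summary, not code from the original report or any vendor product: it encodes those rules in Python and runs them over constructed events that imitate Sysmon process-creation and registry-set records. The event field names, the sample paths and user names, and the regexes are all assumptions; the task name and Run-key value name are the ones the report lists.

```python
"""Detection rules for the Stealerium delivery and persistence chain.

Added example for this summary; it is not code from the original report or
from any vendor tooling. Event dicts below imitate Sysmon process-creation
(EventID 1) and registry-set (EventID 13) telemetry; their field names and
the sample values are constructed assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str  # MITRE ATT&CK ID as used in the report
    rule: str
    evidence: str


# Constructed sample telemetry: one ClickFix chain plus a benign process.
SAMPLE_EVENTS = [
    {"event": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAB"},
    {"event": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"mshta.exe C:\Users\alice\AppData\Local\Temp\stage.hta"},
    {"event": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"powershell -ep bypass -f C:\Users\alice\AppData\Local\Temp\update.ps1"},
    {"event": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "cmdline": r'schtasks /create /tn "StealeriumTask" /tr "C:\Users\alice\AppData\Roaming\svc.exe" /sc onlogon /rl highest /f'},
    {"event": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Stealerium", "data": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"event": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
]

# Assumption: powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}")
TEMP_HTA = re.compile(r"(?i)\\temp\\[^\s\"]+\.hta\b")
TEMP_PS1 = re.compile(r"(?i)\\temp\\[^\s\"]+\.ps1\b")
USER_WRITABLE = re.compile(r"(?i)\\(?:appdata|temp|programdata)\\")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list[Finding]:
    image, parent, cmd = _base(ev["image"]), _base(ev["parent"]), ev["cmdline"]
    out = []
    # T1059.001: encoded PowerShell launched from explorer.exe, i.e. typed into the Run dialog.
    if image == "powershell.exe" and parent == "explorer.exe" and ENCODED_PS.search(cmd):
        out.append(Finding("T1059.001", "encoded_powershell_from_explorer", cmd))
    # T1218.005: mshta.exe executing an HTA staged under a Temp directory.
    if image == "mshta.exe" and TEMP_HTA.search(cmd):
        out.append(Finding("T1218.005", "mshta_temp_hta", cmd))
    # T1059.001: second-stage loader script (e.g. update.ps1) run from a Temp directory.
    if image == "powershell.exe" and TEMP_PS1.search(cmd):
        out.append(Finding("T1059.001", "powershell_temp_ps1_loader", cmd))
    # T1053: on-logon or highest-run-level task whose action lives in a user-writable path.
    if image == "schtasks.exe" and "/create" in cmd.lower() and (
        re.search(r"(?i)/sc\s+onlogon", cmd) or re.search(r"(?i)/rl\s+highest", cmd)
    ) and USER_WRITABLE.search(cmd):
        out.append(Finding("T1053", "schtasks_onlogon_userwritable", cmd))
    return out


def check_registry(ev: dict) -> list[Finding]:
    # T1547.001: Run-key value whose target lives in a user-writable directory.
    if ev["key"].lower().endswith(r"\currentversion\run") and USER_WRITABLE.search(ev["data"]):
        return [Finding("T1547.001", "run_key_userwritable_target", f'{ev["value"]}={ev["data"]}')]
    return []


def detect(events: list[dict]) -> list[Finding]:
    """Run every rule over a list of events and return the findings in event order."""
    findings = []
    for ev in events:
        if ev["event"] == "process":
            findings.extend(check_process(ev))
        elif ev["event"] == "registry":
            findings.extend(check_registry(ev))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.rule}: {f.evidence}")
```

The rules key on behaviour (parent process, encoded arguments, Temp-directory staging, user-writable persistence targets) rather than on the names "Stealerium" and "StealeriumTask", so a rebuilt sample with different strings still trips them; the report's names remain useful as a secondary, high-confidence match.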
Indicators of Compromise
- [IP address] initial C2 host used to stage components – 31[.]57[.]147[.]77:6464
- [Domain / URL] primary C2 and redirect endpoints – hxxps://c2-rpxl[.]onrenderp[.]com, hxxps://login[.]verify[.]monksmeets[.]com/tpjFIejZ
- [String / Key] embedded configuration secret – StealeriumC2SecretKey123
- [File names / paths] staged loader and persistence artifacts – update.ps1; %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\.exe
- [Registry key] persistence location – HKCU\Software\Microsoft\Windows\CurrentVersion\Run (Value: Stealerium)
- [Scheduled task] persistence task name – "StealeriumTask" (schtasks /create … /tn "StealeriumTask")
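The network indicators above are defanged (hxxps, [.]) and have to be refanged before they can be compared with proxy or DNS logs. The following is an added example for this summary, not code from the original report: it refangs the IP and URL indicators listed above, reduces each to its host, and matches that host exactly against constructed proxy log lines. The log format (timestamp, user, client IP, method, target) and every log value are assumptions; only the indicator strings come from the report.

```python
"""Refang the report's defanged network IoCs and match them against proxy logs.

Added example for this summary, not code from the original report. The IoC
strings are the ones listed above; the proxy log lines are constructed and
their format (timestamp user client_ip method target) is an assumption.
"""
import re
from urllib.parse import urlsplit

# Defanged indicators as printed in the report.
REPORT_IOCS = [
    "31[.]57[.]147[.]77:6464",
    "hxxps://c2-rpxl[.]onrenderp[.]com",
    "hxxps://login[.]verify[.]monksmeets[.]com/tpjFIejZ",
]

# Constructed proxy log lines (not from the report's telemetry). The last line is a
# look-alike host that must not match, to show why exact host comparison is used.
SAMPLE_LOG = """\
2024-05-01T09:14:02Z alice 10.0.0.5 CONNECT c2-rpxl.onrenderp.com:443
2024-05-01T09:14:03Z alice 10.0.0.5 GET https://www.example.com/index.html
2024-05-01T09:14:09Z alice 10.0.0.5 GET https://login.verify.monksmeets.com/tpjFIejZ
2024-05-01T09:15:40Z alice 10.0.0.5 CONNECT 31.57.147.77:6464
2024-05-01T09:16:01Z bob 10.0.0.7 GET https://login.verify.monksmeets.com.evil-lookalike.test/
"""


def refang(ioc: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s), [.] -> ., [:] -> :."""
    ioc = re.sub(r"(?i)^hxxp", "http", ioc)
    return ioc.replace("[.]", ".").replace("[:]", ":")


def host_of(value: str) -> str:
    """Bare host (no scheme, port or path) of a defanged IoC or a log target."""
    s = refang(value)
    if "://" not in s:
        s = "//" + s  # let urlsplit parse host:port without a scheme
    return (urlsplit(s).hostname or "").lower()


def scan(log_text: str, iocs: list[str]) -> list[tuple[int, str]]:
    """Return (line_number, matched_host) for lines whose target host is an IoC.

    Exact host match only: a look-alike domain with extra labels is not reported,
    and a path-bearing indicator matches any request to that host.
    """
    wanted = {host_of(i) for i in iocs}
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated record
        host = host_of(parts[4])
        if host in wanted:
            hits.append((n, host))
    return hits


if __name__ == "__main__":
    for n, host in scan(SAMPLE_LOG, REPORT_IOCS):
        print(f"line {n}: {host}")
```

Matching on the host rather than the full URL is deliberate: the report's redirect endpoint carries a path, but any connection to that host from inside the network is worth a look, and CONNECT records never show the path at all.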