MicroStealer Analysis: A Fast-Spreading Infostealer with Limited Detection 

MITRE Techniques

• [T1204.002 ] User Execution: Malicious File – Victim executes the delivered NSIS/Electron installer (Game Launcher/RocobeSetup) (‘User runs NSIS installer / Game Launcher’)
• [T1059.001 ] PowerShell – PowerShell script used to request elevation with Start-Process -Verb RunAs for UAC interaction (‘Start-Process -FilePath ” -ArgumentList ‘–install’ -Verb RunAs’)
• [T1059.003 ] Windows Command Shell – schtasks is invoked to create a scheduled task for persistence (‘schtasks /create /tn “%s” /tr “”%s” -jar ”%s”” /sc ONLOGON /delay 0000:05 /rl HIGHEST /f’)
• [T1053.005 ] Scheduled Task/Job: Scheduled Task – Persistence via a scheduled task named App_ triggered ONLOGON with highest privileges (‘Task App_, ONLOGON, HIGHEST, 5s delay’)
• [T1548.002 ] Abuse Elevation Control Mechanism: Bypass User Account Control – Social-engineered UAC prompt presented during installation to obtain elevated privileges (‘UAC prompt for elevation (social engineering)’)
• [T1134.001 ] Access Token Manipulation: Token Impersonation/Theft – Malware duplicates LSASS token and impersonates it to escalate privileges when LSA protections allow (‘DuplicateToken / ImpersonateLoggedOnUser on LSASS token’)
• [T1027 ] Obfuscated Files or Information – Extensive obfuscation in Node.js (LZ-String, flattened control flow) and ZKM-obfuscated Java classes (‘Node.js obfuscation + ZKM in JAR’)
• [T1036.005 ] Masquerading: Match Legitimate Resource Name or Location – Executable named miicrosoft.exe and benign-sounding Game Launcher used to appear legitimate (‘miicrosoft.exe, Game Launcher naming’)
• [T1497.001 ] Virtualization/Sandbox Evasion: System Checks – Checks for VM-related processes and halts if found (vmware*, vbox*, qemu, etc.) (‘Process list check for VMware, VBox, QEMU, etc.’)
• [T1555.003 ] Credentials from Password Stores: Credentials from Web Browsers – Extracts saved passwords and autofill from Chromium-based browsers via profiles and DPAPI decryption (‘Chromium/Opera: passwords, autofill via DPAPI’)
• [T1539 ] Steal Web Session Cookie – Extracts browser cookies to enable session hijacking (‘Browser cookies extraction (session hijacking)’)
• [T1552.001 ] Unsecured Credentials: Credentials In Files – Copies wallet files and extension storage to exfiltrate desktop and browser wallet data (‘Wallet files and browser extension storage’)
• [T1003.001 ] OS Credential Dumping: LSASS Memory – Attempts LSASS memory access and token duplication when RunAsPPL is disabled (‘LSASS access when RunAsPPL=0, token duplicate’)
• [T1082 ] System Information Discovery – Collects environment details (external IP, region, OS version, time zone, hostname, username, env vars) for beaconing and profiling (‘Collects hostname, OS, username, env vars for exfil report’)
• [T1113 ] Screen Capture – Captures full desktop screenshot via java.awt.Robot and saves as PNG for exfiltration (‘Screenshot via java.awt.Robot, PNG’)
• [T1560.001 ] Archive Collected Data: Archive via Utility – Packages stolen data into ZIP archives before exfiltration (‘ZIP before exfiltration’)
• [T1567.004 ] Exfiltration Over Web Service: Exfiltration Over Webhook – Sends stolen archives and beacons to Discord webhook and other web servers (‘Data sent to Discord/webhook’)
• [T1071.001 ] Application Layer Protocol: Web Protocols – Uses HTTPS to communicate with C2, Discord API, and attacker domains (‘HTTPS to C2 / webhooks’)