Taurus Stealer is an evolving information-stealing malware that has been active since April 2020 and is sold and distributed through Russian-language underground forums. Initially delivered via malspam or exploit kits, it employs sophisticated techniques, including heavy obfuscation and anti-emulation measures. Recent versions enhance its networking capabilities and improve its evasion of detection.
Affected: cybersecurity, information technology, financial sector, individual privacy, cryptocurrency users
Key points:
- Taurus Stealer is a C/C++ information-stealing malware operational since April 2020.
- Delivered through malspam campaigns and exploit kits such as Fallout.
- Developed by the author of Predator The Thief, marketed via Russian underground forums.
- Features heavy code obfuscation and anti-emulation techniques.
- Capable of stealing credentials from various applications, including cryptocurrency wallets and browsers.
- Implements a complex command and control communication mechanism.
- Utilizes encrypted traffic and avoids detection through heavy use of junk code.
- Regular updates enhance its functionalities and improve evasion techniques.
MITRE Techniques:
- T1071.001 – Application Layer Protocol: Uses HTTPS for command and control communications.
- T1066 – Indicator Removal on Host: Deletes traces of networking activity using DeleteUrlCacheEntry.
- T1083 – File and Directory Discovery: Utilizes FindFirstFileA and FindNextFileA to seek out files to steal.
- T1157 – Data Encrypted: Encrypts exfiltrated data with RC4.
- T1203 – Exploit Public-Facing Application: Initially delivered via exploit kits.
- T1040 – Network Sniffing: Monitors and collects sensitive information during exfiltration.
Indicators of Compromise:
Full Story: https://outpost24.com/blog/an-in-depth-analysis-of-the-new-taurus-stealer/