CYFIRMA identifies a sophisticated dropper named BLX Stealer (also called XLABB Stealer) designed to harvest credentials, browser data, and cryptocurrency wallets, with persistence capabilities and ongoing development. It is advertised on Telegram and Discord and uses a Discord Webhook for C2, while the open-source BLX Stealer tool remains under active development. #BLXStealer #XLABBStealer
Keypoints
- Malware Name: BLX Stealer (also known as XLABB Stealer)
- Distribution: Advertised on Telegram and Discord with free and premium versions
- Targeted Data: Browser passwords, cryptocurrency wallets, gaming accounts, and Discord tokens
- Persistence Mechanism: Drops payload in the startup folder for execution on system reboot
- Exfiltration Method: Uses Discord Webhook as a Command and Control (C2) server
- Development: Open-source tool available on GitHub, under constant development
- Recommendations: Adoption of Zero Trust Security Model, advanced threat intelligence, and regular security audits
MITRE Techniques
- [T1059.001] Command and Scripting Interpreter: PowerShell – Used to bypass execution policy and run a temp.ps1 script: "C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\User\AppData\Local\Temp\temp.ps1"""
- [T1129] Shared Modules – The article notes these are “legitimate Microsoft utilities that can be abused by the malware to compile and manipulate executable files.”
- [T1059.006] Command and Scripting Interpreter: Python – The Python extension files (".pyd" modules and DLLs) are dropped under Temp in a directory named "_MEI81882".
- [T1543] Create or Modify System Process – The dropper’s behavior implies creation/modification of processes to run malware components.
- [T1543.003] Privilege Escalation – Privilege escalation mechanisms observed in the dropper’s workflow.
- [T1547] Boot or Logon Autostart Execution – Payload dropped in Startup folder to persist across reboots.
- [T1649] Steal or Forge Authentication Certificates – The cacert.pem file contains CA certificates used to encrypt data over the network.
- [T1560.001] Archive via Utility – The dropper’s data handling includes archiving-related actions using a utility.
- [T1560.002] Archive via Library – The dropper’s data handling includes archiving-related actions using a library.
- [T1016] System Network Configuration Discovery – Attempts to discover IP and geolocation details of the victim.
- [T1497.001] System Check – WMI queries are used to detect sandbox/VM environments.
- [T1102] Web Service – Discord Webhook is used as a C2 channel for exfiltration.
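The techniques above translate into a handful of host and network detections: a policy-bypassing PowerShell launch of a script under the user's Temp folder (T1059.001), an executable running from the Startup folder (T1547), a WMI probe spawned from a Temp directory (T1497.001), and outbound traffic to a Discord webhook URL (T1102). The following Python script is an added example, not code from the CYFIRMA report or from BLX Stealer's repository, that applies those four checks to constructed process-creation events and URLs. The event field names (image, cmdline, parent) mimic Sysmon event ID 1, the sample events are made up apart from the command line quoted above, the python.exe parent under _MEI81882 is an assumption, and the webhook URL uses a placeholder ID and token.

```python
import re

# Constructed sample process-creation events (Sysmon event ID 1 style).
# NOT telemetry from the report: only the first command line is quoted
# from it; the other three events are made-up neighbours, one of them benign.
SAMPLE_EVENTS = [
    {  # the cmd.exe -> powershell.exe chain quoted in the report
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": (r'C:\Windows\system32\cmd.exe /d /s /c "powershell.exe '
                    r'-ExecutionPolicy Bypass -File '
                    r'"C:\Users\User\AppData\Local\Temp\temp.ps1""'),
        "parent": r"C:\Users\User\Downloads\Node.exe",
    },
    {  # benign: maintenance script, no policy bypass, not under Temp
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1",
        "parent": r"C:\Windows\System32\svchost.exe",
    },
    {  # payload executing from the per-user Startup folder after reboot
        "image": (r"C:\Users\User\AppData\Roaming\Microsoft\Windows"
                  r"\Start Menu\Programs\Startup\Node.exe"),
        "cmdline": "Node.exe",
        "parent": r"C:\Windows\explorer.exe",
    },
    {  # WMI hardware query launched from a Temp directory (parent name assumed)
        "image": r"C:\Windows\System32\wbem\WMIC.exe",
        "cmdline": "wmic computersystem get manufacturer,model",
        "parent": r"C:\Users\User\AppData\Local\Temp\_MEI81882\python.exe",
    },
]

# Path fragments compared case-insensitively against lower-cased fields.
TEMP_DIR = "\\appdata\\local\\temp\\"
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def rule_powershell_bypass_temp_script(ev):
    """T1059.001: -ExecutionPolicy Bypass running a .ps1 from the user's Temp."""
    c = ev["cmdline"].lower()
    return "-executionpolicy bypass" in c and TEMP_DIR in c and ".ps1" in c


def rule_startup_folder_executable(ev):
    """T1547: an .exe whose image path lies inside a Startup folder."""
    img = ev["image"].lower()
    return STARTUP_DIR in img and img.endswith(".exe")


def rule_wmi_probe_from_temp(ev):
    """T1497.001: wmic.exe spawned by a process living under Temp."""
    img = ev["image"].lower()
    return img.endswith("\\wmic.exe") and TEMP_DIR in ev["parent"].lower()


RULES = {
    "powershell_bypass_temp_script": rule_powershell_bypass_temp_script,
    "startup_folder_executable": rule_startup_folder_executable,
    "wmi_probe_from_temp_parent": rule_wmi_probe_from_temp,
}


def detect_process_events(events):
    """Return (event index, rule name) for every rule that fires on each event."""
    findings = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                findings.append((idx, name))
    return findings


# T1102: Discord webhook endpoints, including the older discordapp.com host.
WEBHOOK_RE = re.compile(
    r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/\S+", re.I)

# Constructed URLs; the webhook ID and token are placeholders, not real IoCs.
SAMPLE_URLS = [
    "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN",
    "https://discord.com/api/v9/users/@me",      # ordinary API use, not a webhook
    "https://example.com/api/webhooks/1/abc",    # same path shape, wrong host
]


def flag_webhook_destinations(urls):
    """Return the URLs that point at a Discord webhook."""
    return [u for u in urls if WEBHOOK_RE.search(u)]


if __name__ == "__main__":
    for idx, name in detect_process_events(SAMPLE_EVENTS):
        print(f"event {idx}: {name} <- {SAMPLE_EVENTS[idx]['image']}")
    for url in flag_webhook_destinations(SAMPLE_URLS):
        print(f"webhook destination: {url}")
```

The Startup-folder and Temp-parent checks deliberately key on where a binary lives rather than on its name, so a renamed Node.exe or a fresh _MEI directory still trips them; the webhook rule is the one to tune, since legitimate automation also posts to Discord webhooks and should be allow-listed by host rather than by disabling the rule.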
Indicators of Compromise
- [File Hash] 8c4daf5e4ced10c3b7fd7c17c7c75a158f08867aeb6bccab6da116affa424a89 – Node.exe
- [File Hash] e74dac040ec85d4812b479647e11c3382ca22d6512541e8b42cf8f9fbc7b4af6 – Node.exe
- [File Hash] 32abb4c0a362618d783c2e6ee2efb4ffe59a2a1000dadc1a6c6da95146c52881 – Decryptable executable
- [File Hash] 5b46be0364d317ccd66df41bea068962d3aae032ec0c8547613ae2301efa75d6 – Decryptable executable
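The four SHA-256 values above are the only file-level indicators the report gives, so the natural use of them is a sweep of user-writable directories (Downloads, Temp, the Startup folder) for matching files. The script below is an added example, not part of the CYFIRMA report, that hashes every file under a directory and reports matches against that IoC set. The labels attached to each hash are copied from the list above; the throwaway directory and sample file in self_check() are constructed here to exercise the matcher offline.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 indicators and their labels as listed in the report.
IOC_SHA256 = {
    "8c4daf5e4ced10c3b7fd7c17c7c75a158f08867aeb6bccab6da116affa424a89": "Node.exe",
    "e74dac040ec85d4812b479647e11c3382ca22d6512541e8b42cf8f9fbc7b4af6": "Node.exe",
    "32abb4c0a362618d783c2e6ee2efb4ffe59a2a1000dadc1a6c6da95146c52881": "Decryptable executable",
    "5b46be0364d317ccd66df41bea068962d3aae032ec0c8547613ae2301efa75d6": "Decryptable executable",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: Path, iocs=IOC_SHA256):
    """Return (path, label) for every regular file under root whose hash is an IoC.

    Unreadable files (permission errors, files that vanish mid-scan) are skipped
    rather than aborting the sweep, since a sweep of Temp will hit both.
    """
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = sha256_of(p)
        except OSError:
            continue
        if digest in iocs:
            hits.append((p, iocs[digest]))
    return hits


def self_check():
    """Exercise the matcher on a constructed file in a throwaway directory.

    Confirms that an innocuous file does not match the real IoC set, and that
    the same file is reported when its own hash is injected as an indicator.
    """
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        sample = root / "sample.bin"
        sample.write_bytes(b"constructed sample content, not malware\n")
        real_hits = scan_directory(root)
        injected = scan_directory(root, {sha256_of(sample): "injected-test-entry"})
    return {
        "real_hits": len(real_hits),
        "injected_hits": [label for _, label in injected],
    }


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home()
    for path, label in scan_directory(target):
        print(f"IOC match: {path} ({label})")
    print("self-check:", self_check())
```

Hash matching only catches the exact samples CYFIRMA analysed; since the tool is under constant development, rebuilt payloads will have different hashes, so this sweep complements rather than replaces the behavioural checks (Startup-folder persistence, Temp-resident PowerShell, webhook traffic) described earlier.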