Cyble – NoMercy Stealer Adding New Features

Cyble Research Labs uncovered the NoMercy stealer being sold on Telegram, marketed primarily to Indian threat actors, with the developer rapidly adding new capabilities (including clipper and VPN client-stealer features). The stealer exfiltrates extensive host information to a C2 server, persists across reboots, and relies on hardcoded C2 configuration that changes from build to build as it evolves. #NoMercyStealer #CybleResearchLabs

Keypoints

  • NoMercy Stealer is sold on Telegram, priced around 780 Indian rupees (~$10), indicating a focus on Indian threat actors.
  • The initial build is primitive: a 32-bit, console-based C# program with hardcoded C2 details and startup-folder persistence.
  • Early operations include checking the victim’s public IP via ipify, registering with a C2 server, and then sending system information to the C2.
  • After establishing persistence, the malware continuously exfiltrates screenshots, keystrokes, webcam photos, and device audio.
  • New features such as clipper and VPN client‑stealer capabilities were added in the v1.1.0 version sold for ~$20.
  • UIDs are generated from the victim’s public IP and account name (via whoami), then used to register with the C2; communications follow a structured URL format.
  • Infections do not yet appear to be high-volume, but the actors are actively adding capabilities, so the threat is still evolving.

MITRE Techniques

  • [T1204] User Execution – The NoMercy stealer is a 32-bit, console-based C# executable file. ‘The NoMercy stealer is a 32-bit, console-based C# executable file.’
  • [T1547] Boot or Logon AutoStart Execution – After initial execution, the information stealer copies itself into the start-up folder of the user’s machine. ‘After initial execution, the information stealer copies itself into the start-up folder of the user’s machine.’
  • [T1082] System Information Discovery – The stealer collects various system information data points from the victim using cmd.exe. ‘After sending the victim data to the C&C server, the stealer collects various system information data points from the victim using cmd.exe.’
  • [T1016] System Network Configuration Discovery – The stealer retrieves the public IP using ipify and gathers network details as part of its information collection. ‘The stealer gets the public IP of the victim from hxxp://api.ipify[.]org’
  • [T1033] System Owner/User Discovery – UID generation uses the account name from whoami, tying user identity to the victim. ‘and appends the account name generated using the whoami command’
  • [T1046] Network Service Discovery – The malware runs commands such as whoami, arp, ipconfig, etc., to harvest network/configuration data. ‘…commands such as whoami, arp, ipconfig, etc.’
  • [T1518] Software Discovery – The stealer embeds a hardcoded configuration including C2 URL and versioning information. ‘The NoMercy stealer has a hardcoded configuration embedded into the source code. The configuration contains the details such as C&C URL, file name for establishing persistence, version information, etc.’
  • [T1119] Automated Collection – The malware automatically gathers and transmits data after initial execution and C2 registration. ‘After sending all the victim’s information to its C&C server, the malware runs three separate threads for different operations…’
  • [T1056] Input Capture – The stealer captures keystrokes as part of its data collection. ‘continuously send screenshots, keystrokes, webcam photos, and device audio to the C&C server.’
  • [T1125] Video Capture – The stealer captures webcam snapshots as part of its data exfiltration. ‘continuously send screenshots, keystrokes, webcam photos, and device audio to the C&C server.’
  • [T1071] Application Layer Protocol – Data is sent to the C2 server using HTTP-style endpoints with UID/version parameters. ‘hxxp://six-clowns-sing-103-119-240-166.loca[.]lt/a?uid=[public IP]@[Current Username]&version=NoMercy-v1.0’

Indicators of Compromise

  • [MD5] a101aebd7e97dba97311cde683a64a32 – NoMercy Stealer
  • [SHA-1] e010b078904516eeb6c471904d4adc190c6f53fe – NoMercy Stealer
  • [SHA-256] 9ecc76d4cda47a93681ddbb67b642c2e1f303ab834160ab94b79b47381e23a65 – NoMercy Stealer
  • [URL] hxxp://six-clowns-sing-103-119-240-166.loca[.]lt/ – Command and Control
  • [IP] 193.34.76.44 – Command and Control
  • [File name] WindowsKernalDrivers.exe – Startup persistence
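The beacon format quoted under T1071 (uid=[public IP]@[Current Username]&version=NoMercy-v…) and the IoCs above give a defender two complementary hooks: the infrastructure indicators, which stop matching the moment the operator rotates the C2, and the registration-URL pattern, which survives a C2 change. The following script is an added example written for this digest, not code from Cyble or from the stealer; it refangs the page's defanged domain and reuses its hashes and persistence file name verbatim, while the proxy-log format (timestamp, client IP, method, URL) and the log lines themselves are constructed for the example.

```python
"""Defender-side matching of NoMercy stealer IoCs and beacon pattern.

Added example; the log layout and sample entries are constructed.
IoC values are taken from the digest above.
"""
import ntpath
import re
from urllib.parse import parse_qs, urlsplit

# Infrastructure IoCs from the digest, refanged from hxxp / [.] notation.
C2_DOMAIN = "six-clowns-sing-103-119-240-166.loca.lt"
C2_IP = "193.34.76.44"
PERSISTENCE_FILENAME = "WindowsKernalDrivers.exe"   # spelling as reported
KNOWN_HASHES = {
    "a101aebd7e97dba97311cde683a64a32",                                   # MD5
    "e010b078904516eeb6c471904d4adc190c6f53fe",                           # SHA-1
    "9ecc76d4cda47a93681ddbb67b642c2e1f303ab834160ab94b79b47381e23a65",   # SHA-256
}

# Registration beacon: /a?uid=<public IP>@<username>&version=NoMercy-v<x.y>
UID_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})@(?P<user>.+)$")
VERSION_RE = re.compile(r"^NoMercy-v\d+(?:\.\d+)*$")


def classify_url(url):
    """Return a finding dict if the URL looks like a NoMercy beacon, else None.

    Two independent signals: the host is a known C2 (brittle, but high
    confidence) or the query carries the <ip>@<user> uid plus a NoMercy-v
    version string (behavioural, still fires after the C2 is rotated).
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    qs = parse_qs(parts.query)
    uid = qs.get("uid", [""])[0]
    version = qs.get("version", [""])[0]

    reasons = []
    if host in (C2_DOMAIN, C2_IP):
        reasons.append("known-c2-host")
    m = UID_RE.match(uid)
    if m and VERSION_RE.match(version):
        reasons.append("nomercy-beacon-pattern")
    if not reasons:
        return None
    return {
        "host": host,
        "victim_ip": m.group("ip") if m else None,
        "victim_user": m.group("user") if m else None,
        "version": version or None,
        "reasons": reasons,
    }


def scan_proxy_log(lines):
    """Return [(line_no, finding)] for lines whose URL field matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:          # malformed line: skip rather than crash
            continue
        finding = classify_url(fields[3])
        if finding:
            hits.append((n, finding))
    return hits


def match_hash(digest):
    """True if an MD5/SHA-1/SHA-256 hex digest (any case) is a known sample."""
    return digest.strip().lower() in KNOWN_HASHES


def is_suspicious_startup_entry(path):
    """Flag the file name reported for startup-folder persistence."""
    return ntpath.basename(path).lower() == PERSISTENCE_FILENAME.lower()


# Constructed proxy log: line 1 hits both signals, line 3 only the beacon
# pattern (different host, newer version), lines 2 and 4 are benign. The
# ipify lookup on line 2 is deliberately not flagged on its own: far too
# many legitimate programs query it.
SAMPLE_PROXY_LOG = [
    "2022-07-07T10:00:01Z 10.0.0.5 GET http://six-clowns-sing-103-119-240-166.loca.lt/a?uid=203.0.113.7@alice&version=NoMercy-v1.0",
    "2022-07-07T10:00:02Z 10.0.0.5 GET https://api.ipify.org/",
    "2022-07-07T10:00:03Z 10.0.0.9 GET http://example.com/a?uid=198.51.100.4@bob&version=NoMercy-v1.1.0",
    "2022-07-07T10:00:04Z 10.0.0.9 GET https://example.org/index.html",
]

if __name__ == "__main__":
    for line_no, finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(line_no, finding)
```

The uid value doubles as victim context for triage: the public IP and account name the stealer embeds in its own registration request are exactly what an incident responder needs to identify the affected host, so the finding dict carries them through rather than just flagging the line.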

Read more: https://blog.cyble.com/2022/07/07/nomercy-stealer-adding-new-features/