HANNIBAL Stealer: A Rebranded Threat Born from Sharp and TX Lineage

The Hannibal Stealer is a new variant of information-stealing malware that targets various online services and sensitive data. Developed in C# and operating on the .NET Framework, it extracts information from browsers and applications while circumventing security measures. This malware showcases modular capabilities in gathering credentials, cryptocurrency wallet information, and other sensitive details, highlighting an evolving threat landscape. Affected: individuals, organizations, cryptocurrency wallet users, VPN service users.

Key points:

  • Hannibal Stealer is a rebranded variant of previous stealers, Sharp and TX.
  • The malware targets and exfiltrates data from browsers, cryptocurrency wallets, FTP clients, and VPNs.
  • It employs advanced techniques like clipboard hijacking and geofencing to evade detection.
  • Control is managed through a dedicated C2 panel enabling streamlined data exfiltration.
  • Hannibal Stealer was actively promoted on multiple forums and Telegram channels.
  • It is offered on a subscription model through which attackers gain access to its services.
  • It uses social engineering, aligning itself with hacktivist agendas, potentially to draw in users.
  • Its current operational structure includes active panels that give operators real-time access to stolen data.

MITRE Techniques:

  • Execution: T1047 – Windows Management Instrumentation for system profiling.
  • Execution: T1106 – Native API calls to execute functions within the malware.
  • Execution: T1129 – Shared Modules for code reuse within the malware.
  • Privilege Escalation: T1055 – Process Injection to manipulate running processes.
  • Credential Access: T1003 – OS Credential Dumping from multiple sources.
  • Collection: T1005 – Data from Local System by extracting targeted files.
  • Exfiltration: T1041 – Exfiltration Over Command-and-Control Channel for sending stolen data.

Indicators of Compromise:

  • [SHA256] f69330c83662ef3dd691f730cc05d9e4439666ef363531417901a86e7c4d31c8
  • [SHA256] 251d313029b900f1060b5aef7914cc258f937b7b4de9aa6c83b1d6c02b36863e
  • [URL] hxxp://45[.]61[.]151[.]60/login/
  • [URL] 45[.]61[.]141[.]160:8001/login/
  • [Domain] www[.]hannibal[.]dev
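The indicators above are published defanged (hxxp, [.]), so they cannot be pasted straight into a detection rule. The following is an added example, not part of the CYFIRMA report and not related to the malware's own code: it refangs the listed network indicators, extracts the host from each, and sweeps a handful of constructed proxy, DNS and EDR log lines (not real telemetry) for the hosts and the two SHA256 hashes. Host matching is bounded so that a longer IP such as 145.61.151.60 does not produce a false hit on 45.61.151.60.

```python
import re
from urllib.parse import urlparse

# File hashes as listed on the page.
HASH_IOCS = {
    "f69330c83662ef3dd691f730cc05d9e4439666ef363531417901a86e7c4d31c8",
    "251d313029b900f1060b5aef7914cc258f937b7b4de9aa6c83b1d6c02b36863e",
}

# Network indicators kept in the defanged form they were published in;
# they are only refanged in memory at scan time.
DEFANGED_NETWORK_IOCS = [
    "hXXp://45.61.151[.60]/login/",
    "45[.]61.141.160:8001/login/",
    "www[.]hannibal[.]dev",
]

# Constructed sample log lines for demonstration (not real telemetry).
SAMPLE_LOGS = [
    "2025-05-01T10:02:11Z proxy src=10.0.0.5 dst=45.61.151.60:80 method=POST url=/login/",
    "2025-05-01T10:02:13Z dns query=www.hannibal.dev type=A src=10.0.0.5",
    "2025-05-01T10:03:40Z edr proc=update.exe sha256=251d313029b900f1060b5aef7914cc258f937b7b4de9aa6c83b1d6c02b36863e parent=explorer.exe",
    "2025-05-01T10:04:02Z proxy src=10.0.0.7 dst=145.61.151.60:443 method=GET url=/",
    "2025-05-01T10:05:00Z dns query=www.example.com type=A src=10.0.0.5",
]


def refang(ioc: str) -> str:
    """Undo common defanging: hxxp -> http, [.] -> ., [:] -> :, and the
    '151[.60]' style where the bracket also swallows the next octet."""
    s = re.sub(r"(?i)^hxxp(s?)://", lambda m: f"http{m.group(1).lower()}://", ioc)
    s = s.replace("[.]", ".").replace("[:]", ":")
    s = re.sub(r"\[\.(\d+)\]", r".\1", s)
    return s


def host_of(ioc: str) -> str:
    """Return the lowercase host (domain or IP, port stripped) of a defanged IoC."""
    s = refang(ioc)
    if "://" not in s:
        s = "http://" + s  # urlparse needs a scheme to populate hostname
    return urlparse(s).hostname.lower()


def scan_logs(lines):
    """Return (line_no, kind, ioc) for every indicator hit in the given lines."""
    hosts = {host_of(ioc): ioc for ioc in DEFANGED_NETWORK_IOCS}
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for host, raw in hosts.items():
            # Lookarounds keep '45.61.151.60' from matching inside '145.61.151.60'
            # or '45.61.151.600'; ':' and '/' after the host are still allowed.
            if re.search(rf"(?<![\w.]){re.escape(host)}(?![\w.])", low):
                hits.append((n, "network", raw))
        for sha in HASH_IOCS:
            if sha in low:
                hits.append((n, "hash", sha))
    return hits


if __name__ == "__main__":
    for line_no, kind, ioc in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} indicator matched -> {ioc}")
```

Only lines 1, 2 and 3 of the sample set should match; line 4 carries a superstring of the first IP and must stay silent, which is the edge case a naive substring check gets wrong.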

Full Story: https://www.cyfirma.com/research/hannibal-stealer-a-rebranded-threat-born-from-sharp-and-tx-lineage/