Key points
- Maranhão Stealer is distributed through social engineering websites promoting pirated games, cheats, and cracked launchers (example: hxxps://derelictsgame.in/DerelictSetup.zip).
- The malware is written in Node.js, packaged via Inno Setup, and drops components under a masqueraded “Microsoft Updater” directory in %localappdata%.
- Persistence is achieved through Run registry keys and scheduled tasks; files are hidden via attrib +h +s to evade detection.
- The stealer performs extensive host reconnaissance (WMI queries, ip-api.com geolocation), screen capture, and targeted credential theft from browsers and cryptocurrency wallets.
- It uses reflective DLL injection (NtAllocateVirtualMemory, NtWriteProcessMemory, CreateThreadEx) to extract encrypted browser data and bypass protections like AppBound.
- Exfiltration and C2 communications occur over HTTP(S) to endpoints including api.maranhaogang.fun and IP 104.234.65.186, with endpoints for infect, victim, and upload.
- The malware has evolved from using PsExec and external decryptor tools to embedding that functionality in its own components (infoprocess.exe, written in Go) and creating child processes via Win32 APIs for greater stealth.
MITRE Techniques
- [T1204.002] User Execution – Delivered via trojanized game launchers and pirated software installers.
- [T1547.001] Registry Run Keys/Startup Folder – Creates a Run key via reg.exe to execute Updater.exe at logon (“reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v updater …”).
- [T1055.001] Dynamic-link Library Injection – Injects a reflective DLL payload into the browser’s memory (“injects PAYLOAD_DLL into the browser process using NtAllocateVirtualMemory, NtWriteProcessMemory, and CreateThreadEx”).
- [T1036] Masquerading – Places components in the “Microsoft Updater” directory to appear legitimate (“disguises itself in a directory named ‘Microsoft Updater’ located under %localappdata%\Programs”).
- [T1564.001] Hidden Files and Directories – Uses attrib +h +s to mark files and directories as hidden/system (“attrib +h +s infoprocess.exe … attrib +h +s ‘C:\Users\MalWorkstation\AppData\Local\Programs\Microsoft Updater’”).
- [T1082] System Information Discovery – Executes WMI queries to profile the host (“wmic os get Caption … wmic cpu get Name … wmic csproduct get UUID”).
- [T1614.001] System Location Discovery – Collects geolocation/network data via ip-api.com (“sends a request to ip-api.com/json” to retrieve country, city, ISP, ASN, etc.).
- [T1113] Screen Capture – Uses inline C# within PowerShell to capture screenshots of all connected displays (“uses inline C# code within PowerShell to enumerate all connected displays (Screen.AllScreens) and capture the contents”).
- [T1555.003] Credentials from Web Browsers – Extracts history, cookies, saved logins, and wallet data from browsers (Chrome, Edge, Brave, Opera) (“systematically enumerates user profiles and extracts artifacts such as browsing history, cookies, download records, and saved login credentials”).
- [T1620 / T1055.012] Reflective Code Injection – Injects a reflective loader DLL into browsers using low-level NT APIs (“Reflective DLL injection into browser processes using NtAllocateVirtualMemory and NtWriteProcessMemory”).
- [T1041] Exfiltration Over C2 Channel – Sends collected data to attacker endpoints (104.234.65.186, maranhaogang[.]fun).
- [T1071.001] Application Layer Protocol – Uses HTTP(S) endpoints for infection reporting, victim tracking, and data upload (“hxxps://api.maranhaogang.fun/infect … /victim … /upload”).
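As an added example (not part of this summary or the Cyble report), the following Python triage applies the command-line behaviours quoted above (the updater Run key, the “Microsoft Updater” masquerade path, attrib +h +s hiding, and WMI profiling) to process-creation command lines, so a defender can map hits straight back to the technique IDs. The sample events, the user name and the benign decoy entries are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample process-creation command lines (not taken from the report).
# "alice" is a made-up user; the OneDrive and notes.txt entries are benign decoys.
SAMPLE_EVENTS = [
    r'reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v updater'
    r' /t REG_SZ /d "C:\Users\alice\AppData\Local\Programs\Microsoft Updater\updater.exe"',
    r'attrib +h +s "C:\Users\alice\AppData\Local\Programs\Microsoft Updater"',
    r'wmic csproduct get UUID',
    r'reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive'
    r' /t REG_SZ /d "C:\Program Files\OneDrive\OneDrive.exe"',
    r'attrib +r notes.txt',
]

# One rule per behaviour quoted in the technique list. Rule names carry the
# MITRE ID so a hit can be reported against the matching technique.
RULES = {
    "T1547.001 Run key 'updater' added via reg.exe": re.compile(
        r"\breg(\.exe)?\s+add\s+HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
        r"\s+/v\s+updater\b", re.I),
    "T1036 'Microsoft Updater' masquerade directory": re.compile(
        r"\\AppData\\Local\\Programs\\Microsoft Updater\b", re.I),
    "T1564.001 attrib +h +s hiding": re.compile(
        r"\battrib\b(?=.*\+h)(?=.*\+s)", re.I),
    "T1082 WMI host profiling": re.compile(
        r"\bwmic\s+(os|cpu|csproduct)\s+get\b", re.I),
}


def match_rules(command_line: str) -> List[str]:
    """Names of every rule whose pattern appears in a single command line."""
    return [name for name, pat in RULES.items() if pat.search(command_line)]


def triage(events: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious command line to the rules it triggered; clean lines are dropped."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        names = match_rules(ev)
        if names:
            hits[ev] = names
    return hits


if __name__ == "__main__":
    for cmd, names in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(names)}\n    {cmd}")
```

Feeding real Sysmon Event ID 1 or Windows 4688 command lines into `triage` in place of `SAMPLE_EVENTS` is the intended use.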
Indicators of Compromise
- [SHA-256] Installer/binary hashes – 97813e1c66dc8922b8242d24a7a56409b57ce19c61042ffda93031c43a358b9b (Fnafdoomlauncher.exe) and 1c0fb1550b2ac6173c4861fd2a0dd84d0ddcefeb8aeb33b6ba4dc25d9fefaeb6 (infoprocess/decoder), plus 30+ other related hashes in the full report.
- [Filenames] Trojanized installer filenames observed – Fnafdoomlauncher.exe, VersionX64_Setup.exe (trojanized game launchers and installers).
- [Domains/URLs] Attacker-controlled C2 and API endpoints – hxxps://api.maranhaogang.fun/infect and hxxps://api.maranhaogang.fun/upload (infection reporting and data exfiltration), and the api.maranhaogang.fun domain.
- [IP Address] Command-and-control IP – 104.234.65.186 (used to notify the attacker of a successful infection and transmit host details).
- [File paths] Deployed file locations and artifacts – C:\Users\<user>\AppData\Local\Programs\Microsoft Updater\updater.exe and crypto.key (dropped and used for victim identification and communications).
Read more: https://cyble.com/blog/inside-maranhao-stealer-node-js-powered-infostealer/