Raven Stealer is an information-stealing malware that targets Chromium-based browsers by injecting a DLL in memory and exfiltrates the stolen data through Telegram bots. It is actively developed and distributed by the ZeroTrace Team through GitHub and Telegram channels, giving credential-theft campaigns high stealth and easy deployment. #RavenStealer #ZeroTraceTeam #TelegramC2
Keypoints
- Raven Stealer is developed in Delphi and C++ with a focus on stealth, using UPX packing and running without a visible interface to evade detection.
- The malware targets Chromium-based browsers and extracts passwords, cookies, payment information, autofill data, and cryptocurrency wallet details by hollowing a suspended browser process and reflectively loading its payload DLL into it.
- Data exfiltration is performed in real time: stolen information is sent through a Telegram bot using a chat ID and bot token embedded in the sample.
- ZeroTrace Team maintains active distribution and development, promoting Raven Stealer and similar malware like Octalyn Stealer on GitHub and Telegram.
- The stealer uses a modular architecture with an embedded configuration (bot token and chat ID), so low-skill actors can launch credential theft campaigns with little effort.
- Raven Stealer hides its activity by injecting into a suspended browser process; because the decryption then runs inside the browser's own process, which is the trusted context in which Chromium's App-Bound Encryption allows stored data to be decrypted, the protection is bypassed.
- Structured storage and subsequent ZIP archiving of stolen data enable organized exfiltration and efficient attacker access.
MITRE Techniques
- [T1129] Shared Modules – The main payload is a DLL loaded at runtime rather than a standalone executable; the source notes that the loader '…carries its main payload DLL as a ChaCha20-encrypted resource embedded within itself…'. The runtime decryption and injection of that DLL into a suspended browser process is described more precisely by Process Injection: Process Hollowing (T1055.012) than by Shared Modules.
- [T1542] Pre-OS Boot – Listed in the source's mapping, but the only evidence cited is that 'Pre-OS Boot' and 'Bootkit' appear in the ATT&CK framework text; no bootkit or boot-time persistence behaviour is described for Raven Stealer, so treat this mapping as unsupported.
- [T1027] Obfuscated Files or Information – UPX packing and an encrypted payload DLL hinder static analysis and reverse engineering ('entropy value exceeds 7, indicating packing with UPX'); the encrypted resource falls under the Encrypted/Encoded File sub-technique (T1027.013).
- [T1564.003] Hide Artifacts: Hidden Window – The malware hides its console window by calling the Windows API ShowWindow with SW_HIDE so the user sees nothing on screen.
- [T1057] Process Discovery – Imports Process32NextW and GetCurrentProcessId to enumerate running processes before injection.
- [T1082] System Information Discovery – Cited in the source's mapping, though no specific system-profiling behaviour is described; the enumeration of browser profiles for stored credentials is better described by Credentials from Password Stores: Credentials from Web Browsers (T1555.003).
- [T1071] Application Layer Protocol – Stolen data is sent to the Telegram Bot API over HTTPS ('…data exfiltration via Telegram bot integration'), i.e. Web Protocols (T1071.001) for any command and control and Exfiltration Over Web Service (T1567) for the data itself.
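The entropy threshold quoted under T1027 and the hashes in the IOC list below can be turned into a first-pass static check. The following is an added example, not code from the CYFIRMA report or from the malware: it hashes a sample against the three published SHA-256 values, parses the PE section table and scores each section's Shannon entropy against the report's 'exceeds 7' threshold, and flags UPX section names. The minimal PE images it builds for its own demo are constructed here and are not real samples.

```python
"""Static triage of a suspected Raven Stealer sample (added example, not code
from the CYFIRMA report or from the malware): SHA-256 lookup against the
report's IOC hashes, Shannon entropy of the whole file and of each PE section
against the report's "exceeds 7" threshold, and UPX section names.
Standard library only; the section-table parser is hand-rolled to avoid pefile."""
import hashlib
import math
import random
import struct
from collections import Counter

# SHA-256 hashes quoted in the report's IOC list.
RAVEN_STEALER_SHA256 = {
    "2e0b41913cac0828faeba29aebbf9e1b36f24e975cc7d8fa7f49212e867a3b38": "RavenStealer.exe",
    "28d6fbbdb99e6aa51769bde016c61228ca1a3d8c8340299e6c78a1e004209e55": "v8Axs07p.3mf.exe",
    "252fb240726d9590e55402cebbb19417b9085f08fc24c3846fc4d088e79c9da9": "PAYLOAD_DLL.dll",
}
PACKED_ENTROPY_THRESHOLD = 7.0  # report: "entropy value exceeds 7, indicating packing"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    entropy, n = 0.0, len(data)
    for count in Counter(data).values():
        p = count / n
        entropy -= p * math.log2(p)
    return entropy


def pe_sections(data: bytes) -> list[tuple[str, bytes]]:
    """(name, raw bytes) for each section-table entry; [] if not an MZ/PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        entry = table + 40 * i                            # IMAGE_SECTION_HEADER is 40 bytes
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return sections


def triage(data: bytes) -> dict:
    """Indicators a responder checks first: known hash, entropy, UPX section names."""
    digest = hashlib.sha256(data).hexdigest()
    section_entropy = {n: round(shannon_entropy(raw), 2) for n, raw in pe_sections(data)}
    upx_sections = [n for n in section_entropy if n.upper().startswith("UPX")]
    high_entropy = [n for n, e in section_entropy.items() if e > PACKED_ENTROPY_THRESHOLD]
    return {
        "sha256": digest,
        "known_ioc": RAVEN_STEALER_SHA256.get(digest),   # IOC file name, or None
        "file_entropy": round(shannon_entropy(data), 2),
        "section_entropy": section_entropy,
        "upx_sections": upx_sections,
        "likely_packed": bool(upx_sections or high_entropy),
    }


def build_demo_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Constructed minimal PE image (DOS header, PE signature, COFF header with an
    empty optional header, one section per (name, payload)). Not loadable and not
    a real sample; it exists only so the example runs offline."""
    headers_end = 0x40 + 4 + 20 + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table, body, ptr = b"", b"", headers_end
    for name, payload in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload),
                             0x1000, len(payload), ptr, 0, 0, 0, 0, 0x60000020)
        body += payload
        ptr += len(payload)
    return dos + b"PE\0\0" + coff + table + body


# Constructed inputs: a UPX-style image with a near-random section, and a plain one.
DEMO_PACKED = build_demo_pe([(b"UPX0", b"\0" * 512),
                             (b"UPX1", random.Random(1).randbytes(4096))])
DEMO_CLEAN = build_demo_pe([(b".text", b"\x90" * 200 + bytes(range(64)) * 4)])

if __name__ == "__main__":
    for label, sample in (("packed", DEMO_PACKED), ("clean", DEMO_CLEAN)):
        print(label, triage(sample))
```

A hash hit is conclusive only for the exact samples in the report; the entropy and section-name checks are the part that survives a repack, and they need a real sample (`triage(open(path, "rb").read())`) rather than the constructed images to say anything about a file in the wild.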
Indicators of Compromise
- [File Hashes] Executables and DLLs associated with Raven Stealer – 2e0b41913cac0828faeba29aebbf9e1b36f24e975cc7d8fa7f49212e867a3b38 (RavenStealer.exe), 28d6fbbdb99e6aa51769bde016c61228ca1a3d8c8340299e6c78a1e004209e55 (v8Axs07p.3mf.exe), 252fb240726d9590e55402cebbb19417b9085f08fc24c3846fc4d088e79c9da9 (PAYLOAD_DLL.dll)
- [File Names] Packed payloads carry randomized names (v8Axs07p.3mf.exe in the hash list above is one such name), while the stolen data is written to plain-text files named passwords.txt, payment.txt and autofill.txt.
- [Domains] api.telegram.org – used for command and control communication and data exfiltration via Telegram bot API.
- [File Paths] %Local%\RavenStealer\Chrome, %Local%\RavenStealer\Edge and a Crypto Wallets directory (%Local% denoting the user's local application data folder) – locations where stolen data is staged before being archived and exfiltrated.
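The IOCs above map onto three observable behaviours: a browser process started by the stealer rather than by the user's shell (the suspended-process injection), files written under the RavenStealer staging directory, and HTTPS calls to the bot endpoints on api.telegram.org. The script below is an added example, not code from the report; it runs that logic over constructed sample events in an assumed flat key=value format (map the fields onto Sysmon process-create and file-create events and your proxy logs), and the trusted-parent allowlist is an assumption to tune per environment.

```python
"""Detection logic for the host and network behaviours the report attributes
to Raven Stealer, run over constructed sample events (added example, not code
from the report). The flat key=value event format and the trusted-parent list
are assumptions; map the fields onto Sysmon process/file events and proxy logs."""
import re

BROWSERS = {"chrome.exe", "msedge.exe"}                         # Chromium targets named in the report
TRUSTED_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe"}  # assumed allowlist; tune per estate
LOOT_FILES = {"passwords.txt", "payment.txt", "autofill.txt"}   # stolen-data files from the IOC list
# %Local%\RavenStealer\<Chrome|Edge> staging directories from the IOC list; the
# "Crypto Wallets" subdirectory placement is assumed.
STAGING_DIR = re.compile(r"\\RavenStealer\\(Chrome|Edge|Crypto Wallets)\\", re.IGNORECASE)
# Telegram Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>;
# the secret is roughly 35 characters, so the length range is kept loose.
TELEGRAM_BOT_API = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{30,50})/(\w+)")
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one key=value line; double-quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> list[str]:
    """Return one finding per matched behaviour, or [] for a benign event."""
    findings = []
    kind = event.get("type")
    if kind == "ProcessCreate":
        # Hollowing a suspended browser means the malware, not the user's shell,
        # is the browser's parent process.
        image, parent = basename(event.get("Image", "")), basename(event.get("ParentImage", ""))
        if image in BROWSERS and parent not in TRUSTED_PARENTS:
            findings.append(f"{image} started by unexpected parent {parent}: suspended-process injection candidate")
    elif kind == "NetworkRequest":
        m = TELEGRAM_BOT_API.search(event.get("Url", ""))
        if m:
            # Record the bot id and method but never the secret: it is a live credential.
            findings.append(f"{basename(event.get('Image', ''))} called Telegram Bot API "
                            f"{m.group(3)} for bot {m.group(1)} (token redacted)")
    elif kind == "FileCreate":
        target = event.get("TargetFilename", "")
        if STAGING_DIR.search(target) or basename(target) in LOOT_FILES:
            findings.append(f"stealer staging artefact written: {target}")
    return findings


def scan(lines: list[str]) -> list[tuple[int, str]]:
    """Run detect() over raw lines; returns (1-based line number, finding) pairs."""
    return [(i, f) for i, line in enumerate(lines, 1) for f in detect(parse_event(line))]


# Constructed sample events; only lines 2, 3 and 5 should alert.
SAMPLE_EVENTS = [
    'type=ProcessCreate Image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'type=ProcessCreate Image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" ParentImage="C:\\Users\\alice\\AppData\\Local\\Temp\\v8Axs07p.3mf.exe"',
    'type=FileCreate Image="C:\\Users\\alice\\AppData\\Local\\Temp\\v8Axs07p.3mf.exe" TargetFilename="C:\\Users\\alice\\AppData\\Local\\RavenStealer\\Chrome\\passwords.txt"',
    'type=FileCreate Image="C:\\Windows\\explorer.exe" TargetFilename="C:\\Users\\alice\\Documents\\notes.txt"',
    'type=NetworkRequest Image="C:\\Users\\alice\\AppData\\Local\\Temp\\v8Axs07p.3mf.exe" Url="https://api.telegram.org/bot1234567890:AAHplaceholderTOKENplaceholderTOKEN/sendDocument"',
    'type=NetworkRequest Image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" Url="https://www.example.com/"',
]
FINDINGS = scan(SAMPLE_EVENTS)

if __name__ == "__main__":
    for line_no, finding in FINDINGS:
        print(f"line {line_no}: {finding}")
```

The bot token in the URL is the attacker's credential for the Telegram bot, so the finding deliberately keeps only the numeric bot id and the method; if the proxy logs full URLs, the same pattern locates the token for a takedown request to Telegram without copying it into the alert stream.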
Read more: https://www.cyfirma.com/research/raven-stealer-unmasked-telegram-based-data-exfiltration/