SamsStealer is a 32-bit, .NET-based Windows information stealer that collects passwords, cookies, session data and cryptocurrency wallet files from a range of browsers and applications, stages them as text files in the Temp directory, zips them into Backup.zip, uploads the archive to gofile.io and sends the resulting download link to the operator over Telegram. It is distributed through the SamsExploit Telegram channel, gathers data concurrently to shorten its run time, and deletes its staging files once the archive has been built. #SamsStealer #SamsExploit #Telegram #gofileio #Discord
Keypoints
- CYFIRMA identified a new information stealer binary named “SamsStealer” propagating in Telegram.
- It targets a wide range of browsers and crypto wallets to exfiltrate passwords, cookies, and wallet data.
- The malware creates a temporary folder in the system Temp directory where the collected data is staged as text files before exfiltration.
- Asynchronous operations and concurrency are used to speed data collection, with cleanup of unnecessary files.
- Exfiltration chain: data is zipped into Backup.zip, uploaded to gofile.io, and the download link is sent to the attacker via Telegram.
- OSINT indicates multiple SamsStealer samples since April 24, and the campaign is linked to the SamsExploit Telegram channel.
- Crypto wallets targeted include Bitcoin, Ethereum, Zcash, and others; attackers can access private keys and wallet data.
MITRE Techniques
- [T1566] Phishing – The report describes the binary being spread through a Telegram channel; initial access by social distribution is inferred from that, as the report does not describe a lure or attachment. “The information stealer binary has been observed propagating in a Telegram channel named ‘SamsExploit’.”
- [T1566.003] Spearphishing via Service – Distribution happens over a third-party messaging service (Telegram) rather than as an e-mail attachment; “The information stealer binary has been observed propagating in a Telegram channel named ‘SamsExploit’.”
- [T1204] User Execution – The stealer is a standalone executable that runs only when the victim launches it; once started it creates its staging folder and hides its own console window before continuing: “It later hides the console window before executing the rest of the code.”
- [T1082] System Information Discovery – The malware gathers IP and general system information, exemplified by obtaining geolocation data via an external service: “Geolocation and IP Identification: It makes an HTTP GET request to the URL ‘http[:]//ip-api[.]com/json/?fields=225545’ to fetch information about the current IP address.”
- [T1005] Data from Local System – The stealer collects passwords, cookies, session data, wallet data, and Discord/Telegram data, storing them in the Temp folder: “The malware makes asynchronous calls to methods to steal passwords and cookies… It retrieves Discord account information, steals wallet information…”
- [T1041] Exfiltration Over C2 Channel – Data is compressed and uploaded to a file-sharing service, then the link is sent to the attacker: “compressing the gathered information into a ZIP file named ‘Backup.zip’… uploads this compressed file to the free online file-sharing service ‘gofile.io’ and sends the download link via the messaging service ‘Telegram’.”
- [T1567.002] Exfiltration to Cloud Storage – The archive is uploaded to the file-hosting service gofile.io (a file host, not a text-paste site) and the operator receives the download link in a Telegram message: “New goat Detected… Download Link: https://gofile.io/xxxxx”
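The chain in the keypoints and technique entries above (staging under Temp\MyTempFolder, Backup.zip, the ip-api.com lookup, the gofile.io upload and the Telegram message) is made of observables that are individually noisy, since ip-api.com, gofile.io and Telegram all have legitimate users. The following Python is an added detection example, not code from the CYFIRMA report or from the SamsStealer sample: it correlates those observables per process over Sysmon-style JSON telemetry and fires only when one process completes the chain inside a short window. Assumptions are labelled in comments: the telemetry carries Sysmon field names (EventID, ProcessGuid, UtcTime, TargetFilename, QueryName, Image), the five-minute window, the gofile.io hostname pattern, and the sample records and process names, which are constructed for this example.

```python
"""Correlate SamsStealer staging and exfiltration observables per process."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Observable stages of the chain: (stage, Sysmon EventID, field, pattern).
# Event IDs: 11 = FileCreate, 22 = DnsQuery. Paths and hostnames come from the
# report; tying events together by ProcessGuid assumes Sysmon-style telemetry.
STAGES = [
    ("staging_dir", 11, "TargetFilename",
     re.compile(r"\\AppData\\Local\\Temp\\MyTempFolder\\", re.I)),
    ("staging_zip", 11, "TargetFilename",
     re.compile(r"\\AppData\\Local\\Temp\\Backup\.zip$", re.I)),
    ("geo_lookup", 22, "QueryName", re.compile(r"^ip-api\.com$", re.I)),
    ("upload", 22, "QueryName", re.compile(r"(^|\.)gofile\.io$", re.I)),
    ("telegram", 22, "QueryName", re.compile(r"^api\.telegram\.org$", re.I)),
]
WINDOW = timedelta(minutes=5)  # assumption: the whole chain runs within minutes
REQUIRED = {"staging_zip", "upload", "telegram"}  # exfil legs; other stages add confidence


def parse_event(line: str) -> dict:
    """Parse one JSON record; Sysmon writes UtcTime as 'YYYY-MM-DD HH:MM:SS.fff'."""
    ev = json.loads(line)
    ev["_ts"] = datetime.fromisoformat(ev["UtcTime"])
    return ev


def correlate(lines) -> dict:
    """Map ProcessGuid -> alert for each process completing the chain inside WINDOW."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for stage, event_id, field, pattern in STAGES:
            if ev["EventID"] == event_id and pattern.search(ev.get(field, "")):
                hits[ev["ProcessGuid"]].append((ev["_ts"], stage, ev.get("Image", "")))

    alerts = {}
    for guid, events in hits.items():
        events.sort()
        # Slide a WINDOW-wide window over the process's hits and alert on the
        # first window that contains every REQUIRED stage.
        for i, (start, _, image) in enumerate(events):
            stages = {s for t, s, _ in events[i:] if t - start <= WINDOW}
            if REQUIRED <= stages:
                alerts[guid] = {"image": image, "stages": sorted(stages),
                                "start": start.isoformat(sep=" ")}
                break
    return alerts


def _ev(event_id, guid, utc, image, **fields):
    """Build one constructed Sysmon-like JSON record (sample data, not real telemetry)."""
    rec = {"EventID": event_id, "ProcessGuid": guid, "UtcTime": utc, "Image": image}
    rec.update(fields)
    return json.dumps(rec)


# Constructed names: the report gives no executable name for the sample.
STEALER = r"C:\Users\alice\Downloads\stealer.exe"
BROWSER = r"C:\Program Files\Mozilla Firefox\firefox.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"

# Constructed sample log: a stealer process that completes the chain, a browser
# that legitimately resolves gofile.io and Telegram, and a process whose Telegram
# contact falls outside the window and therefore must not alert.
SAMPLE_LOG = [
    _ev(11, "{MAL}", "2024-05-01 10:00:01.100", STEALER,
        TargetFilename=TEMP + r"\MyTempFolder\Passwords.txt"),
    _ev(22, "{MAL}", "2024-05-01 10:00:02.000", STEALER, QueryName="ip-api.com"),
    _ev(11, "{MAL}", "2024-05-01 10:00:20.500", STEALER, TargetFilename=TEMP + r"\Backup.zip"),
    _ev(22, "{MAL}", "2024-05-01 10:00:21.000", STEALER, QueryName="store1.gofile.io"),
    _ev(22, "{MAL}", "2024-05-01 10:00:25.000", STEALER, QueryName="api.telegram.org"),
    _ev(22, "{BROWSER}", "2024-05-01 10:01:00.000", BROWSER, QueryName="gofile.io"),
    _ev(22, "{BROWSER}", "2024-05-01 10:01:30.000", BROWSER, QueryName="api.telegram.org"),
    _ev(11, "{SLOW}", "2024-05-01 10:10:00.000", STEALER, TargetFilename=TEMP + r"\Backup.zip"),
    _ev(22, "{SLOW}", "2024-05-01 10:10:01.000", STEALER, QueryName="api.gofile.io"),
    _ev(22, "{SLOW}", "2024-05-01 10:20:00.000", STEALER, QueryName="api.telegram.org"),
]

if __name__ == "__main__":
    for guid, alert in correlate(SAMPLE_LOG).items():
        print(guid, alert)
```

Only the `{MAL}` process alerts: the browser never writes Backup.zip, and the `{SLOW}` process never shows all three required legs within five minutes. Treat the staging folder and the ip-api.com lookup as confidence boosters rather than requirements, since a repacked build can rename the folder or drop the geolocation step while the upload and notification legs are what the operator actually depends on.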
Indicators of Compromise
- [MD5] 83f94302ae92909bc3b2834a5342d4a5 – SamsStealer sample
- [MD5] 824e149b9c2bdd5dbe37f472533230af – Other Sample
- [URL] http://ip-api.com/json/?fields=225545 – Geolocation/IP identification data retrieval
- [Domain] gofile.io – used for hosting exfiltrated data
- [File Path] C:\Users\Username\AppData\Local\Temp\MyTempFolder – staging area for stolen data
- [File Path] C:\Users\Username\AppData\Local\Temp\Backup.zip – exfiltration ZIP archive
- [Telegram Channel] SamsExploit – distribution channel for SamsStealer