The CYFIRMA report examines The-Murk-Stealer, an open-source infostealer masquerading as an educational tool that can covertly harvest data from browsers, wallets, messaging apps, VPNs, and more, with anti-analysis features and data exfiltration to Discord, Telegram, and XMPP. It also highlights how openly available tooling on GitHub can be repurposed for malicious use, underscoring the need for heightened cybersecurity awareness and defenses. #TheMurkStealer #GitHub #Discord #Telegram #XMPP
Key points
- The malware targets a wide range of data, including browser data, crypto wallets, VPN configurations, game launcher data, and system keys, organizing it into designated folders.
- It steals browser credentials, cookies, and history, decrypting data for potential misuse.
- FTP credentials from FileZilla can be decrypted and exposed, enabling possible unauthorized FTP access.
- Data from messaging apps like WhatsApp, Discord, Skype, and Telegram is harvested and uploaded to a remote server.
- Anti-analysis, anti-debugging, encryption, hidden directories, and UAC bypass are used to evade detection and gain persistence.
- The tool can bypass defenses, escalate privileges, and even mislead analysts with altered metadata and false binary information.
- Open-source availability on GitHub and related platforms fuels misuse by threat actors, highlighting the evolving threat landscape of open-source stealers and RATs.
MITRE Techniques
- [T1566] Phishing – Initial access (TA0001) is obtained through the malicious tooling and its social-engineering delivery, as noted: “The initial access gained through these malicious tools serves as a stepping stone for more severe cyber-attacks.”
- [T1204.002] Malicious File – The builder creates the malicious stealer binary used for deployment: “The interface for the builder … finally builds the binary which an attacker uses for deploying in victim’s environment.”
- [T1059.001] PowerShell – The malware uses PowerShell for data collection and key extraction: “The End function is responsible for preparing the collected data and initiating the exfiltration process.”
- [T1548.002] Bypass User Account Control – The stealer bypasses UAC to elevate privileges: “It bypasses antivirus detection and elevates privileges … It employs a method called UAC bypass…”
- [T1497] Virtualization/Sandbox Evasion – Anti-analysis and anti-debugging measures to evade analysis: “anti-analysis mechanisms … in a controlled environment (e.g., virtual machines, known debugging environments).”
- [T1498] Execution Guardrails – Uses blacklists to avoid analysis and known research environments: “loads various blacklisted data from URLs. These blacklists contain identifiers associated with virtual machines, debugging tools, specific hardware, software, or known analysis environments.”
- [T1555.003] Credentials from Web Browsers – Steals browser credentials and data: “covertly acquires critical data from users’ web browsers, including login credentials, cookies, and browsing history.”
- [T1081] Credentials in Files – Accesses credentials stored in files (e.g., FTP config): “decrypts encrypted FTP credentials from the FileZilla FTP client …”
- [T1083] File and Directory Discovery – Grabs targeted files across drives and creates directories: “grabs files from the victim’s system … organizing them into a designated folder.”
- [T1082] System Information Discovery – Collects comprehensive system data: “gathers general system-related data, such as system information, product keys, Wi-Fi details, and clipboard content.”
- [T1113] Screen Capture – Takes screenshots and stores them: “Automates data collection including screenshots.”
- [T1115] Clipboard Data – Extracts clipboard contents: “clipboard content … saved to a text file.”
- [T1119] Automated Collection – Orchestrates data collection in sequence: “Main: Serves as the main orchestrator, calling the other functions in a sequential manner to execute the entire data collection process.”
- [T1041] Exfiltration Over C2 Channel – Exfiltrates data to remote servers and platforms: “upload the stolen information to a remote server” and “gofile.io” hosting.
- [T1048] Exfiltration Over Alternative Protocol – Uses messaging platforms for exfil: “send a message containing the download link … to Discord Webhook, Telegram, XMPP.”
Indicators of Compromise
- [Domain] gofile.io – Used as an exfiltration/file hosting channel for stolen data.
- [Domain] github.com – Platform hosting the open-source stealers and builder tooling.
- [MD5] de107229b7dcce9c8ff292a76b4d459f – TheMurkBuilder.exe
- [SHA1] 665b449dd635d939e96cf67be61d8bab02c17717 – TheMurkBuilder.exe
- [SHA256] ac11a21b82f999380b9a84cabd0f4c0c4b5ffc3278b127bfcdd4ae1b027dfba3 – TheMurkBuilder.exe
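The three file hashes above can be checked against files on a host directly. The following is an added example written for this summary, not CYFIRMA's tooling or anything from The-Murk-Stealer repository: it hashes a byte string with MD5, SHA-1 and SHA-256 and reports which algorithms match the IoC set, and it can walk a directory tree doing the same for each file. The `MURK_IOC_HASHES` values are copied from the IoC list on this page; the function names and the optional size limit are assumptions of this example.

```python
"""Match file contents against the TheMurkBuilder.exe hashes listed in the IoC section.

Added example for this summary; not part of the CYFIRMA report or the stealer's code.
"""
import hashlib
from pathlib import Path

# File hashes reported for TheMurkBuilder.exe (taken verbatim from the IoC list above).
MURK_IOC_HASHES = {
    "md5": {"de107229b7dcce9c8ff292a76b4d459f"},
    "sha1": {"665b449dd635d939e96cf67be61d8bab02c17717"},
    "sha256": {"ac11a21b82f999380b9a84cabd0f4c0c4b5ffc3278b127bfcdd4ae1b027dfba3"},
}

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict:
    """Return {algorithm: hex digest} for the three algorithms used in the IoC list."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def match_iocs(data: bytes, iocs: dict = MURK_IOC_HASHES) -> list:
    """Return the sorted list of algorithm names whose digest of `data` is in `iocs`.

    An empty list means no indicator matched. Comparing all three digests lets a
    match be reported even when a feed only carries one hash type for a sample.
    """
    digests = hash_bytes(data)
    return sorted(alg for alg, digest in digests.items() if digest in iocs.get(alg, set()))


def scan_tree(root, iocs: dict = MURK_IOC_HASHES, max_size: int = 64 * 1024 * 1024) -> list:
    """Walk `root` and return [(path, [matched algorithms])] for files matching the IoCs.

    Files larger than `max_size` (an assumed limit for this example) are skipped so a
    scan does not read huge archives or disk images into memory; unreadable files are
    skipped silently rather than aborting the whole scan.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            if path.stat().st_size > max_size:
                continue
            data = path.read_bytes()
        except OSError:
            continue
        matched = match_iocs(data, iocs)
        if matched:
            hits.append((str(path), matched))
    return hits


if __name__ == "__main__":
    import sys

    # Usage: python murk_ioc_scan.py <directory>
    for hit_path, algorithms in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"IOC match ({', '.join(algorithms)}): {hit_path}")
```

Hash matching only catches the exact builder binary the report analysed; every stealer the builder produces, and any rebuilt builder, will have different hashes, so this check complements rather than replaces the behavioural signals listed under the MITRE techniques (UAC bypass attempts, hidden directories, and outbound connections to gofile.io, Discord webhooks, Telegram or XMPP).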