Unmasking AsukaStealer: The $80 Malware Threatening Your Digital Security – Blogs on Information Technology, Network & Cybersecurity | Seqrite

AsukaStealer is a C++ malware marketed on a Russian-language cybercrime forum by the alias ‘breakcore’ and offered for $80/month, a fee that covers deployment and management of its malicious capabilities. It targets Gecko- and Chromium-based browsers (Firefox, Chrome, Edge) and other applications to exfiltrate cookies, saved logins, wallet data, and more, while also downloading a Coinminer and taking screenshots.

Keypoints

  • AsukaStealer is marketed on a Russian-language cybercrime forum by the alias “breakcore,” with a monthly service fee of $80.
  • It targets both Gecko- and Chromium-based browsers (e.g., Mozilla Firefox, Google Chrome, Microsoft Edge) to harvest extension data, cookies, and saved login credentials.
  • Beyond browsers, it seeks data from cryptocurrency wallets, FTP clients, messaging apps (Discord and Telegram), and gaming software (Steam).
  • The malware can exfiltrate files and take screenshots, extending its data-theft reach beyond browser data.
  • It uses API hashing and contains base64-encoded and hexadecimal values, including a decoded C2 address (hxxp://5.42.66.25:3000/) and a downloadable configuration file from the C2 server.
  • Desktop version, language ID, OS details, CPU, RAM, time zone, and other system information are collected, with a location check targeting certain countries.
  • Data is stored with UUID-based indexing, and a Coinminer component is downloaded and executed from the temp folder.

MITRE Techniques

  • [T1027] Obfuscated/Compressed Data – The malware uses base64-encoded and hexadecimal values to hide data and decodes a C2 address: ‘After decoding the c2c address is hxxp://5.42.66.25:3000/.’
  • [T1555.003] Credentials in Web Browsers – It collects login details like cookies, passwords, and web data from browsers: ‘It also tries to collect login details like cookies, passwords, and web Data of browsers.’
  • [T1082] System Information Discovery – It collects desktop version and language ID and checks geographic origin: ‘It tries to collect desktop version and language ID and checks if they are from Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Ukraine, or Russia.’
  • [T1539] Steal Web Session Cookie – It attempts to steal cookies and related browser data: ‘Steal Web Session Cookie.’
  • [T1528] Steal Application Token – It references stealing application tokens: ‘Steal Application Token.’
  • [T1113] Screen Capture – It takes screenshots: ‘Screen Capture.’
  • [T1041] Exfiltration Over C2 – It transmits collected data to the C2: ‘transmits crucial files for decrypting browser data, including cookies.sqlite, logins.json, cert9.db, and key4.db.’
  • [T1071.001] Web Protocols – C2 communications over HTTP: ‘C2 address hxxp://5.42.66.25:3000/.’
  • [T1496] Resource Hijacking – It downloads and executes a Coinminer: ‘downloads the Coinminer file, saves it in a temp folder with the name tempik22814838.exe, and executes it.’

Indicators of Compromise

  • [Hash] AsukaStealer – 24bb4fc117aa57fd170e878263973a392d094c94d3a5f651fad7528d5d73b58a
  • [Hash] Coinminer – 6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4
  • [URL] C2/Config server – hxxp://5.42.66.25:3000/
  • [File] Coinminer binary – tempik22814838.exe (saved in temp folder and executed)

Read more: https://www.seqrite.com/blog/unmasking-asukastealer-the-80-malware-threatening-your-digital-security/