A Java-based stealer has been spotted today over compromised YouTube accounts. The log file produced by this malware was stored in the Temp directory, and that's how I could retrieve the name of this stealer.
Analysis https://workupload.com/file/FJBNwrgMrXQ Malicious activity - Interactive analysis ANY.RUN
MalwareBazaar | SHA256 5286e612ca35302536507939d609b47dac54b42b6c76238ab2aee60ec6204a0c (abuse.ch)
I'm not sure about the exfiltration method, but I'm sure some rules can be written to add detection for this emerging threat.
Hey @g0njxa - I’m looking now and will give you an update once I find something.
Okay, this is what I’ve got. I wasn’t able to get the sample to perform the exfiltration, but I believe it is going to use Discord because it has this Java Discord API embedded within the .jar, and I observed DNS queries to Discord in my lab.
I also found these classes under the title “execchain.noom1337” which is probably where most of the malicious code is but I haven’t made much progress making sense of it all.
Based on the way that the archives are formatted the following sigs should already detect the exfiltration but I also created two new signatures that match the archive name format that is specific to nstealer. I’ll share the new sigs later today after they go live.
2029846 - ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
2035015 - ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
2035016 - ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
2843856 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
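The sigs listed above key on an archive entry name appearing in the body of an outbound POST. As an added illustration of that detection idea (my own code, not the content of any ET rule and not from anyone in this thread), the Python below scans a captured request body for ZIP local file headers and flags stealer-style entry names; the request, the host name and the archive contents are constructed for the demo.

```python
import io
import re
import struct
import zipfile

# Entry names typical of stealer exfil archives; the rules above key on
# names like these (this regex is my own approximation, not rule content).
SUSPICIOUS_NAMES = re.compile(r"^(passwords\.txt|screenshot\.[a-z0-9]+)$", re.IGNORECASE)

def zip_entry_names(body: bytes):
    """Yield filenames from every ZIP local file header found in a POST body.
    Scans for the PK\\x03\\x04 magic instead of trusting the body to be a
    well-formed archive, so multipart wrappers and junk prefixes are fine."""
    pos = 0
    while True:
        pos = body.find(b"PK\x03\x04", pos)
        if pos < 0 or pos + 30 > len(body):
            return
        # Local file header is 30 fixed bytes; filename length sits at offset 26.
        (name_len,) = struct.unpack_from("<H", body, pos + 26)
        name = body[pos + 30:pos + 30 + name_len]
        yield name.decode("utf-8", "replace")
        pos += 30 + name_len

def suspicious_zip_names(body: bytes):
    """Return entry names (basename matched) that look like stealer loot."""
    return [n for n in zip_entry_names(body)
            if SUSPICIOUS_NAMES.match(n.rsplit("/", 1)[-1])]

def build_sample_post() -> bytes:
    """Constructed sample: a multipart POST carrying a small stealer-style archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Passwords.txt", "example\n")
        zf.writestr("screenshot.png", b"\x89PNG fake")
        zf.writestr("readme.txt", "benign")
    archive = buf.getvalue()
    return (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
            b"Content-Type: multipart/form-data; boundary=xyz\r\n\r\n"
            b"--xyz\r\nContent-Disposition: form-data; name=\"file\"; filename=\"log.zip\"\r\n\r\n"
            + archive + b"\r\n--xyz--\r\n")

if __name__ == "__main__":
    print(suspicious_zip_names(build_sample_post()))
```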
Here are those sigs from today’s release
2048229 - ET MALWARE Win32/nstealer CnC Exfiltration (POST) M1
2048230 - ET MALWARE Win32/nstealer CnC Exfiltration (POST) M2