Open-Source Stealer Widely Abused by Threat Actors

The threat of InfoStealers is widespread and has been frequently employed by various Threat Actors (TAs) to launch attacks and make financial gains. Until now, the primary use of stealers by TAs has been to sell logs or to gain initial entry into a corporate network. Recently, however, TAs have started exploiting this type of malware to disseminate crypto scams through YouTube channels.

TAs successfully hacked a YouTube channel that had over 10 million subscribers and removed the original content of the channel, replacing it with two videos promoting cryptocurrency scams. According to reports, the TAs gained access to the YouTube account by stealing session cookies. It is believed that stealer malware might have been involved in the attack.

Recently, Cyble Research and Intelligence Labs (CRIL) discovered a phishing site mimicking a cryptocurrency mining platform that was spreading Creal Stealer. The figure below shows the phishing site.

This site was hosting the stealer payload on Dropbox at hxxps//

The stealer binary (SHA-256: f3197e998822bc45cb9f42c8b153c59573aad409da01ac139b7edd8877600511) is compiled using PyInstaller, indicating that the stealer is coded in Python.

Figure 2 – File Details

After extracting the contents of the PyInstaller-compiled file, we spotted a PYC file dubbed ‘Creal’. The figure below shows the extracted files.

Figure 3 – Creal Stealer PYC File

Further investigation revealed that this stealer’s source code and builder were also available on a GitHub repository. The figure below shows the Creal Stealer GitHub repository.

We have also observed nearly 50 samples in the wild, indicating that the TAs were actively utilizing the open-source code to infect unsuspecting users.

Technical Analysis

During the initial execution, the stealer identifies whether it is being run in a controlled environment.
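The triage step described above (confirming that the sample is a PyInstaller bundle and pulling the ‘Creal’ script entry out of it) can be reproduced with a small parser for the PyInstaller CArchive trailer and table of contents. The block below is an added example and is not part of CRIL's analysis or tooling; it runs against a constructed sample archive rather than the real binary, and the Python version, library name and entry names in that sample are assumed values.

```python
import struct
import zlib
# PyInstaller (2.1+) appends a "CArchive" to the bootloader EXE and terminates it with this cookie.
PYINST_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"   # magic, package len, TOC offset, TOC len, python version, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes
ENTRY_FMT = "!iIIIBc"       # entry len, data offset, compressed len, uncompressed len, flag, type
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)     # 18 bytes, followed by a NUL-terminated entry name

def parse_pyinstaller_archive(data: bytes):
    """Locate the cookie and walk the TOC; returns None if data is not a PyInstaller binary."""
    pos = data.rfind(PYINST_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(COOKIE_FMT, data[pos:pos + COOKIE_SIZE])
    start = pos + COOKIE_SIZE - pkg_len       # absolute file offset where the archive begins
    if start < 0:
        return None
    toc, entries, i = data[start + toc_off:start + toc_off + toc_len], [], 0
    while i + ENTRY_SIZE <= len(toc):
        elen, off, clen, ulen, flag, typ = struct.unpack(ENTRY_FMT, toc[i:i + ENTRY_SIZE])
        if elen <= ENTRY_SIZE:
            break                              # corrupt TOC: stop instead of looping forever
        name = toc[i + ENTRY_SIZE:i + elen].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "type": typ.decode(), "compressed": bool(flag),
                        "offset": start + off, "csize": clen, "usize": ulen})
        i += elen
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)  # 311 -> 3.11; old builds 37 -> 3.7
    return {"python": f"{major}.{minor}", "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}

def extract_entry(data: bytes, entry: dict) -> bytes:
    """Copy one TOC entry out of the file, inflating it when PyInstaller zlib-compressed it.
    Type 's' entries (entry-point scripts such as 'Creal') are .pyc bodies without the pyc header."""
    raw = data[entry["offset"]:entry["offset"] + entry["csize"]]
    return zlib.decompress(raw) if entry["compressed"] else raw

def build_sample_archive(entries, pyver=311, pylib=b"python311.dll") -> bytes:
    """Constructed test input: a fake PE stub plus a minimal CArchive (no real malware bytes)."""
    blobs, toc, off = b"", b"", 0
    for name, typecode, payload, compress in entries:
        body, nm = (zlib.compress(payload) if compress else payload), name.encode() + b"\0"
        toc += struct.pack(ENTRY_FMT, ENTRY_SIZE + len(nm), off, len(body), len(payload),
                           int(compress), typecode) + nm
        blobs, off = blobs + body, off + len(body)
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, len(blobs) + len(toc) + COOKIE_SIZE,
                         len(blobs), len(toc), pyver, pylib)
    return b"MZ<fake bootloader stub>" + blobs + toc + cookie

# Constructed sample mirroring the observed layout: a PYZ archive plus one script entry
SAMPLE = build_sample_archive([("PYZ-00.pyz", b"z", b"PYZ\0fake archive", True), ("Creal", b"s", b"\0fake pyc", False)])
```

Entries of type 's' are the bundled entry-point scripts, which is where a script name such as ‘Creal’ surfaces when the parser is run over a real sample.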