SapphireStealer Malware: A Gateway to Espionage and Ransomware Operations

SapphireStealer Malware

An open-source .NET-based information stealer malware dubbed SapphireStealer is being used by multiple entities to enhance its capabilities and spawn their own bespoke variants.

“Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for additional attacks, including operations related to espionage or ransomware/extortion,” Cisco Talos researcher Edmund Brumaghin said in a report shared with The Hacker News.

An entire ecosystem has developed over time that allows both financially motivated and nation-state actors to use services from purveyors of stealer malware to carry out various kinds of attacks.

Viewed in that light, such malware not only represents an evolution of the cybercrime-as-a-service (CaaS) model, they also offer other threat actors to monetize the stolen data to distribute ransomware, conduct data theft, and other malicious cyber activities.

SapphireStealer is a lot like other stealer malware that have increasingly cropped up on the dark web, equipped with features to gather host information, browser data, files, screenshots, and exfiltrate the data in the form of a ZIP file via Simple Mail Transfer Protocol (SMTP).

But the fact that its source code was published for free in late December 2022 has enabled miscreants to experiment with the malware and make it difficult to detect. This includes the addition of flexible data exfiltration methods using a Discord webhook or Telegram API.

“Multiple variants of this threat are already in the wild, and threat actors are improving on its efficiency and effectiveness over time,” Brumaghin said.

The malware author has also made public a .NET malware downloader, codenamed FUD-Loader, which makes it possible to retrieve additional binary payloads from attacker-controlled distribution servers.

Talos said it detected the malware downloader being used in the wild to deliver remote administration tools like DCRat, njRAT, DarkComet, and Agent Tesla.

The disclosure comes a little over a week after Zscaler shared details of another stealer malware called Agniane Stealer that’s capable of plundering credentials, system information, session details from browsers, Telegram, Discord, and file transfer tools, as well as data from over 70 cryptocurrency extensions and 10 wallets.

It’s offered for sale for $50 a month (no lifetime license) on several dark web forums and a Telegram channel.

“The threat actors responsible for Agniane Stealer utilize packers to maintain and regularly update the malware’s functionality and evasions features,” security researcher Mallikarjun Piddannavar said.



Original Source



A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

 To keep up to date follow us on the below channels.