Cybersecurity researchers have recently discovered two highly sophisticated information stealers: NS-STEALER and Chaes malware. These malware strains utilize various techniques to infiltrate systems and collect sensitive data.

Description

NS-STEALER is a Java-based information stealer that operates through a Discord bot channel [1]. It is distributed in ZIP archives that pose as cracked software. Once installed, it uses a rogue Windows shortcut file to deploy a malicious JAR file. NS-STEALER then creates a designated folder to store stolen data, including screenshots [1] [3] [4] [5] [6], cookies [1] [3] [4] [5] [6], credentials [1] [4] [5] [6], autofill data [1] [5] [6], system information [1] [2] [3] [4] [5] [6], and a list of installed programs [1] [3]. It also gathers session data from popular platforms like Discord, Steam [3] [6], and Telegram [3] [6]. The stolen information is discreetly sent to the Discord bot channel for further exploitation.
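A triage check for the delivery chain described above, as an added example that is not from the original article or the cited research: it flags ZIP archives that contain a Windows shortcut, including one hidden behind another extension, and escalates when a JAR is present too. The function names, verdict labels and sample archives are constructed for illustration, and it assumes the JAR may ship inside the same archive, which the article does not state.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C + LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")


def is_jar(blob: bytes) -> bool:
    """A JAR is a ZIP that carries META-INF/MANIFEST.MF."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as inner:
            return "META-INF/MANIFEST.MF" in inner.namelist()
    except zipfile.BadZipFile:
        return False


def triage_archive(data: bytes) -> dict:
    """List shortcut and JAR entries; verdict labels are this example's own."""
    found = {"shortcuts": [], "jars": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name, blob = info.filename, zf.read(info)
            # Content check catches shortcuts hidden behind another extension.
            if blob.startswith(LNK_MAGIC) or name.lower().endswith(".lnk"):
                found["shortcuts"].append(name)
            elif name.lower().endswith(".jar") or is_jar(blob):
                found["jars"].append(name)
    if found["shortcuts"]:
        found["verdict"] = "block" if found["jars"] else "review"
    return found


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real malware: a header-only shortcut and an empty JAR.
FAKE_LNK = LNK_MAGIC + b"\x00" * 56
FAKE_JAR = build_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
LURE = build_zip({"Setup.lnk": FAKE_LNK, "data/app.bin": FAKE_JAR})
DISGUISED = build_zip({"readme.txt": FAKE_LNK})
BENIGN = build_zip({"notes.txt": b"release notes"})
if __name__ == "__main__":
    print([triage_archive(s)["verdict"] for s in (LURE, DISGUISED, BENIGN)])
```

When scanning untrusted archives, cap the bytes read per entry rather than reading each entry whole as this example does.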

Similarly, the developers of Chaes malware have released an update to their information stealer [5]. This update enhances the Chronod module, enabling it to effectively steal login credentials and intercept crypto transactions. Chaes malware is distributed through email lures with legal-themed content, primarily in Portuguese. It targets systems with a Java Runtime Environment (JRE) and uses X509Certificate for authentication [2]. Threat actors commonly use Discord webhook bots for stealer activities. This threat is expected to spread further [2], putting more users at risk.

Conclusion

The discovery of NS-STEALER and the updated Chaes malware highlights the evolving sophistication of information stealers. These threats pose significant risks to individuals and organizations, as they can collect sensitive data and compromise security. Mitigations should include regular software updates, strong email security measures, and user education to avoid falling victim to these types of attacks. As cybercriminals continue to develop and distribute such malware, it is crucial for cybersecurity professionals to stay vigilant and adapt their defenses accordingly.

References

[1] https://owasp.or.id/2024/01/22/ns-stealer-uses-discord-bots-to-exfiltrate-your-secrets-from-popular-browsers/
[2] https://www.infostealers.com/article/java-based-sophisticated-stealer-using-discord-bot-as-eventlistener/
[3] https://healsecurity.com/ns-stealer-uses-discord-bots-to-exfiltrate-your-secrets-from-popular-browsers/
[4] https://vulners.com/thn/THN:D50E1557FED2A13FB673767296D078FB
[5] https://thehackernews.com/2024/01/ns-stealer-uses-discord-bots-to.html
[6] https://www.thefunnier.net/ns-stealer-makes-use-of-discord-bots-to-exfiltrate-your-secrets-and-techniques-from-common-browsers/