Rapid7 specialists have discovered a new malware called SantaStealer, which is being actively promoted on Telegram channels and hacker forums. The malware is marketed as running exclusively in RAM, which in theory should help it evade detection by traditional security solutions.
The investigation revealed that SantaStealer is a rebranded version of the BluelineStealer project. The malware's developer, presumably Russian, plans to officially launch the service by the end of this year. Potential SantaStealer customers are currently offered two subscription options: a basic one for $175 per month and a premium one for $300 per month.
The researchers report that they were able to access the service's administrative panel and analyze several malware samples. The findings were unexpected: despite the creators' lofty claims about the stealer's difficulty of detection, actual samples turned out to be far from perfect. For example, the malware contains unencrypted strings, does not use obfuscation, and contains original names of functions and global variables, which significantly simplifies analysis.
"Leaking samples at such an early stage of development, when unencrypted data still remains in the code, is a serious operational error that can negate a significant portion of the developers' efforts and indicates a low level of their operational security," the researchers noted.

According to Rapid7, SantaStealer is equipped with 14 specialized data collection modules, each running in a separate thread. The malware is capable of stealing browser passwords, cookies, browsing history, and saved bank card details. It also steals accounts for the Telegram and Discord messengers and the Steam gaming platform, as well as data from cryptocurrency wallets and browser extensions. Furthermore, the stealer can take screenshots of the victim's desktop and copy user documents.
The stolen data is written to memory, packaged into a ZIP archive, and sent to the attackers' command and control server in 10 MB chunks via port 6767.
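The exfiltration pattern described above (a fixed port and a fixed chunk size) is something a defender can look for in flow logs. The script below is an added example, not Rapid7's code or anything taken from the stealer: it scans a constructed flow log for internal hosts that send several outbound flows of roughly 10 MB to the same destination on port 6767. The log format, IP addresses and byte counts are all made up for illustration, and the 5% tolerance covers both 10,000,000-byte and 10 MiB chunk sizes, since the article does not say which the malware uses.

```python
"""Heuristic detection of fixed-size chunked uploads to a single port.

Added example (not Rapid7's code): the article says SantaStealer sends its
ZIP'd loot to the C2 server in 10 MB chunks over port 6767, so we flag any
(src, dst) pair with repeated ~10 MB flows to that port. All sample data
below is constructed for illustration.
"""
from collections import defaultdict

MIB = 1024 * 1024

# Constructed flow log: timestamp src_ip dst_ip dst_port bytes_out
SAMPLE_FLOWS = """\
2025-12-01T10:00:01Z 10.0.0.15 203.0.113.9 6767 10485760
2025-12-01T10:00:04Z 10.0.0.15 203.0.113.9 6767 10485760
2025-12-01T10:00:07Z 10.0.0.15 203.0.113.9 6767 10485760
2025-12-01T10:00:09Z 10.0.0.15 203.0.113.9 6767 3145728
2025-12-01T10:01:00Z 10.0.0.22 198.51.100.4 443 2048
2025-12-01T10:01:30Z 10.0.0.22 198.51.100.4 443 10485760
2025-12-01T10:02:00Z 10.0.0.31 203.0.113.9 6767 512
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def find_chunked_exfil(flows, port=6767, chunk_bytes=10 * MIB,
                       tolerance=0.05, min_chunks=2):
    """Return sorted [(src, dst, full_chunks, total_bytes)] for every
    (src, dst) pair that sent at least `min_chunks` flows whose size is
    within `tolerance` of `chunk_bytes` to `port`.

    A trailing partial chunk (the last piece of the archive) is included
    in total_bytes but not counted as a full chunk, so it neither hides
    the pattern nor triggers on its own.
    """
    per_pair = defaultdict(lambda: {"full": 0, "total": 0})
    lo, hi = chunk_bytes * (1 - tolerance), chunk_bytes * (1 + tolerance)
    for f in flows:
        if f["port"] != port:
            continue
        rec = per_pair[(f["src"], f["dst"])]
        rec["total"] += f["bytes"]
        if lo <= f["bytes"] <= hi:
            rec["full"] += 1
    return sorted((src, dst, r["full"], r["total"])
                  for (src, dst), r in per_pair.items()
                  if r["full"] >= min_chunks)


if __name__ == "__main__":
    for src, dst, n, total in find_chunked_exfil(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {dst}:6767  {n} x ~10 MiB chunks, "
              f"{total / MIB:.1f} MiB total")
```

On the constructed log only 10.0.0.15 is reported: three full chunks plus a 3 MiB tail to 203.0.113.9 on port 6767. The 10 MiB upload on port 443 and the tiny flow on 6767 are ignored. In practice the port and chunk size are parameters because a rebranded build can change both; the repeated-equal-size-upload shape is the more durable signal.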
Furthermore, SantaStealer is reported to have a mechanism to bypass the relatively new App-Bound Encryption security system in the Chrome browser, which was introduced in the summer of 2024.
The malware's control panel offers flexible settings for the builds it produces, from the most aggressive versions that steal everything to highly specialized variants targeting specific types of data. Other options include the ability to exclude computers in CIS countries from the target list, as well as a delayed-launch function designed to complicate analysis.
While SantaStealer is still unfinished and has not yet been widely deployed, experts speculate that in the future, attackers may use the popular ClickFix attack technique, which tricks victims into copying and executing malicious commands in the Windows command line. Classic malware delivery methods also remain popular: phishing emails, pirated software, torrent trackers, malicious advertising, and YouTube comments.