‘Angry Stealer’ is a data-stealing malware that abuses Telegram

The “Angry Stealer” malware is being peddled on social media platforms and on messaging apps such as Telegram. The rebranded malware abuses the Telegram API to exfiltrate the data it steals.

A rebranded version of Rage Stealer is being sold online

Identified by the CYFIRMA research team, the Angry Stealer malware is essentially an “info stealer” package. It is concerning to note that the malware appears to have been commoditized.

Threat actors are advertising the malware’s availability on multiple social media platforms, including Telegram. This significantly increases the number of potential attackers and the scope of the malware.

Angry Stealer reportedly targets a wide range of sensitive data. It uses advanced techniques and rebranding tactics, and its attack strategy and processes closely resemble those of the Rage Stealer malware.

According to the security research team at CYFIRMA, Angry Stealer could be a rebranded version of the Rage Stealer malware. This is because there are a lot of similarities in the code, features, functions, and even behavior.

How does the Angry Stealer malware steal data?

Angry Stealer has two main components: “Stepasha.exe” and “MotherRussia.exe.” The creators have crafted the payload in .NET as a 32-bit Win32 executable.

Stepasha.exe attempts to steal sensitive information such as passwords, cookies, autofill information, cryptocurrency wallet details, system information, VPN credentials, Discord tokens, and more. The stolen data is then uploaded through Telegram’s API using authentication credentials embedded in the executable. The executable also bypasses SSL certificate validation to ensure the exfiltration succeeds.
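As an added detection example (not code from the article or from the CYFIRMA report), the script below checks for the two traits just described: it scans constructed web-proxy log lines for uploads to the Telegram Bot API and scans a constructed strings dump of a binary for an embedded bot token and the .NET identifier used to disable certificate validation. The log layout, the process names and the token value are assumptions.

```python
import re

# Telegram Bot API tokens have the form <numeric bot id>:<35-char secret>.
# The lookarounds stop digits or token characters bleeding into the match.
BOT_TOKEN_RE = re.compile(r"(?<![0-9])(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# Bot API methods that push data from the host into a chat.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}
# .NET identifier that appears when a program overrides TLS certificate checks.
CERT_BYPASS_MARKER = "ServerCertificateValidationCallback"

# Assumed proxy log layout (constructed): timestamp host process verb url bytes_out
PROXY_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<verb>[A-Z]+) (?P<url>\S+) (?P<out>\d+)$")

def find_telegram_exfil(lines):
    """Return proxy-log entries that upload data through the Telegram Bot API."""
    hits = []
    for line in lines:
        m = PROXY_LINE_RE.match(line.strip())
        if not m or "api.telegram.org/bot" not in m["url"]:
            continue
        tok = BOT_TOKEN_RE.search(m["url"])
        # Last path segment is the Bot API method name, e.g. sendDocument.
        api_method = m["url"].split("?")[0].rstrip("/").rsplit("/", 1)[-1]
        if api_method in EXFIL_METHODS:
            hits.append({"host": m["host"], "process": m["proc"], "method": api_method,
                         "bot_id": tok.group(1) if tok else None, "bytes_out": int(m["out"])})
    return hits

def static_indicators(strings_dump):
    """Flag embedded bot tokens and the TLS-bypass marker in a strings dump."""
    text = "\n".join(strings_dump)
    return {"bot_ids": sorted({m.group(1) for m in BOT_TOKEN_RE.finditer(text)}),
            "tls_bypass": CERT_BYPASS_MARKER in text}

# Constructed sample data: a placeholder token and one infected workstation.
SAMPLE_TOKEN = "1234567890:AAFakeTokenPlaceholder_ABCDEFGHIJKL"
PROXY_LOG = [
    f"2024-09-04T15:07:42Z WS-042 stepasha.exe POST https://api.telegram.org/bot{SAMPLE_TOKEN}/sendDocument 48211",
    "2024-09-04T15:07:43Z WS-042 chrome.exe GET https://example.com/ 512",
    f"2024-09-04T15:07:44Z WS-042 stepasha.exe POST https://api.telegram.org/bot{SAMPLE_TOKEN}/sendMessage 310",
    f"2024-09-04T15:07:45Z WS-042 svc.exe GET https://api.telegram.org/bot{SAMPLE_TOKEN}/getUpdates 95",
]
STRINGS_DUMP = ["mscorlib", f"https://api.telegram.org/bot{SAMPLE_TOKEN}/",
                "ServerCertificateValidationCallback", "Login Data"]

if __name__ == "__main__":
    for hit in find_telegram_exfil(PROXY_LOG):
        print("exfil:", hit)
    print("static:", static_indicators(STRINGS_DUMP))
```

The getUpdates line is deliberately left unflagged: polling the API is not by itself an upload, so the check keys on the send methods rather than on the domain alone.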

MotherRussia.exe, on the other hand, is designed to open up new pathways and snare more victims. In other words, this executable can generate custom malware. The security research team suggests this program could open up Remote Desktop sessions to spread.

Overall, after a successful infection, Angry Stealer begins a systematic and thorough collection of sensitive data. It appears to be going after popular web browsers. This could be because browsers have become a preferred location to store passwords and login credentials for multiple online services.

The research team has observed the Angry Stealer malware going after multiple browsers simultaneously. It persistently tries to extract passwords, credit card details, cookies, autofill data, bookmarks, running processes, screen captures, and system specifications.

The Angry Stealer malware takes precautions to evade detection. It prioritizes key folders and documents that might hold sensitive information. Moreover, the malware even collects the victim’s IP address, geographical location, and network-related data.

To combat this malware, system administrators should adopt a multi-layered security approach. Properly segmenting networks can limit the malware’s lateral movement. The malware appears to spread through multiple techniques, most of which rely on human error, oversight, and negligence. Hence, deploying robust security programs and keeping them updated is critical to combating the Angry Stealer malware.

2024-09-04 15:07:42