CYFIRMA analyzed malware known as "Angry Stealer", a repackaged version of the previously identified "Rage Stealer" that is heavily advertised on platforms like Telegram.
The dropper is a 32-bit Win32 executable written in .NET, which acts as the initial stage of the attack. Upon execution, it deploys two key payloads: "Stepasha.exe" and "MotherRussia.exe".
Stepasha.exe - The Info-Stealer:
Once deployed, "Stepasha.exe" begins an extensive data collection process. It targets sensitive information stored on the infected system, including browser data (passwords, cookies, autofill data), cryptocurrency wallets, VPN credentials, and system information.
The collected data is then packaged into a ZIP file and exfiltrated to a remote Telegram channel. This process leverages hardcoded credentials and bypasses SSL/TLS certificate validation, ensuring the data reaches the attacker without interruption.
The malware incorporates techniques to avoid detection, such as tampering with file timestamps (timestomping) and ensuring only one instance runs at a time.
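Detection logic for the exfiltration channel described above, as an added example that is not part of CYFIRMA's report: it scans constructed web-proxy log lines for Telegram Bot API uploads from unexpected processes and records only the numeric bot id, never the token secret. The log format, host and process names, and the process allowlist are assumptions for this example.

```python
import re
from typing import List

# Constructed sample web-proxy log lines (assumed format:
# timestamp host process method url bytes content-type); not from the report.
SAMPLE_LOG = """\
2024-08-20T10:01:02Z ws01 chrome.exe GET https://www.example.com/ 1200 text/html
2024-08-20T10:01:05Z ws01 Stepasha.exe POST https://api.telegram.org/bot123456789:AAEXAMPLE-placeholder_secret/sendDocument 48213 multipart/form-data
2024-08-20T10:02:11Z ws02 python.exe POST https://api.telegram.org/bot987654321:BBEXAMPLE-placeholder_secret/sendMessage 310 application/x-www-form-urlencoded
2024-08-20T10:03:40Z ws03 outlook.exe POST https://outlook.office.com/owa/ 5000 application/json
"""

# Bot API requests take the form /bot<bot_id>:<secret>/<method>.
BOT_API_RE = re.compile(r"https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# Methods that upload an attachment; a ZIP archive goes out via sendDocument.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}

# Processes permitted to use the Bot API (assumed allowlist; tune per environment).
ALLOWED_PROCESSES = {"telegram-bot-service.exe"}


def parse_line(line: str) -> dict:
    """Split one log line into named fields (content-type is the last field)."""
    ts, host, proc, method, url, nbytes, ctype = line.split(maxsplit=6)
    return {"ts": ts, "host": host, "process": proc, "method": method,
            "url": url, "bytes": int(nbytes), "content_type": ctype}

def find_bot_api_exfil(log_text: str) -> List[dict]:
    """Flag Bot API traffic from non-allowlisted processes; uploads rank highest."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        m = BOT_API_RE.search(rec["url"])
        if m is None or rec["process"].lower() in ALLOWED_PROCESSES:
            continue
        bot_id, _secret, api_method = m.groups()  # the secret is never stored or logged
        is_upload = rec["method"] == "POST" and api_method in UPLOAD_METHODS
        findings.append({
            "host": rec["host"],
            "process": rec["process"],
            "bot_id": bot_id,  # enough to report or block the bot without leaking its token
            "api_method": api_method,
            "bytes": rec["bytes"],
            "severity": "high" if is_upload else "medium",
        })
    return findings
```

Because the stealer skips certificate validation, a TLS-inspecting proxy will intercept the session and log the full request path, which is what this check relies on.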
MotherRussia.exe - The Builder Tool:
This secondary payload acts as a builder, allowing the creation of additional malicious executables. The user provides specific inputs, such as bot tokens and chat IDs, which are then embedded into the generated executable.
The tool is likely designed for tasks related to remote desktop operations or bot interactions, making it easier for attackers to automate and scale their malicious activities.
"Angry Stealer" is a direct descendant of "Rage Stealer," sharing the same codebase and functionality. This rebranding approach allows cybercriminals to market the same malware under different names, reaching new buyers and avoiding detection by reusing proven tactics.
The dropper was compiled in a .NET environment, likely within an isolated setup like Windows Defender Application Guard, suggesting that the developers took precautions to avoid detection during development.