
Akira Stealer

Akira is an information-stealing malware available on a dedicated website, operating as a Malware-as-a-Service (MaaS) under the name 'Akira Undetector.' This web platform offers a user-friendly interface for generating new instances of the stealer binary, complete with detailed instructions on how to employ the malware effectively. It makes use of a Telegram channel for updates and command-and-control capabilities.

This versatile malware is proficient at extracting data from web browsers, including saved login credentials and payment card information. Additionally, it conducts a thorough system-wide scan to collect various data points, such as usernames, system identifiers, hardware specifications, installed software listings, and network configurations. The stolen information is subsequently uploaded to the threat actor's account on the 'GoFile' online storage management service and their Discord instant messaging account.

Intrusive Capabilities Observed in the Akira Stealer

The Akira Stealer employs a complex infection process with multiple layers to obfuscate its code and elude detection. The threat actor leverages various platforms for their operations, including Telegram, a Command and Control (C2) server, and GitHub. Moreover, the threat actor boldly claims that their malware is 'Fully Undetectable' (FUD). They maintain a Telegram channel named 'Akira' with approximately 358 subscribers and offer their services through a Malware-as-a-Service domain.

Researchers analyzed an Akira Stealer sample named '3989X_NORD_VPN_PREMIUM_HITS.txt.cmd.' The file was a CMD script containing obfuscated code. When executed, it dropped a batch file named hidden.bat in the current working directory, which also evaded detection. That batch file contained an obfuscated PowerShell script that wrote out a tmp.vbs file and launched it through the cscript.exe process.
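As an added defensive illustration (not part of the original analysis), the following Python hunts Sysmon-style process-creation telemetry for the stages of the execution chain described above: the double-extension .cmd lure, hidden.bat, a hidden PowerShell child of cmd.exe, and a .vbs run from a temp directory by cscript.exe. The event field names, file paths and user name are assumptions; the events are constructed sample data, not captured telemetry.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 field names);
# paths and the user name are invented sample data, not captured telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "C:\Users\victim\Downloads\3989X_NORD_VPN_PREMIUM_HITS.txt.cmd"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c C:\Users\victim\Downloads\hidden.bat"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc <PLACEHOLDER_BLOB>"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\Users\victim\AppData\Local\Temp\tmp.vbs"},
    {"ParentImage": r"C:\Windows\explorer.exe",      # benign noise event
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

def _exe(path):
    """Lower-cased basename of a Windows image path (works on any host OS)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

# (stage name, predicate over one event); one rule per stage of the chain.
STAGE_RULES = [
    ("double_extension_cmd", lambda e: _exe(e["Image"]) == "cmd.exe"
        and re.search(r"\.[a-z0-9]{2,4}\.cmd\b", e["CommandLine"], re.I)),
    ("hidden_bat_dropper", lambda e: _exe(e["Image"]) == "cmd.exe"
        and "hidden.bat" in e["CommandLine"].lower()),
    ("stealthy_powershell_from_cmd", lambda e: _exe(e["Image"]) == "powershell.exe"
        and _exe(e["ParentImage"]) == "cmd.exe"
        and re.search(r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|-e(nc|ncodedcommand)?\b",
                      e["CommandLine"], re.I)),
    ("vbs_from_temp_via_cscript", lambda e: _exe(e["Image"]) in ("cscript.exe", "wscript.exe")
        and re.search(r"\\temp\\[^\\]+\.vbs\b", e["CommandLine"], re.I)),
]

def match_stages(events):
    """Return the distinct chain stages observed, in the order first seen."""
    seen = []
    for e in events:
        for name, pred in STAGE_RULES:
            if name not in seen and pred(e):
                seen.append(name)
    return seen

def is_akira_chain(events, min_stages=3):
    """Alert only when several stages co-occur; a lone stage is weak evidence."""
    return len(match_stages(events)) >= min_stages
```

The stage predicates are generic enough to catch renamed lures; the correlation threshold in is_akira_chain keeps a single hidden PowerShell launch from paging anyone on its own.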

In terms of data theft, the malware establishes a folder with the name of the compromised PC to store the pilfered information. Subsequently, it initiates data extraction from various web browsers, including Microsoft Edge, Google Chrome, Opera, Mozilla Firefox, and 14 other browsers.

Additionally, the stealer is proficient in targeting financial data, encompassing saved credit card details and login credentials. It also gathers bookmark data, wallet extension information, captures screenshots, and much more.

An Info-Stealer Malware May Cause Severe Consequences for Victims

Akira is a malicious information-stealing malware operating on the Malware-as-a-Service (MaaS) model, a particularly perilous form of malware capable of inflicting significant harm on both organizations and individual users. It is actively propagated through a dedicated web portal. It employs a Telegram channel for distribution, all the while discreetly exfiltrating a wealth of sensitive data from compromised systems, evading detection.

Threat actors continually adapt their techniques to maintain long-term undetectability, rendering their malevolent creation versatile and providing them with efficient control over infected systems. Regular updates conveyed through the Telegram channel serve to further empower cybercriminals in pursuing their malicious agendas.

The most effective approach for safeguarding against the Akira Stealer involves exercising vigilance when dealing with suspicious links and email attachments. It is imperative for users to recognize that even seemingly trustworthy sources can serve as conduits for infection and data theft. Fortifying system, network, and application security can substantially mitigate the risk of infection. Equally vital is the utilization of up-to-date anti-malware software in conjunction with adaptive organizational security policies to ensure robust protection.
