BluStealer Malware

BluStealer Malware Description

Information-stealing malware has gained a lot of popularity over the past few years. One of the primary reasons for this is the boom in cryptocurrency. Nowadays, these stealers go after cryptocurrency wallets on top of the usual passwords, files, and cookies. One of the latest projects in the information-stealer category is the BluStealer Malware. While it has been active since the beginning of September, its activity appears to be on the rise: over 6,000 active copies were identified in mid-September. Needless to say, the criminals operating this malware are working hard to infect as many users as possible.

How is the BluStealer Malware Spread?

If the operators of this malware are like other cybercriminals, they are likely to rely on some of the most popular malware propagation channels:

  • Fake downloads, typically promoted through misleading advertisements.
  • Torrent trackers hosting game cracks, software activators and other pirated content.
  • Social media spam through fake profiles and pages.
  • Email spam containing malicious attachments or links.

The spam email campaign promoting the BluStealer Malware appears to rely on fraudulent delivery notifications. Users receive a message from a spoofed email address claiming to represent DHL, USPS, FedEx or another popular delivery service. The user is told that there is a pending payment or delivery and that they should check the attachment for details. However, the attached file executes a script, which deploys the BluStealer Malware's binaries.

How does the BluStealer Malware Work?

Once running, the malware tries to conceal its presence and work in the background. Naturally, its goal is to extract as much information as possible before it removes itself. The data it goes after includes:

  • Autofill information from popular Web browsers.
  • Cookies stored by Google Chrome and Mozilla Firefox.
  • Cryptocurrency wallet software such as Electrum, Jaxx, Bytecoin and others.
  • Documents found by scanning the hard disk for specific file formats (DOC, DOCX, XLSX, RTF, PDF and others), which it compresses into an archive named Files.zip.
  • Clipboard contents and screenshots.
  • Keystrokes, since the BluStealer Malware appears to include a keylogger module as well.

Once the data has been collected, the BluStealer Malware proceeds to transfer it to the attackers. To do this, it uses either an SMTP transfer routine that appears to have been copied from SpyEx, a spyware toolkit, or an alternative channel, a Telegram bot. The scope of BluStealer Malware's reach is not clear yet, so we advise all users to take precautions to keep their data safe. Using up-to-date antivirus software and applying the latest Windows patches is the best way to stay protected.
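The collection and exfiltration chain described above (document sweep, staging into Files.zip, then SMTP or Telegram transfer) is something endpoint telemetry can be correlated on. The following is an added detection example, not code from the article or from the malware; the SMTP port numbers and the Telegram API host are assumptions, since the article does not state them, and the event records are constructed.

```python
"""Correlation heuristic for the BluStealer collection chain described above.
Added example, not code from the article or the malware. Flags a process that
reads several document types, stages them into Files.zip, then opens an SMTP
or Telegram connection. Ports and the Telegram host are assumptions."""
from collections import defaultdict

DOC_EXTENSIONS = {".doc", ".docx", ".xlsx", ".rtf", ".pdf"}  # named in the article
STAGING_ARCHIVE = "files.zip"                                # named in the article
SMTP_PORTS = {25, 465, 587}                                  # assumption
TELEGRAM_HOST = "api.telegram.org"                           # assumption

def detect_staged_exfil(events, min_docs=3):
    """Return {pid: channel} for processes completing the whole chain.
    events: time-ordered dicts with pid, kind ("read"/"write"/"net") and
    path (read/write) or host and port (net)."""
    docs = defaultdict(set)  # pid -> document paths it has read
    staged = set()           # pids that wrote Files.zip after reading docs
    hits = {}
    for ev in events:
        pid, kind = ev["pid"], ev["kind"]
        if kind == "read":
            ext = "." + ev["path"].lower().rsplit(".", 1)[-1]
            if ext in DOC_EXTENSIONS:
                docs[pid].add(ev["path"])
        elif kind == "write":
            name = ev["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name == STAGING_ARCHIVE and len(docs[pid]) >= min_docs:
                staged.add(pid)
        elif kind == "net" and pid in staged and pid not in hits:
            if ev["port"] in SMTP_PORTS:
                hits[pid] = "smtp"
            elif ev["host"].lower() == TELEGRAM_HOST:
                hits[pid] = "telegram"
    return hits

# Constructed telemetry: pid 4242 follows the article's chain; pid 2200 zips
# to Files.zip without touching documents and then talks HTTPS (benign).
SAMPLE_EVENTS = [
    {"pid": 4242, "kind": "read", "path": r"C:\Users\a\Documents\report.docx"},
    {"pid": 4242, "kind": "read", "path": r"C:\Users\a\Documents\invoice.pdf"},
    {"pid": 4242, "kind": "read", "path": r"C:\Users\a\Documents\notes.RTF"},
    {"pid": 4242, "kind": "write", "path": r"C:\Users\a\AppData\Local\Temp\Files.zip"},
    {"pid": 2200, "kind": "write", "path": r"C:\Users\a\Backup\Files.zip"},
    {"pid": 4242, "kind": "net", "host": "smtp.example.net", "port": 587},
    {"pid": 2200, "kind": "net", "host": "backup.example.net", "port": 443},
]
```

Only the process that reads documents, writes Files.zip and then reaches an exfiltration channel is reported; a plain archive write or a document read on its own is not enough to trigger.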