CovalentStealer is a malware threat that was among the tools deployed in an attack against a US organization operating in the Defense Industrial Base sector. The goal of the threat actors was to obtain confidential and sensitive data from their target. The other payloads dropped on the breached devices included Impacket, an open-source collection of Python classes, the HyperBro RAT and ChinaChopper Web shells.
When fully executed, CovalentStealer can identify file shares on the infected system, categorize the files, and then exfiltrate the chosen data to a remote server under the control of its operators. The threat stores the harvested files on OneDrive. CovalentStealer can also extract the Master File Table associated with NT File System volumes. The capabilities of the threat extend beyond the collection of data, though: the threat actors could also use CovalentStealer to encrypt or decrypt the transferred data, as well as to secure their overall communication.
Details about the cybercriminal operation were revealed in a joint advisory by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA). The agencies state that they believe the threat actors to be an APT (Advanced Persistent Threat) group that has had access to the victim's internal environment for a prolonged time.