Saintstealer is a C# .NET-based malware designed to capture and exfiltrate confidential data from compromised systems. The threat is capable of siphoning account credentials, system information, credit/debit card numbers and other sensitive information. Details about Saintstealer were revealed to the public in a report by security researchers.
Attributed to the Saint cybercriminal gang, the information stealer is dropped onto breached devices as a 32-bit executable file named 'saintgang.exe'. Before activating its primary functionality, Saintstealer performs several checks for signs of virtualization and sandbox environments. If these anti-analysis checks indicate that it is running in an analysis environment, the threat terminates its execution.
Once established on the device, Saintstealer begins capturing a wide range of data: taking screenshots, gathering passwords, accessing cookies, and reading the autofill data saved in Chromium-based browsers (Google Chrome, Edge, Opera, Brave, Vivaldi, Yandex and more). The threat may also acquire Discord multi-factor authentication tokens, collect various file types (.doc, .docx, .txt, etc.), and extract information from certain applications, such as VimeWorld and Telegram. Saintstealer may also collect data from multiple VPN applications, including NordVPN, OpenVPN and ProtonVPN.
All obtained data is compressed and stored in a password-protected ZIP file. The collected information is then exfiltrated to a Telegram account under the control of the cybercriminals. At the same time, metadata about the exfiltrated information is transmitted to a remote Command-and-Control (C2, C&C) server. It should be noted that the IP address associated with the C2 domain used in these operations has previously been linked to multiple other stealer families, including Predator Stealer, Nixscare Stealer, QuasarRAT and BloodyStealer.
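As an added example (not code from the report, and not the malware's own code), the following Python detection sketch correlates endpoint telemetry against the chain described above: a process image named saintgang.exe, reads of Chromium credential and cookie stores by a non-browser process, staging of a ZIP archive, and an outbound connection to api.telegram.org. The telemetry records, the Chromium store file names and the browser image names are assumptions of this example, not values taken from the page.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the report): one endpoint event per
# record in a Sysmon-like shape, keyed by the originating process id.
SAMPLE_EVENTS = [
    {"pid": 4120, "event": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\saintgang.exe"},
    {"pid": 4120, "event": "file_read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4120, "event": "file_read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"pid": 4120, "event": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\report.zip"},
    {"pid": 4120, "event": "network_connect", "dest_host": "api.telegram.org", "dest_port": 443},
    # Benign activity: the browser itself reading its own profile store.
    {"pid": 2200, "event": "process_create",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"pid": 2200, "event": "file_read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
]

KNOWN_IMAGE = "saintgang.exe"                       # dropper file name given in the report
BROWSER_DB = ("login data", "cookies", "web data")  # Chromium store names (assumed)
BROWSER_IMAGES = ("chrome.exe", "msedge.exe", "opera.exe", "brave.exe", "vivaldi.exe")  # assumed

def stage_of(ev):
    """Map one telemetry event to a stage of the described stealer chain, or None."""
    kind = ev["event"]
    if kind == "process_create" and ev["image"].lower().endswith("\\" + KNOWN_IMAGE):
        return "known_image"
    if kind == "file_read":
        p = ev["path"].lower()
        if "user data" in p and p.endswith(BROWSER_DB):
            return "browser_store_read"
    if kind == "file_create" and ev["path"].lower().endswith(".zip"):
        return "archive_staged"
    if kind == "network_connect" and ev.get("dest_host", "").lower() == "api.telegram.org":
        return "telegram_upload"
    return None

def correlate(events):
    """Group stages per pid. Alert on the known image name, or on any process
    that hits three or more stages; browsers reading their own stores are discounted."""
    stages, images = defaultdict(set), {}
    for ev in events:
        if ev["event"] == "process_create":
            images[ev["pid"]] = ev["image"].lower().rsplit("\\", 1)[-1]
        if (s := stage_of(ev)):
            stages[ev["pid"]].add(s)
    alerts = {}
    for pid, found in stages.items():
        if images.get(pid) in BROWSER_IMAGES:
            found = found - {"browser_store_read"}
        if "known_image" in found or len(found) >= 3:
            alerts[pid] = sorted(found)
    return alerts
```

Run against the constructed events, only pid 4120 is reported; the browser's own read of its Cookies file produces no alert.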