Threat Database Malware SapphireStealer Malware

SapphireStealer Malware

Multiple groups employ an open-source information-collecting malware called SapphireStealer, built on the .NET framework, to bolster their capabilities and create customized versions. Cybersecurity experts reveal that information-collecting malware such as SapphireStealer is employed to acquire critical data, including corporate login credentials. These ill-gotten credentials are frequently sold to other ill-minded actors who exploit them to launch further attacks, ranging from espionage to ransomware and extortion operations.

This type of malware not only signifies the advancement of the cybercrime-as-a-service (CaaS) model but also provides opportunities for other fraud-related actors to profit from the pilfered data by facilitating ransomware distribution, carrying out data theft, and engaging in various other nefarious cyber activities.

SapphireStealer Captures Various Sensitive Information from Compromised Devices

SapphireStealer, a .NET-based information-collecting malware, possesses a straightforward yet effective feature set designed for extracting sensitive data from compromised systems. Its capabilities include:

  • Gathering host information.
  •  Capturing screenshots.
  •  Harvesting cached browser credentials.
  •  Identifying and targeting specific files on the infected system based on predefined file extensions.

Upon its initial execution, the malware conducts a check to determine the presence of any active browser processes on the system. It scans the list of currently running processes for matches with the following process names: chrome, yandex, msedge and Opera. If any matching processes are found, the malware employs the Process.Kill() method to terminate them.

Furthermore, the malware utilizes a hard-coded list of file paths to detect the existence of credential databases associated with approximately 15 different Web browsers, including Chrome, Opera, Yandex, Brave Browser, Microsoft Edge, Atom Browsers and more.

Subsequently, SapphireStealer endeavors to capture a screenshot from the compromised system, saving it in the same working directory under the filename 'Screenshot.png.' To expand its data collection efforts, the malware triggers a file grabber component, aiming to locate files within the victim's Desktop folder that match a predefined list of file extensions.

Finally, the pilfered data is transmitted to the attacker via the Simple Mail Transfer Protocol (SMTP), with the required credentials being specified within the code responsible for composing and sending the message.

SapphireStealer Variants Are Being Actively Developed by Cybercriminals

SapphireStealer resembles numerous other data-collecting malware strains that have become increasingly prevalent on the Dark Web. However, what sets it apart is the fact that its source code was openly released for free in late December 2022. This has empowered fraud-related actors to experiment with the malware, making it considerably more challenging to detect. As a result, they have introduced adaptable data exfiltration methods, such as leveraging a Discord webhook or the Telegram API.

Numerous variations of this threat have already surfaced in the wild, with threat actors continually refining their efficiency and effectiveness over time.

Additionally, the malware author has made public a .NET malware downloader, codenamed FUD-Loader, which allows for the retrieval of additional binary payloads from servers controlled by attackers. This downloader has already been observed in action, delivering Remote Access Trojan (RAT) threats like DCRat, njRATDarkComet and Agent Tesla.


Most Viewed