SapphireStealer is an open-source information stealer that may be used to obtain sensitive information, such as corporate credentials, which are frequently sold to other threat actors who use the access for further attacks, such as espionage or ransomware/extortion schemes.
On December 25, 2022, the codebase for SapphireStealer was made available on GitHub. According to Cisco Talos researchers, beginning in mid-January 2023, newly created SapphireStealer versions started appearing in public malware repositories.
Presently, many threat actors are using this malware codebase. The threat already exists in many variants, and threat actors continue to improve its capabilities and effectiveness.
The Working of SapphireStealer
Information-stealing malware dubbed SapphireStealer was created in .NET. It provides simple yet efficient functionality capable of stealing private data from compromised systems, such as:
Host information.
Screenshots.
Cached browser credentials.
Files stored on the system that match a predefined list of file extensions.
It first checks whether any browser processes are running on the system, searching the list of active processes for names that match a predefined list of browsers, such as Chrome, Yandex, msedge, and Opera.
If it finds matching processes, the malware terminates them with Process.Kill(). It then checks for the existence of credential databases for the browser apps using a hard-coded list of paths.
“The contents of any credential databases that are discovered are dumped. This information is then stored in a text file within the malware’s working directory called Passwords.txt”, researchers said.
The malware then takes a screenshot of the system and saves it in a file within the same working directory.
The collected data is then sent to the attacker over the Simple Mail Transfer Protocol (SMTP).
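The behaviour chain described above (browser processes terminated, Passwords.txt written, data sent over SMTP) is what a defender can correlate in endpoint telemetry. The following is an added detection sketch, not Cisco Talos or SapphireStealer code; the event schema (host, ts, type, image, target, dport) is an assumed Sysmon-like layout, and the sample events are constructed.

```python
"""Constructed detection sketch for the behaviour chain described above; not
Cisco Talos or SapphireStealer code. Event fields (host, ts, type, image,
target, dport) are an assumed Sysmon-like schema, not a real vendor's."""
from collections import defaultdict

BROWSERS = {"chrome.exe", "yandex.exe", "msedge.exe", "opera.exe"}
SMTP_PORTS = {25, 465, 587}
WINDOW = 300  # seconds within which all three stages must occur on one host


def stage_of(ev):
    """Map one telemetry event to a stage of the chain, or None if irrelevant."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if ev["type"] == "process_terminate":
        # A non-browser process ending a browser; a browser closing itself is normal.
        if ev["target"].lower() in BROWSERS and image not in BROWSERS:
            return "kill_browsers"
    elif ev["type"] == "file_create":
        # Dumped credentials are written to Passwords.txt in the malware's directory.
        if ev["target"].lower().endswith("\\passwords.txt"):
            return "creds_dump"
    elif ev["type"] == "network_connect" and ev["dport"] in SMTP_PORTS:
        return "smtp_exfil"  # exfiltration over SMTP
    return None


def detect(events):
    """Return {(host, image): [stages in time order]} for processes that hit all
    three stages within WINDOW seconds; partial chains (a mail client on SMTP,
    a browser closing itself) are not reported."""
    seen = defaultdict(dict)  # (host, image) -> {stage: first timestamp}
    for ev in events:
        stage = stage_of(ev)
        if stage:
            seen[(ev["host"], ev["image"])].setdefault(stage, ev["ts"])
    return {key: sorted(st, key=st.get) for key, st in seen.items()
            if len(st) == 3 and max(st.values()) - min(st.values()) <= WINDOW}


# Constructed telemetry: one infected workstation plus two benign look-alikes.
MAL = r"C:\Users\u\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [
    {"host": "ws-17", "ts": 100, "type": "process_terminate", "image": MAL, "target": "chrome.exe"},
    {"host": "ws-17", "ts": 101, "type": "process_terminate", "image": MAL, "target": "msedge.exe"},
    {"host": "ws-17", "ts": 104, "type": "file_create", "image": MAL,
     "target": r"C:\Users\u\AppData\Local\Temp\Passwords.txt"},
    {"host": "ws-17", "ts": 130, "type": "network_connect", "image": MAL, "dport": 587},
    {"host": "ws-02", "ts": 200, "type": "network_connect",
     "image": r"C:\Program Files\Outlook\outlook.exe", "dport": 587},
    {"host": "ws-02", "ts": 210, "type": "process_terminate",
     "image": r"C:\Program Files\Google\Chrome\chrome.exe", "target": "chrome.exe"},
]
```

Running detect(SAMPLE_EVENTS) flags only the ws-17 process, in the order kill_browsers, creds_dump, smtp_exfil; the mail client and the self-closing browser on ws-02 produce no alert.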
“As this malware is open-source and being used by multiple distinct threat actors, much of this development activity has occurred independently and new functionality is not present in sample clusters associated with other threat actors”, according to the information shared with Cyber Security News.
The malware creator has also made available a .NET malware downloader with the codename FUD-Loader, which enables the retrieval of additional binary payloads from distribution servers under the attacker’s control.
Researchers observed that this downloader was used to spread various other malware across 2023, including DcRat, njRAT, DarkComet, AgentTesla, and more.