This rebranded malware digs deep into your data leveraging Telegram API for data exfiltration

Cyber threats continue to evolve and one of the latest emerging threats identified by CYFIRMA research team is the Angry Stealer malware.

This info-stealer has been discovered to be actively advertised across various online platforms, including Telegram, which broadens its reach making it available to a wide audience of potential attackers.

Angry Stealer is a sophisticated malware that targets a wide range of sensitive information using advanced techniques and rebranding tactics. It is based on the previously identified Rage Stealer, sharing almost identical code, behavior, and functionality.

Stepasha.exe and MotherRussia.exe payloads raid any system

Angry Stealer is deployed through a dropper binary, a 32-bit Win32 executable written in .NET, designed to execute two main payloads: “Stepasha.exe” and “MotherRussia.exe.” The primary payload, Stepasha.exe, functions as the core of the Angry Stealer operation, focusing on stealing sensitive information. This includes browser data (passwords, cookies, and autofill information), cryptocurrency wallet details, system information, VPN credentials, Discord tokens, and more. The data is then exfiltrated to a remote server via Telegram, using hardcoded credentials and bypassing SSL validation to ensure successful data transmission.

The secondary payload, MotherRussia.exe, serves as a tool for creating further malicious executables. This builder tool allows attackers to generate custom malware, potentially facilitating remote desktop access or additional bot interactions. The dual-payload approach not only broadens the scope of data theft but also enables the creation of bespoke malicious software tailored to specific targets or attack scenarios.

Upon execution, Angry Stealer infiltrates a victim’s computer and begins a systematic collection of sensitive data. It specifically targets popular web browsers using a multi-threaded approach, allowing it to gather data from multiple browsers simultaneously, extracting passwords, credit card details, cookies, autofill data, bookmarks, running processes, screen captures, and system specifications. The malware organizes this stolen data into a designated directory located at C:\Users\Username\AppData\Local\44_23, where it creates subdirectories for different types of information.

Once the browser paths have been scanned to collect valuable information, the malware imposes size limits on the files it copies to avoid detection. Additionally, Angry Stealer is capable of accessing user files from key directories such as Desktop and Documents, focusing on documents and personal data that may be of interest to attackers.

Furthermore, it can determine the system’s IP address, geographical location, and network-related data – providing attackers with comprehensive information about the victim’s environment. This data collection capability allows attackers to tailor their subsequent actions based on the specific characteristics of the infected system.

To effectively combat the threat posed by Angry Stealer and similar malware, organizations should implement a multi-layered security approach. Key strategies include deploying robust endpoint security solutions capable of detecting and blocking malicious activities associated with info stealers, and ensuring that operating systems, applications, and security software are regularly updated to patch vulnerabilities that could be exploited.

Additionally, implementing network segmentation can help limit the movement of malware within the network, reducing the risk of widespread data theft. Organizations should also conduct comprehensive employee training programs to raise awareness about phishing threats and safe online practices. Finally, having an up-to-date incident response plan is crucial for quickly addressing potential malware infections, minimizing damage, and facilitating the recovery of affected systems.