A new malware family has been identified that combines a keylogger, a bitcoin stealer, and a document uploader in one package. BluStealer, also known as a310logger, was first discovered by a researcher in May.
BluStealer Malware
BluStealer’s core is written in Visual Basic (VB), and its inner payloads are written in C# .NET. Both components vary across observed samples, which indicates that the author can modify each one independently.
- The VB core reuses most of the code from the SpyEx project (first seen in 2004); as a result, SpyEx strings are visible in the earliest samples, discovered in May.
- BluStealer can steal crypto wallet data, replace cryptocurrency addresses copied to the clipboard, find and upload document files, exfiltrate stolen data over SMTP or the Telegram Bot API, and apply anti-analysis and anti-VM techniques.
- The .NET component is a credential stealer assembled from the open-source C# hack tools ChromeRecovery, ThunderFox, firepwd, and StormKitty.
- The malware’s .NET loader has also been used by other malware families, including Oski Stealer, Snake Keylogger, Formbook, RedLine, and Agent Tesla.
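The clipboard "clipper" behaviour listed above is simple enough to model and test for. The following is an added example, not BluStealer’s code or anything from the eScan write-up: it simulates how a clipper rewrites cryptocurrency addresses on the clipboard and shows the round-trip check a defender can run to detect one (copy a known address, paste it back, compare). The address regexes are approximations, the attacker and victim addresses are constructed placeholders, and the clipboard classes are in-memory stand-ins rather than real OS clipboard access.

```python
import re

# Added example (not BluStealer's code): a simplified model of a clipboard
# "clipper" and a round-trip check that detects it.
# Address patterns are approximations (assumed here): legacy Bitcoin (P2PKH/P2SH),
# lowercase bech32 Bitcoin, and Ethereum. They can false-positive on random
# base58-looking words, which a real detector should tolerate.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{8,87}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Hypothetical attacker-controlled addresses (placeholders, not real wallets).
ATTACKER_ADDRESSES = {
    "btc_legacy": "1AttackerSubstituteAddressForDemoX",
    "btc_bech32": "bc1qattackerwalletdemxaddr",
    "eth": "0x" + "dead" * 10,
}

# Constructed victim addresses used in the demonstration below.
VICTIM_BTC_LEGACY = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
VICTIM_ETH = "0x" + "ab12" * 10


def find_addresses(text):
    """Return (kind, address) pairs for every recognised address in text."""
    found = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        found.extend((kind, m.group(0)) for m in pattern.finditer(text))
    return found


def clipper_substitute(text, attacker=ATTACKER_ADDRESSES):
    """Mimic what a clipper does: swap each recognised address for the
    attacker's address of the same kind. Returns (new_text, swapped)."""
    swapped = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        def _swap(match, kind=kind):
            swapped.append((kind, match.group(0)))
            return attacker[kind]
        text = pattern.sub(_swap, text)
    return text, swapped


class CleanClipboard:
    """In-memory stand-in for the OS clipboard (no real clipboard access)."""
    def __init__(self):
        self._text = ""

    def set_text(self, text):
        self._text = text

    def get_text(self):
        return self._text


class HijackedClipboard(CleanClipboard):
    """Clipboard with a clipper attached: contents are rewritten on read."""
    def get_text(self):
        return clipper_substitute(self._text)[0]


def clipboard_tampered(clipboard, address):
    """Defensive round-trip check: copy a known address, paste it back, and
    report whether anything changed. Returns (tampered, pasted_text)."""
    clipboard.set_text(address)
    pasted = clipboard.get_text()
    return pasted != address, pasted


if __name__ == "__main__":
    note = f"Pay 0.5 BTC to {VICTIM_BTC_LEGACY} or ETH to {VICTIM_ETH}"
    rewritten, swapped = clipper_substitute(note)
    print("original :", note)
    print("rewritten:", rewritten)
    print("swapped  :", swapped)
    print("clean clipboard tampered?   ", clipboard_tampered(CleanClipboard(), VICTIM_BTC_LEGACY)[0])
    print("hijacked clipboard tampered?", clipboard_tampered(HijackedClipboard(), VICTIM_BTC_LEGACY)[0])
```

The round-trip check is the part worth keeping: on a real host, replace the fake clipboard with the platform clipboard API, copy a canary address you own, paste it back, and alert if the two differ. It catches any clipper regardless of which addresses it targets, provided the canary matches a pattern the clipper rewrites.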
The Vector of Infection
BluStealer is mostly distributed through malspam campaigns; a considerable number of samples were tied to one campaign that used a distinctive .NET loader.
- The spam emails contained links to Discord’s Content Delivery Network (CDN), which was being abused as malware-hosting infrastructure.
- Researchers found two BluStealer malspam samples. One posed as an English-language DHL invoice; the other posed as a Spanish-language message from the Mexican metals company General de Perfiles.
- Both samples carried .iso attachments as well as download URLs. The accompanying messages claimed that the recipients needed to follow the link and fill in their details to resolve a problem with their shipment delivery.
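The three delivery indicators above (a mountable .iso attachment, a download link on Discord’s CDN, and shipping or invoice lure wording) are easy to turn into a mail-gateway triage check. The following is an added example and not eScan’s or the campaign’s material: it builds constructed sample messages modelled on the two lures described above, with placeholder sender domains and URL paths, and scores each one. The host list, lure word list, the extra .img extension, and the verdict thresholds are assumptions made for the example, not a published rule.

```python
import os
import re
from email.message import EmailMessage
from urllib.parse import urlparse

# Added example (not eScan's or BluStealer's code): a mail-gateway style triage
# check built from the indicators described above. Hosts, words and thresholds
# are assumptions for the example, not a published detection rule.
CONTAINER_EXTENSIONS = {".iso", ".img"}   # .iso observed; .img assumed as a similar mountable container
ABUSED_CDN_HOSTS = {"cdn.discordapp.com"}  # Discord CDN abused as distribution infrastructure
LURE_WORDS = ("invoice", "shipment", "delivery", "factura", "envío", "entrega")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def build_sample(subject, sender, body, attachment_name=None):
    """Construct a sample message for the demonstration (constructed data)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"\x00" * 32, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg


def triage(msg):
    """Return {'indicators': [...], 'verdict': ...} for one message."""
    indicators = []
    body_text = ""
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            if os.path.splitext(filename)[1].lower() in CONTAINER_EXTENSIONS:
                indicators.append(f"mountable container attachment: {filename}")
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    for url in URL_RE.findall(body_text):
        host = (urlparse(url).hostname or "").lower()
        if host in ABUSED_CDN_HOSTS:
            indicators.append(f"download link hosted on abused CDN: {host}")
    haystack = ((msg["Subject"] or "") + "\n" + body_text).lower()
    if any(word in haystack for word in LURE_WORDS):
        indicators.append("shipping/invoice lure wording")
    # A container attachment or an abused-CDN link alone is enough to hold the
    # mail; lure wording by itself only flags it for review.
    hard = any(i.startswith(("mountable", "download link")) for i in indicators)
    verdict = "quarantine" if hard else ("review" if indicators else "deliver")
    return {"indicators": indicators, "verdict": verdict}


# Constructed samples modelled on the two lures described above (placeholder
# sender addresses and URL paths; not the real campaign artefacts).
SAMPLE_DHL = build_sample(
    "DHL Shipment Notification - Invoice",
    "noreply@dhl-example.invalid",
    "Your parcel could not be delivered. Open "
    "https://cdn.discordapp.com/attachments/000/000/DHL_Invoice.iso "
    "and fill in your details to resolve the delivery problem.",
    attachment_name="DHL_Invoice.iso",
)
SAMPLE_PERFILES = build_sample(
    "Factura pendiente",
    "ventas@perfiles-example.invalid",
    "Adjuntamos la factura de su envío. Descargue el archivo aquí: "
    "https://cdn.discordapp.com/attachments/000/000/Factura.iso",
)
SAMPLE_BENIGN = build_sample(
    "Team lunch on Friday",
    "colleague@example.com",
    "Are we still meeting at noon? Let me know.",
)

if __name__ == "__main__":
    for name, sample in [("DHL", SAMPLE_DHL), ("Perfiles", SAMPLE_PERFILES), ("benign", SAMPLE_BENIGN)]:
        print(name, triage(sample))
```

In production the same function would run over parsed MIME from the gateway rather than constructed samples; the point is that the hard indicators (a mountable disk image as an attachment, a download link on a file-sharing CDN) are independent of the lure language, so the English DHL and Spanish General de Perfiles variants are caught by the same rule.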
BluStealer leans on legitimate services (Discord’s CDN for delivery, SMTP and the Telegram Bot API for exfiltration) so that its traffic blends in with normal use, which makes it harder for security teams everywhere to spot. Let us remain vigilant and keep this threat at bay!
To read more, please check eScan Blog