Braodo Stealer (Infostealer) – Malware

January 30, 2025

Braodo Stealer

Type of Malware: Infostealer
Country of Origin: Vietnam
Targeted Countries: Vietnam, United States, Czech Republic, Germany, Netherlands, Singapore, United Kingdom
Date of Initial Activity: 2024
Motivation: Data Theft
Attack Vectors: Phishing
Targeted Systems: Windows
Type of Information Stolen: Login Credentials

Overview

The emergence of advanced malware threats continues to challenge cybersecurity measures across the globe, with Braodo Stealer standing out as a particularly sophisticated and dangerous variant. First identified in early 2024, Braodo Stealer is a Python-based information stealer primarily targeting users in Vietnam, although its reach extends to numerous countries, including the United States, the Czech Republic, Germany, the Netherlands, Singapore, and the United Kingdom. This malware exemplifies the evolving tactics of cybercriminals, leveraging phishing and spear-phishing techniques to compromise victims and exfiltrate sensitive information. What sets Braodo Stealer apart is its utilization of modern technologies for both distribution and data collection. The malware exploits platforms like GitHub and a Singapore-based Virtual Private Server (VPS) to host its malicious code, indicating a well-structured operational approach by the threat actors behind it. The VPS infrastructure is particularly noteworthy, as it has previously hosted websites mimicking Vietnamese government sites, highlighting a possible attempt to build trust and increase the effectiveness of the malware’s deployment. This strategic choice not only facilitates the distribution of the malware but also underscores the sophisticated planning involved in its development.

Targets

Individuals

How they operate

Infiltration and Delivery Mechanisms

Braodo Stealer primarily spreads through phishing and spear-phishing emails, using social engineering to trick users into executing malicious files. The malware is hosted on multiple GitHub repositories and relies notably on a Singapore-based Virtual Private Server (VPS). This infrastructure both distributes the malware and obscures its origin, making detection harder for security systems. The phishing emails typically carry batch scripts, PowerShell commands, or executable files which, once run, launch the malware’s payload. On execution, Braodo Stealer downloads a second-stage payload hosted on GitHub. The initial downloader scripts, often obfuscated, reveal additional servers associated with the threat actors. Once the malicious code runs, it issues a series of commands that establish persistence by adding the malware to the Windows Startup folder, so it stays active across system reboots.

Data Exfiltration Techniques

One of the most concerning aspects of Braodo Stealer is the breadth of sensitive data it collects. The malware specifically targets web browsers, including Chrome, Firefox, Edge, and others, to extract stored credentials, cookies, and other sensitive information. Once it has located the browser data, it uses a multi-threaded approach to run several collection routines concurrently, harvesting data from multiple browsers efficiently. The collected data is then compressed and exfiltrated through Telegram bots, a channel that blends in with ordinary traffic and is easily missed by traditional security monitoring. Using Telegram for exfiltration allows real-time transmission and adds anonymity, making it harder for investigators to trace the data back to the threat actors.

Obfuscation and Evasion Techniques

To evade detection by antivirus solutions and security frameworks, Braodo Stealer employs advanced obfuscation techniques. Its scripts often appear as gibberish when analyzed, because specific byte sequences inserted into them alter how the operating system represents their contents. By obscuring the original content, Braodo Stealer makes detection harder and can operate unnoticed for extended periods. The malware also dumps a list of all running processes into a text file, which helps it monitor system activity and avoid behaviour that could trigger security alerts. This operational stealth is a hallmark of modern malware, as threat actors continuously refine their strategies to counter cybersecurity defenses.

Conclusion

The technical operations of Braodo Stealer illustrate a growing trend in cybercrime: multi-layered approaches to executing and sustaining malware attacks. By combining obfuscation, data exfiltration via Telegram, and tailored phishing, Braodo Stealer poses a significant threat to individual users and organizations alike. Users should therefore adopt vigilant security practices, including awareness of phishing attempts, regular software updates, and robust password management, to defend against such evolving threats. The tactics behind Braodo Stealer underscore the importance of continued research and development in cybersecurity to mitigate the risks posed by advanced malware.
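Two of the behaviours described above, persistence in the Windows Startup folder and exfiltration through Telegram bots, can be checked for from the defender’s side. The following Python is an added example, not code from the article or from the malware; it assumes a constructed proxy-log line format (timestamp, client IP, method, URL, status, bytes) and a constructed list of Startup-folder filenames.

```python
"""Defender-side checks for two Braodo Stealer behaviours: persistence via the
Windows Startup folder and exfiltration through the Telegram Bot API."""
import re
from typing import Dict, Iterable, List

# Telegram Bot API calls take the form https://api.telegram.org/bot<token>/<method>;
# the compressed archives the stealer sends would go out via sendDocument.
# Assumed log format (constructed, not a real product's):
#   "<timestamp> <client_ip> <method> <url> <status> <bytes>"
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<api>sendDocument|sendMessage)"
)
# Script types the article says arrive by phishing and then land in Startup.
SUSPICIOUS_STARTUP_EXT = {".bat", ".cmd", ".ps1", ".vbs", ".py", ".pyw"}

SAMPLE_PROXY_LOG = [  # constructed sample lines, not real telemetry
    "2025-01-30T10:01:02Z 10.0.0.5 GET https://www.example.com/index.html 200 1420",
    "2025-01-30T10:01:09Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendDocument 200 52310",
    "2025-01-30T10:01:10Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAExampleTokenValue/sendMessage 200 210",
    "2025-01-30T10:02:00Z 10.0.0.7 GET https://update.example.org/check 304 0",
]
SAMPLE_STARTUP = ["OneDrive.lnk", "update.bat", "sync.pyw", "readme.txt"]  # constructed


def find_telegram_exfil(log_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per line that calls a Telegram bot endpoint.
    The bot token is reduced to its numeric id so the report does not leak it."""
    findings = []
    for line in log_lines:
        m = TELEGRAM_BOT_RE.search(line)
        if not m:
            continue
        token = m.group("token")
        bot_id = token.split(":", 1)[0]
        parts = line.split()
        findings.append({
            "api": m.group("api"),
            "bot_id": bot_id,
            "client": parts[1] if len(parts) > 1 else "",
            "line": line.strip().replace(token, bot_id + ":<redacted>"),
        })
    return findings


def suspicious_startup_entries(filenames: Iterable[str]) -> List[str]:
    """Flag Startup-folder entries with script extensions; legitimate software
    rarely persists that way, so such entries deserve a closer look."""
    flagged = []
    for name in filenames:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SUSPICIOUS_STARTUP_EXT:
            flagged.append(name)
    return flagged
```

Feeding the Startup folder listing (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`) and web-proxy logs into these two functions gives a cheap first-pass hunt for the persistence and exfiltration steps described above.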

MITRE Tactics and Techniques

Execution (TA0002)
T1059: Command and Scripting Interpreter
T1064: Scripting

Persistence (TA0003)
T1547.001: Startup Folder

Credential Access (TA0006)
T1555.003: Credentials from Web Browsers
T1606.001: Web Cookies

Discovery (TA0007)
T1057: Process Discovery
T1083: File and Directory Discovery

Collection (TA0009)
T1005: Data from Local System

Exfiltration (TA0010)
T1041: Exfiltration Over C2 Channel

Command and Control (TA0011)
T1071.001: Web Protocols

References:
  • Braodo Info Stealer Targeting Vietnam and Abroad