The SapphireStealer malware, built on the .NET framework, has emerged as a significant threat in the cyber landscape, with multiple entities using it to enhance their operations and create customized versions.
Additionally, this information-stealing malware has the potential to acquire sensitive data, including corporate credentials, which are often sold to other threat actors for various malicious purposes, such as espionage or ransomware attacks. The malware’s source code being published freely in late 2022 has allowed malicious actors to experiment with it, making detection more challenging. The malware’s capabilities include gathering host information, browser data, files, and screenshots, then exfiltrating the stolen data as a ZIP file via Simple Mail Transfer Protocol (SMTP).
Cisco Talos researcher Edmund Brumaghin underscores the broader ecosystem that has developed around such malware, enabling both financially motivated cybercriminals and nation-state actors to utilize the stolen data for a range of cyber attacks. The malware’s evolving variants and its adaptability to new exfiltration methods, like using Discord or Telegram APIs, make it a formidable tool in the hands of cybercriminals.
Furthermore, the malware author has shared a .NET malware downloader, called FUD-Loader, which aids in retrieving additional binary payloads for attacks. Talos has identified this downloader being used to deliver remote administration tools like DCRat, njRAT, DarkComet, and Agent Tesla.
This development comes after Zscaler’s disclosure of another stealer malware, Agniane Stealer, which can steal credentials, system information, and session details from various platforms, including browsers, Telegram, Discord, and file transfer tools, as well as data from cryptocurrency extensions and wallets.
Sold for $50 a month on dark web forums and a Telegram channel, this highlights the growing trend of malware-as-a-service, where cybercriminals can access powerful tools for a fee. The rapid evolution and sophistication of such malware underscore the need for continuous vigilance and robust cybersecurity measures to counter these evolving threats.
