NS-STEALER uses Discord Bots to exfiltrate your secrets from popular browsers

Cybersecurity researchers have discovered a new Java-based ‘advanced’ information thief that uses a Discord bot to exfiltrate sensitive data from compromised hosts.

The malware, called NS-STEALER, is distributed via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week.

The ZIP file contains a rogue Windows shortcut file (“Loader GAYve”), which acts as a conduit to deploy a malicious JAR file that first creates a folder named “NS-<11-digit_random_number>” to store the collected data.

In this folder, the malware then stores screenshots, cookies, login and autofill data stolen from more than twenty web browsers, system information, a list of installed programs, Discord tokens, and Steam and Telegram session data. The captured information is then exfiltrated to a Discord bot channel.
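The behaviour chain described above (a Java process creating an "NS-<11 digits>" staging folder and then talking to Discord) can be turned into a simple host-side detection. The following is an added example, not code from Trellix or from the article; the event record format, the process names and the Discord API hostname are assumptions for the illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical, simplified endpoint telemetry record (constructed for this example).
@dataclass
class Event:
    kind: str      # "dir_create" | "file_write" | "net_connect"
    process: str   # image name of the acting process
    target: str    # directory path, file path, or destination host

# Staging folder name reported in the analysis: "NS-" followed by 11 random digits.
NS_DIR_RE = re.compile(r"(^|[\\/])NS-\d{11}$")

# Assumption: the JAR runs under the JRE launcher; a digits-only folder name alone
# is a weak signal, so the parent process is required as a second condition.
JAVA_PROCS = ("java.exe", "javaw.exe")
DISCORD_API_HOST = "discord.com"  # assumption: where bot API traffic is sent


def flag_ns_stealer_events(events):
    """Return (index, reason) pairs for events matching the NS-STEALER chain."""
    hits = []
    for i, ev in enumerate(events):
        if ev.process.lower() not in JAVA_PROCS:
            continue  # browsers and Explorer touching these names is normal
        if ev.kind == "dir_create" and NS_DIR_RE.search(ev.target):
            hits.append((i, "java process created NS-<11 digits> staging folder"))
        elif ev.kind == "net_connect" and ev.target.endswith(DISCORD_API_HOST):
            hits.append((i, "java process connecting to Discord (bot exfil channel)"))
    return hits


def zip_has_shortcut_member(member_names):
    """True if a ZIP listing carries a Windows shortcut, the delivery lure used here."""
    return any(n.lower().endswith(".lnk") for n in member_names)


# Constructed sample telemetry: index 1 and 3 should be flagged, the rest ignored.
SAMPLE_EVENTS = [
    Event("dir_create", "explorer.exe", r"C:\Users\alice\Documents\NS-12345678901"),
    Event("dir_create", "javaw.exe", r"C:\Users\alice\AppData\Local\Temp\NS-48213097655"),
    Event("file_write", "javaw.exe", r"C:\Users\alice\AppData\Local\Temp\NS-48213097655\cookies.txt"),
    Event("net_connect", "javaw.exe", "discord.com"),
    Event("net_connect", "chrome.exe", "discord.com"),
]

if __name__ == "__main__":
    for idx, reason in flag_ns_stealer_events(SAMPLE_EVENTS):
        print(idx, reason)
```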

“Given its highly advanced feature of collecting sensitive information and using X509Certificate to support authentication, this malware can quickly steal information from the victim systems with [Java Runtime Environment],” said Ramanathan.

“The Discord bot channel as an EventListener for receiving exfiltrated data is also cost-effective.”

The development comes as the threat actors behind the Chaes malware (also known as Chae$) have released an update (version 4.1) for the information stealer with improvements to the Chronod module, which is responsible for stealing credentials entered into web browsers and intercepting crypto transactions.

Infection chains that spread the malware, per Morphisec, use legal-themed email lures written in Portuguese to trick recipients into clicking on fake links that deploy a malicious installer, which in turn activates Chae$ 4.1.

But in an interesting twist, the developers also left messages for security researcher Arnold Osipov – who has analyzed Chaes extensively in the past – directly in the source code, expressing their gratitude for his help in improving their ‘software’.
