Ailurophile Stealer: A New Infostealer Emerges with Customizable Malware Stubs
On August 16, 2024, G DATA released a detailed blog post highlighting the emergence of a new info stealer named "Ailurophile Stealer." The malware, developed in PHP, exhibits unique characteristics, particularly its customization options available through a subscription-based web panel. The stealer's origins appear to trace back to Vietnam, inferred from the code's structure and certain linguistic elements. The malware's sophisticated design and the ease of access its creators provide pose a significant threat to users and organizations.
Report Overview
G DATA researchers were the first to identify the Ailurophile Stealer actively circulating in the wild. The stealer is accessible via a dedicated webpage where users can subscribe and customize the malware stubs. The malware's source code is entirely written in PHP, an unusual choice for Windows malware: a PHP runtime is not normally present on a victim machine, so the stealer has to carry its own interpreter and wrap the scripts so that they execute like a native program.
The Ailurophile Stealer is packaged into an executable using commercially available tools, ExeOutput and BoxedApp. These tools bundle the PHP scripts and interpreter into a self-contained executable that runs on Windows. BoxedApp additionally virtualizes the application, presenting it with a virtual file system, registry, and processes, which hides the embedded scripts from straightforward static inspection and complicates detection.
The web panel associated with the Ailurophile Stealer offers various customization options, including:
- Naming the Malware: Users can choose a name for their customized malware stub.
- Icon Selection: The stub's icon can be customized to appear less suspicious.
- Notification Configuration: Users can set up a Telegram channel to receive notifications once the malware has successfully stolen data.
Higher-tier subscribers gain access to advanced features such as disabling Windows Defender, delivering additional malicious payloads, and selecting specific directories and file types for exfiltration. The malware's functionality is split into several modules, each handling different aspects of data theft, including:
- GetAutoFill.php: Steals auto-fill information from browsers.
- GetPassword.php: Extracts stored passwords from browser databases.
- GetCookie.php: Collects cookies from various browsers.
- GetHistory.php: Harvests browsing history.
- GetFile.php: Scours specified directories for sensitive files based on keywords and extensions.
- GetTelegram.php: Targets Telegram data, excluding certain subfolders to avoid detection.
- CryptoWallet.php: Targets data from browser-based cryptocurrency wallets.
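The module names above are useful static indicators in their own right, because a build of the stealer carries them regardless of how the stub was named or iconed in the panel. The following script is an added example, not G DATA's analysis tooling and not the stealer's code: it hashes a file, compares the digest with the two SHA-256 indicators listed in the IoC table below, and scans the raw bytes for the module names and the Ailurophile directory name, in both ASCII and UTF-16LE form. The SAMPLE bytes at the bottom are constructed for the demo and are not a real binary; the marker list and the two-module threshold are assumptions.

```python
"""Static triage of a suspected Ailurophile Stealer sample.

Added example, not G DATA's analysis code and not the stealer's own code. It
hashes a file and compares the digest with the two SHA-256 indicators
published for the stealer, then scans the raw bytes for the PHP module names
and the Ailurophile directory name from the report (as ASCII and UTF-16LE,
since ExeOutput/BoxedApp wrappers may store strings either way). The SAMPLE
bytes at the bottom are constructed for the demo and are not a real binary.
"""
import hashlib
from pathlib import Path

# Published SHA-256 indicators (from the IoC table in this report).
KNOWN_SHA256 = {
    "4d38d7c7161ccb08998f90079a565f32a296f1bf404001b9e6bbc4d4558d53fd",
    "e04dbe0de745fc8026710034af6a00fc8dc38569440ce8ebebe74cd4dc0a6dc5",
}

# Module file names described in the report.
MODULE_NAMES = [
    b"GetAutoFill.php", b"GetPassword.php", b"GetCookie.php", b"GetHistory.php",
    b"GetFile.php", b"GetTelegram.php", b"CryptoWallet.php",
]
# Other strings an Ailurophile build is likely to carry (directory name, packer,
# bundled interpreter). Assumed markers: weak evidence alone, combine with modules.
OTHER_MARKERS = [b"Ailurophile", b"php.exe", b"ExeOutput", b"BoxedApp"]


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_markers(data: bytes) -> dict:
    """Count each marker in ASCII and UTF-16LE form; return only markers found."""
    hits = {}
    for marker in MODULE_NAMES + OTHER_MARKERS:
        wide = marker.decode("ascii").encode("utf-16-le")
        count = data.count(marker) + data.count(wide)
        if count:
            hits[marker.decode("ascii")] = count
    return hits


def triage(data: bytes) -> dict:
    """Combine hash matching with marker scanning into one verdict."""
    digest = sha256_of(data)
    hits = find_markers(data)
    modules = [m.decode("ascii") for m in MODULE_NAMES if m.decode("ascii") in hits]
    if digest in KNOWN_SHA256:
        verdict = "known Ailurophile sample (hash match)"
    elif len(modules) >= 2:
        # Two or more stealer module names is a strong family-level signal even
        # for a build whose hash has not been published (assumed threshold).
        verdict = "suspicious: Ailurophile module names present"
    else:
        verdict = "no Ailurophile indicators"
    return {"sha256": digest, "hash_match": digest in KNOWN_SHA256,
            "modules": modules, "markers": hits, "verdict": verdict}


def triage_file(path: str) -> dict:
    return triage(Path(path).read_bytes())


# Constructed stand-in for a packed binary: a fake MZ header, a packer string,
# two module names as ASCII, the directory name as UTF-16LE, a third module.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 64 + b"ExeOutput\x00"
          + b"GetPassword.php\x00GetCookie.php\x00"
          + "Ailurophile".encode("utf-16-le") + b"\x00" * 16
          + b"GetTelegram.php\x00")

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Two caveats when using this on real files. A hash match identifies only the two published builds; because the panel generates per-customer stubs, most hits will come from the marker scan, not the hash. And BoxedApp stores the wrapped application in a virtual file system that can be compressed, so the module names may not be visible in the on-disk executable at all; rerun the scan on a memory dump or on the extracted virtual file system before concluding that a file is clean.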
Insights and Analysis
The potential impact of the Ailurophile Stealer is extensive, as it targets a wide range of personal and financial information stored within browsers, including passwords, credit card details, cookies, and cryptocurrency wallet data. The stolen data is then archived and uploaded to a remote server, with a report sent to a designated Telegram channel, ensuring that the attacker is promptly informed of the theft's success.
The stealer's ability to disable Windows Defender, provided the user has administrator privileges, and to deploy additional malicious payloads, significantly increases the threat level. The malware's ongoing development, as evidenced by variations in samples and configuration files, indicates it is actively being enhanced, likely making it more dangerous over time.
Users and organizations are advised to remain vigilant, particularly regarding suspicious software downloads, which could serve as vectors for this malware. Regular updates to security software, monitoring unusual system behaviour, and implementing robust security policies are crucial in mitigating the risk posed by such threats.
In summary, the emergence of Ailurophile Stealer highlights the continuous evolution of cyber threats. As this malware is actively being developed, it is essential to stay informed about its capabilities and the methods it spreads to better protect sensitive information from theft.
Indicators of Compromise (IoCs)
Indicator | Type | Description |
---|---|---|
4d38d7c7161ccb08998f90079a565f32a296f1bf404001b9e6bbc4d4558d53fd | SHA-256 Hash | Hash of a known Ailurophile Stealer sample |
e04dbe0de745fc8026710034af6a00fc8dc38569440ce8ebebe74cd4dc0a6dc5 | SHA-256 Hash | Hash of another Ailurophile Stealer sample |
C:\Users\muser\Desktop\Data\php.exe | File Path | Path of the PHP interpreter the malware executes, as observed in the analysed sample; the literal path is sample-specific, but a PHP interpreter running from any user-writable location is itself a hunting signal |
%LOCALAPPDATA%\Ailurophile\ | File Path | Directory used to store stolen data and other components |
%APPDATA%\Telegram Desktop\tdata\ | File Path | Directory targeted for stealing Telegram data |
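The advice above to monitor unusual system behaviour becomes concrete once the file-path indicators in this table are turned into rules. The following script is an added example, not G DATA's detection content and not the stealer's code: it runs five hunting rules over a handful of constructed Sysmon-style events (process creation, file creation, file read, plus one Windows Defender operational event) and returns the alerts a SIEM rule set would raise. The event field names, the sample events and the choice of Defender event ID 5001 (real-time protection disabled) as a proxy for the undocumented PowerShell commands are assumptions for the demo; map them onto your own telemetry schema.

```python
"""Hunting rules for the Ailurophile Stealer behaviours and file-path
indicators described in this report. Added example, not G DATA's detection
content and not the stealer's code. Runs over constructed Sysmon-style events
and returns the alerts a SIEM rule set would raise. Event field names and the
sample events are assumptions for the demo.
"""
import re

# User-writable locations where a legitimate PHP interpreter has no business running.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData\\(Local|Roaming))\\", re.I)
# %LOCALAPPDATA%\Ailurophile\ as it appears once the variable is expanded.
AILUROPHILE_DIR = re.compile(r"\\AppData\\Local\\Ailurophile\\", re.I)
# %APPDATA%\Telegram Desktop\tdata\ after expansion.
TELEGRAM_TDATA = re.compile(r"\\AppData\\Roaming\\Telegram Desktop\\tdata\\", re.I)
# Microsoft-Windows-Windows Defender/Operational event for real-time protection
# being turned off. The PowerShell commands themselves are not in the report,
# so alert on the effect rather than on a guessed command line (assumption).
DEFENDER_RTP_DISABLED = 5001


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return (rule, severity) tuples triggered by a single event."""
    alerts = []
    kind = event.get("type")
    image = event.get("image", "")
    if kind == "process_create":
        if basename(image) == "php.exe" and USER_WRITABLE.search(image):
            alerts.append(("php_interpreter_from_user_writable_path", "high"))
        # taskkill is common; only flag it when the parent lives in user space.
        if basename(image) == "taskkill.exe" and USER_WRITABLE.search(event.get("parent_image", "")):
            alerts.append(("taskkill_spawned_from_user_writable_parent", "medium"))
    elif kind == "file_create" and AILUROPHILE_DIR.search(event.get("target", "")):
        alerts.append(("ailurophile_staging_directory_write", "high"))
    elif kind == "file_read" and TELEGRAM_TDATA.search(event.get("target", "")):
        # Telegram itself reads tdata constantly; anything else touching it is suspect.
        if basename(image) != "telegram.exe":
            alerts.append(("non_telegram_process_reads_tdata", "high"))
    elif kind == "defender" and event.get("event_id") == DEFENDER_RTP_DISABLED:
        alerts.append(("defender_realtime_protection_disabled", "medium"))
    return alerts


def hunt(events: list) -> list:
    """Evaluate every event; return (event_index, rule, severity) triples."""
    return [(i, rule, sev) for i, ev in enumerate(events) for rule, sev in evaluate(ev)]


# Constructed telemetry: events 0-3 and 6 describe an infection chain consistent
# with the report; events 4, 5 and 7 are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\alice\Desktop\Data\php.exe",
     "parent_image": r"C:\Users\alice\Downloads\Setup.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\taskkill.exe",
     "parent_image": r"C:\Users\alice\Desktop\Data\php.exe"},
    {"type": "file_create", "image": r"C:\Users\alice\Desktop\Data\php.exe",
     "target": r"C:\Users\alice\AppData\Local\Ailurophile\data.zip"},
    {"type": "file_read", "image": r"C:\Users\alice\Desktop\Data\php.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"type": "file_read", "image": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"type": "process_create", "image": r"C:\php\php.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "defender", "event_id": 5001},
    {"type": "defender", "event_id": 1116},
]

if __name__ == "__main__":
    for idx, rule, sev in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {sev:6} {rule}")
```

The staging-directory and tdata rules are high fidelity because nothing legitimate writes to %LOCALAPPDATA%\Ailurophile\ or reads Telegram's tdata from outside Telegram. The php.exe rule deliberately generalizes the single Desktop path in the table to any user-writable directory, since each customized stub may be dropped elsewhere. The taskkill rule is the weakest and is kept at medium severity with a parent-process constraint; correlate it with the php.exe alert before escalating.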
MITRE ATT&CK Framework
Tactic | Technique | ID | Description |
---|---|---|---|
Initial Access | Phishing | T1566 | The report documents no specific delivery vector; G DATA points to suspicious software downloads, so a trojanized download that the victim runs (User Execution: Malicious File, T1204.002) is at least as plausible as a phishing attachment. |
Defense Evasion | Obfuscated Files or Information: Software Packing | T1027.002 | The PHP code is packaged into an executable with ExeOutput and BoxedApp; BoxedApp virtualizes the file system, registry, and processes, hindering static analysis and detection. |
Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | Disables Windows Defender using PowerShell commands; this only succeeds when the victim account has administrator privileges. |
Credential Access | Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | Extracts stored passwords and auto-fill data from browser databases. |
Credential Access | Steal Web Session Cookie | T1539 | Collects browser cookies, which allow session hijacking without the password. |
Collection | Data from Local System | T1005 | Searches configured directories for files matching keywords and extensions, and copies Telegram Desktop data from the tdata directory. |
Collection | Archive Collected Data | T1560 | Archives the stolen data before upload. |
Exfiltration | Exfiltration Over Web Service | T1567 | Uploads the archive to a remote server and reports success to an attacker-controlled Telegram channel. |
Impact | Service Stop | T1489 | Uses the taskkill.exe utility to terminate processes. The report gives no evidence of data destruction (T1485); only process termination is observed, so this mapping is tentative. |