Cyber Web Spider Blog – News
SantaStealer Attacks Users to Exfiltrate Sensitive Documents, Credentials, and Wallet Data

Posted on December 16, 2025 By CWS

A new information stealer known as SantaStealer has emerged as a significant risk to Windows users worldwide.

This malware-as-a-service tool is being aggressively marketed through Telegram channels and underground hacking forums, with a full release planned before the end of 2025.

The malware is a rebranding of the earlier BluelineStealer, reflecting the continual development of stealing tools designed to harvest sensitive user information.

The stealer's capabilities are extensive and well organized. SantaStealer collects and exfiltrates sensitive documents, user credentials, cryptocurrency wallet data, and data from a broad range of applications.

A Telegram message from November 25th advertising the rebranded SantaStealer (Source – Rapid7)

The malware operates entirely in memory to avoid file-based detection, a key feature for evading traditional, file-scanning security solutions.

Once collected, all stolen data is compressed, split into 10 MB chunks, and sent to a command-and-control server over unencrypted HTTP connections.

The developers claim the malware is written entirely in C with a custom polymorphic engine and full anti-detection capabilities.

However, Rapid7 researchers identified unobfuscated and unstripped SantaStealer samples that provide an in-depth look at the malware's actual level of sophistication.

Their analysis reveals significant operational security weaknesses in the threat actors' approach.

In-Memory Infection and Browser Credential Theft

Analysts detected the malware after discovering a Windows executable that triggered generic information-stealer detection rules usually associated with the Raccoon stealer family.

Initial analysis of a 64-bit DLL containing over 500 exported symbols with highly descriptive names, such as "payload_main" and "check_antivm," quickly revealed the malware's credential-stealing capabilities.

The implementation follows a modular design in which SantaStealer performs virtual machine detection before executing its main payload.

A particularly sophisticated aspect involves stealing browser credentials from Chromium-based browsers by bypassing App-Bound Encryption.

The malware achieves this by embedding and executing a specialized tool called ChromElevator, which uses direct syscall-based reflective process hollowing to inject code into legitimate browser processes.

This technique lets the stealer decrypt App-Bound Encryption keys and access saved credentials without raising immediate suspicion: App-Bound Encryption releases the key only to a caller that the browser's elevation service recognizes as the browser itself, so code running inside a genuine browser process inherits that trust.

The stolen data is compressed in memory and exfiltrated over plain HTTP to hardcoded command-and-control servers on port 6767.
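The exfiltration pattern described above (compressed data in 10 MB chunks over plaintext HTTP to a hardcoded server on TCP port 6767) is unusually easy to hunt for in proxy or flow logs. The following is an added example and not Rapid7's code or the malware's: it scans HTTP log lines, groups POST uploads per source/destination pair, and ranks findings by how closely they match the report. The log lines are constructed for the example (documentation-range IP addresses, Zeek-style JSON field names), and the chunk-size tolerance and minimum-chunk threshold are assumptions a hunter would tune for their environment.

```python
"""Hunt for SantaStealer-style exfiltration in HTTP logs (added example)."""
import json
from collections import defaultdict

C2_PORT = 6767                  # hardcoded C2 port named in the report
CHUNK_BYTES = 10 * 1024 * 1024  # "10 MB" chunks; exact boundary is an assumption
CHUNK_TOLERANCE = 0.15          # assumption: treat +/-15% of 10 MB as a full chunk
MIN_CHUNKS = 2                  # assumption: one big upload alone is weak evidence
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# CONSTRUCTED sample log: Zeek http.log-like JSON, one record per request.
# 10.0.0.21 -> chunked uploads to port 6767 (matches the report end to end)
# 10.0.0.35 -> chunked uploads to a different port (same shape, port changed)
# 10.0.0.40 -> a lone GET to port 6767 (contact only, no upload)
SAMPLE_LOG = """\
{"ts":1765880000.1,"id.orig_h":"10.0.0.21","id.resp_h":"203.0.113.7","id.resp_p":6767,"method":"POST","uri":"/upload","request_body_len":10485760}
{"ts":1765880003.4,"id.orig_h":"10.0.0.21","id.resp_h":"203.0.113.7","id.resp_p":6767,"method":"POST","uri":"/upload","request_body_len":10485760}
{"ts":1765880006.9,"id.orig_h":"10.0.0.21","id.resp_h":"203.0.113.7","id.resp_p":6767,"method":"POST","uri":"/upload","request_body_len":3211008}
{"ts":1765880010.0,"id.orig_h":"10.0.0.35","id.resp_h":"198.51.100.9","id.resp_p":80,"method":"GET","uri":"/index.html","request_body_len":0}
{"ts":1765880012.0,"id.orig_h":"10.0.0.35","id.resp_h":"198.51.100.9","id.resp_p":8080,"method":"POST","uri":"/api/backup","request_body_len":10485760}
{"ts":1765880014.2,"id.orig_h":"10.0.0.35","id.resp_h":"198.51.100.9","id.resp_p":8080,"method":"POST","uri":"/api/backup","request_body_len":10485760}
{"ts":1765880015.0,"id.orig_h":"10.0.0.40","id.resp_h":"203.0.113.8","id.resp_p":6767,"method":"GET","uri":"/","request_body_len":0}
"""


def is_chunk(body_len: int) -> bool:
    """True if a request body is within tolerance of one 10 MB chunk."""
    return abs(body_len - CHUNK_BYTES) <= CHUNK_BYTES * CHUNK_TOLERANCE


def hunt(log_text: str) -> list:
    """Return findings sorted by severity, then source host.

    high   - repeated ~10 MB POSTs to port 6767 (chunking + C2 port)
    medium - repeated ~10 MB POSTs to any other port (chunking only)
    low    - any HTTP contact with port 6767, no chunked upload seen
    """
    contacts = set()               # (src, dst, port) pairs that touched the C2 port
    uploads = defaultdict(list)    # (src, dst, port) -> list of POST body sizes
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        key = (rec["id.orig_h"], rec["id.resp_h"], int(rec["id.resp_p"]))
        if key[2] == C2_PORT:
            contacts.add(key)
        if rec.get("method") == "POST":
            uploads[key].append(int(rec.get("request_body_len", 0)))

    findings = []
    for key, sizes in uploads.items():
        full_chunks = sum(1 for s in sizes if is_chunk(s))
        if full_chunks >= MIN_CHUNKS:
            findings.append({
                "src": key[0], "dst": key[1], "port": key[2],
                "severity": "high" if key[2] == C2_PORT else "medium",
                "chunks": full_chunks, "bytes": sum(sizes),
            })
            contacts.discard(key)   # already reported at a higher severity
    for key in contacts:
        findings.append({"src": key[0], "dst": key[1], "port": key[2],
                         "severity": "low", "chunks": 0, "bytes": 0})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["src"]))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f['severity']:>6}] {f['src']} -> {f['dst']}:{f['port']} "
              f"chunks={f['chunks']} bytes={f['bytes']}")
```

The medium tier exists because the port is the cheapest indicator for the operators to change; the chunking behaviour is baked into the tool. A last, smaller POST (the 3 MB tail in the sample) is the remainder of the archive and is counted in the byte total but not as a full chunk.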

Pricing model for SantaStealer (Source – Rapid7)

Pricing for the malware-as-a-service ranges from $175 per month for basic functionality to $300 for premium features, including custom implementation options and file-binding capabilities.

A list of features (Source – Rapid7)

Security professionals should remain vigilant against unrecognized email attachments and suspicious download links that may deliver this emerging threat. Because exfiltration uses plaintext HTTP to a fixed port, egress monitoring for unexpected HTTP traffic on TCP 6767 is also a practical detection opportunity.


Copyright © 2026 Cyber Web Spider Blog – News.