A new Java-based information-stealing malware, NS-STEALER, has emerged; it uses Discord bots to exfiltrate sensitive data from compromised systems discreetly. According to reports, an independent, comprehensive analysis published last week detailed the techniques this malicious software employs.
The propagation of NS-STEALER starts with deceptive ZIP archives posing as cracked software. In addition, the malware operators hide the infostealer in a rogue Windows shortcut file known as “Loader GAYve.”
This deceptive shortcut acts as a loader that launches a malicious JAR file. Once activated, the malware creates a folder named “NS-<11-digit_random_number>” in which it covertly stores the stolen data.
NS-STEALER can harvest a broad set of details from infected systems, each of which poses a risk to victims. According to the investigation, the stealer is not limited to a single category of data; it collects a wide range of sensitive information.
Data the infostealer is confirmed to harvest includes screenshots, cookies, credentials and autofill data from over two dozen web browsers, system details, lists of installed programs, Discord tokens, and Steam and Telegram session data. The malware exfiltrates this information to a Discord bot channel.
The malware’s sophistication also shows in its use of X509Certificate to support authentication. Relying on the Java Runtime Environment, NS-STEALER can quickly extract information from victim systems.
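The artefacts described above (a shortcut that launches a JAR, a staging folder named “NS-” plus eleven digits, and Java exfiltrating to a Discord bot channel) translate directly into host-level detection logic. The following Python is an added example written for this page, not code from the analysis or from the malware; the event schema and the sample telemetry are constructed, and the Discord API host names are an assumption since the page only says data goes to a Discord bot channel.

```python
import re
from typing import Dict, Iterable, List

# Folder naming convention reported for NS-STEALER: "NS-" followed by
# an 11-digit random number, as a path component.
NS_FOLDER_RE = re.compile(r"(?:^|[\\/])NS-\d{11}(?:[\\/]|$)")

# Java launcher image names (matched case-insensitively on the basename).
JAVA_BINARIES = {"java.exe", "javaw.exe", "java", "javaw"}

# ASSUMPTION: Discord bot traffic goes to the public Discord API hosts.
# The page does not name the host; these values are assumed for the example.
DISCORD_HOSTS = {"discord.com", "discordapp.com"}


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either Windows or POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the indicator names triggered by one telemetry event.

    Constructed event schema used by this example:
      kind:    "file_create" | "process_create" | "net_connect"
      path:    created path (file_create)
      image, cmdline, parent: process fields (process_create / net_connect)
      host:    remote host name (net_connect)
    """
    hits: List[str] = []
    kind = ev.get("kind")
    if kind == "file_create" and NS_FOLDER_RE.search(ev.get("path", "")):
        hits.append("ns_stealer_folder_name")
    if kind == "process_create":
        image = _basename(ev.get("image", ""))
        cmd = ev.get("cmdline", "").lower()
        if image in JAVA_BINARIES and "-jar" in cmd:
            hits.append("java_jar_launch")
            # A JAR spawned by Explorer is consistent with a double-clicked shortcut.
            if _basename(ev.get("parent", "")) == "explorer.exe":
                hits.append("jar_launched_from_explorer")
    if kind == "net_connect":
        image = _basename(ev.get("image", ""))
        host = ev.get("host", "").lower()
        if image in JAVA_BINARIES and any(
            host == h or host.endswith("." + h) for h in DISCORD_HOSTS
        ):
            hits.append("java_to_discord_api")
    return hits


def score_host(events: Iterable[Dict[str, str]]) -> Dict[str, object]:
    """Aggregate indicators across one host's events and decide whether to alert.

    A bare JAR launch is too noisy on its own; alert only when the folder
    naming artefact or the Java-to-Discord pairing is present.
    """
    indicators = set()
    for ev in events:
        indicators.update(check_event(ev))
    strong = {"ns_stealer_folder_name", "java_to_discord_api"}
    return {"indicators": sorted(indicators), "alert": bool(indicators & strong)}


# Constructed telemetry for a suspicious host (not taken from the analysis).
SAMPLE_EVENTS = [
    {"kind": "process_create",
     "image": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": r'javaw.exe -jar "C:\Users\u\Downloads\setup.jar"',
     "parent": r"C:\Windows\explorer.exe"},
    {"kind": "file_create",
     "path": r"C:\Users\u\AppData\Local\Temp\NS-48213907651\cookies.txt"},
    {"kind": "net_connect",
     "image": r"C:\Program Files\Java\bin\javaw.exe", "host": "discord.com"},
]

# Constructed telemetry for a benign developer workstation.
BENIGN_EVENTS = [
    {"kind": "process_create",
     "image": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": "java.exe -jar app.jar",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"kind": "file_create", "path": r"C:\Users\u\Documents\NS-2024\notes.txt"},
]

if __name__ == "__main__":
    print(score_host(SAMPLE_EVENTS))   # alert: True
    print(score_host(BENIGN_EVENTS))   # alert: False
```

The folder pattern is anchored to a whole path component so that names such as “NS-2024” do not match, and the alert decision requires a strong indicator rather than a JAR launch alone, which is routine on any machine with Java installed.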
Separately, the developers of the Chaes malware, also known as Chae$, have updated their infostealing tool. Version 4.1 of Chae$ includes upgrades to its Chronod module, which collects login credentials from web browsers and captures cryptocurrency transactions.
Intriguingly, the infection chains delivering NS-STEALER leverage legal-themed email lures in Portuguese. The primary objective of these deceptive emails is to trick recipients into clicking on fraudulent links, deploying a malicious installer that activates Chae$ 4.1.
The developers of Chaes have left messages within the source code, expressing gratitude to a security researcher who extensively analysed the malware in the past for helping them improve their “software.”
The discovery of NS-STEALER is the latest example of malware developers improving their malicious tools to leverage advanced techniques. Therefore, security providers should also improve their services to remain ahead of these evolving threats.