The malware known as AsukaStealer is an updated, more capable version of ObserverStealer that was being advertised as malware-as-a-service (MaaS). It can collect a wide range of data, including desktop screenshots, data from the Steam Desktop Authenticator application, FileZilla sessions, Telegram sessions, Discord tokens, browser extensions, and even cryptocurrency wallets. This upgraded version of ObserverStealer was spotted being marketed on a Russian-language forum as a MaaS, offering an extensive list of features meant to steal confidential data from targets.
AsukaStealer is written in C++ and comes with flexible options and a web-based control panel. Notably, the developers behind AsukaStealer used the same Command & Control (C&C) infrastructure to host both AsukaStealer and ObserverStealer.
The C&C panels of AsukaStealer and ObserverStealer share remarkably similar features. This suggests that the same threat actors are likely behind the creation and management of both stealer malware.
On February 2, 2024, Cyble Research & Intelligence Labs (CRIL) discovered this new malware-as-a-service (MaaS) called “AsukaStealer”. Version 0.9.7 of the web panel was being offered for $80 per month on a Russian-language cybercrime forum. Earlier, on January 24, 2024, AsukaStealer was also being marketed on another well-known Russian forum under an alternate pseudonym.
This malware is much more than just a simple data stealer. It is equipped with an array of functional features that make it a particularly dangerous tool in the hands of cybercriminals. It can collect browser data, Discord tokens, FileZilla sessions, Telegram sessions, and Steam files. It also has the ability to capture desktop screenshots and collect cryptocurrency wallet files. Furthermore, the configuration of AsukaStealer is highly customizable, with various settings for browsers, file grabbers, extensions, and more.
AsukaStealer’s C&C infrastructure has been identified as a substantial threat. The same threat actors have prominently offered both AsukaStealer and ObserverStealer on crime forums. The switch from advertising ObserverStealer to advertising AsukaStealer demonstrates their intention to capitalize on this new version of the malware.
This malware has caught the attention of reputable security companies like Symantec, which has categorized the threat as File-based (Infostealer Trojan.Gen.MBT), Machine Learning-based (Heur.AdvML.B), and Web-based. All products with WebPulse enabled have placed the observed domains and IPs under security categories.
Furthermore, it has been noted that the threat actors behind AsukaStealer and ObserverStealer have substantial proficiency in malware development and are capable of creating a sizable C&C infrastructure to offer their service to underground communities. Ultimately, this reflects the enduring trend of malicious actors offering malware-as-a-service (MaaS) to generate substantial profits.
To protect networks from malware like AsukaStealer and ObserverStealer, companies are encouraged to invest in robust cybersecurity solutions like Perimeter81 malware protection. These types of malware are incredibly harmful and have the potential to cause extensive damage to a network if not properly defended against.
In summary, the emergence of AsukaStealer highlights the increasing sophistication and dangers associated with modern malware-as-a-service. This development underscores the evolving tactics and capabilities of cybercriminals, making it more important than ever to invest in robust cybersecurity measures to mitigate the threat posed by these types of malicious tools.

