Cybercriminals have embraced an open-source infostealer called “SapphireStealer” to carry out data theft attacks, further democratizing the cybercrime landscape. Since a Russian-language hacker named Roman Maslov published it last year, other hackers have been adopting SapphireStealer, modifying it, and releasing new versions into public repositories. This trend has created a feedback loop in which the malware grows more capable and attracts more attackers, potentially resulting in more dangerous consequences.
Edmund Brumaghin, a threat researcher for Cisco Talos, explains that a large group of threat actors is interested in stealing credentials, access tokens, usernames, and passwords. The stolen data is then monetized, which can lead to higher-impact attacks. Brumaghin recently published a blog post about SapphireStealer and its numerous contributors, highlighting the growing threat it poses.
SapphireStealer is a “stiller” (stealer) that was made available for free download on GitHub. Written in .NET, it could grab files in popular formats such as PDF, DOC, and JPG, take screenshots, and harvest credentials from Chromium-based browsers like Google Chrome, Microsoft Edge, and Yandex. The stolen information was packaged into an email and sent back to the adversaries along with details about the targeted machine. After exfiltration, SapphireStealer deleted evidence of its activity and terminated.
However, the initial versions of SapphireStealer had some flaws: the codebase contained redundant execution paths and typographical errors. Over time, new variants emerged that improved on the original code and expanded its core functionality. Some variants added support for more file formats, while others replaced the email function with the Discord webhook API or transmitted log data via the Telegram API to alert attackers to new infections.
Throughout the first half of 2023, SapphireStealer evolved to become more robust, multifaceted, and accessible. The introduction of open-source stealers like SapphireStealer has lowered the barrier to entry for information stealing, making it easier for non-technical hackers to get involved. This accessibility raises concerns as SapphireStealer continues to spread and grow, as it could enable more serious attacks on larger enterprises.
Edmund Brumaghin highlights the importance of understanding the link between information stealers like SapphireStealer and other threats like ransomware and espionage. While organizations may not prioritize information stealers as highly as ransomware, they often serve as a precursor to more serious attacks. Adversaries obtain credentials through information stealers and then sell them to other threat actors who can exploit the access for their own malicious activities.
As the cybercrime economy continues to mature and expand, the interlinking of different threats becomes more pronounced. Organizations need to be aware of this relationship and take appropriate measures to defend against these evolving threats. The growing popularity and development of open-source stealers like SapphireStealer should serve as a warning sign that the cybercrime landscape is constantly evolving, and proactive security measures are crucial to stay ahead of attackers.
