Hackers are Selling GlorySprout Malware in Underground Forum for $300

GlorySprout stealer, which was first advertised on the XSS forum in early March 2024, has raised concerns in the cybersecurity community due to its malicious capabilities. This C++ stealer is being sold for $300 with lifetime access and temporary payload encryption, making it an attractive option for cybercriminals looking to steal sensitive information from unsuspecting victims.

Taurus Stealer, another C++ stealer with a Golang panel, made its debut on XSS in April 2020 and has drawn parallels with the infamous Predator Stealer in terms of encryption methods, bot ID format, anti-VM features, and code naming conventions. Additionally, there have been rumors about the existence of anti-VM and keylogging functionalities in these stealers, although concrete evidence is yet to surface. The stealer also boasts features like log backup and the ability to block certain countries or IPs, further enhancing its appeal to cybercriminals.

One notable aspect of GlorySprout is its use of dynamic API resolution: instead of importing functions by name, it resolves them from target system libraries such as shell32.dll and wininet.dll by hashing the export names with mathematical operations like multiplication, addition, XOR, and shifting. This technique helps the stealer evade detection by security software and carry out its malicious activities discreetly. Furthermore, GlorySprout implements anti-analysis measures by detecting specific language identifiers and obfuscating strings using XOR and arithmetic operations, making it a formidable threat to cybersecurity.
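The analyst's counterpart to API hashing is a precomputed lookup table: hash every export name of the libraries the sample touches with the same routine and map the hashes found in the binary back to names. The example below is added here to illustrate that workflow and is not GlorySprout's code or the write-up's; the `api_hash` routine is a hypothetical stand-in that only uses the operation classes named above (multiply, add, XOR, shift), and the export list is a constructed subset of real exports, not a dump of the DLLs.

```python
# Added example (not the malware's or the article's code): resolving hashed
# API names by precomputing hashes over known export names.
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def api_hash(name: str, seed: int = 0x1505) -> int:
    """Hypothetical 32-bit name hash built from multiply, add, XOR and shift.

    The real sample's constants and step order would be recovered from the
    resolver routine during reverse engineering; this one is illustrative.
    """
    h = seed
    for ch in name.encode("ascii"):
        h = ((h * 33) + ch) & MASK32  # multiply, then add the character
        h ^= h >> 13                  # XOR with a shifted copy of itself
    return h


# Constructed subset of exports an analyst would take from the DLLs' export
# tables (real export names, but not a complete listing).
KNOWN_EXPORTS: Dict[str, Iterable[str]] = {
    "shell32.dll": ["ShellExecuteW", "SHGetFolderPathW"],
    "wininet.dll": ["InternetOpenW", "InternetConnectW",
                    "HttpOpenRequestW", "HttpSendRequestW"],
    "kernel32.dll": ["CreateFileW", "WriteFile", "GetTempPathW"],
}


def build_lookup(exports: Dict[str, Iterable[str]]) -> Dict[int, str]:
    """Precompute hash -> 'dll!Export' so hashes in the binary can be named."""
    table: Dict[int, str] = {}
    for dll, names in exports.items():
        for name in names:
            table[api_hash(name)] = f"{dll}!{name}"
    return table


def resolve_hashes(hashes: Iterable[int],
                   table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each hash to its export name, or None when it is not in the table."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    lookup = build_lookup(KNOWN_EXPORTS)
    # Constructed "hashes pulled from the sample": two resolvable, one not.
    found = [api_hash("InternetOpenW"), api_hash("CreateFileW"), 0xDEADBEEF]
    for h, name in resolve_hashes(found, lookup).items():
        print(f"{h:08x} -> {name or 'unresolved'}")
```

In practice the table is built from the full export tables of every DLL the resolver can load, and an unresolved hash is itself a finding: it usually means the sample reaches into a library the analyst has not hashed yet.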

GlorySprout establishes persistence on an infected system by creating a scheduled task named “\WindowsDefender\Updater” that executes a secondary payload dropped in the %TEMP% folder. Moreover, the stealer uses a function to generate random strings for various purposes, including filenames and RC4 keys. However, there are concerns about the randomness of this function: weak randomness makes the generated filenames and keys predictable, which undermines the protection they are meant to provide.
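A defender can turn the persistence detail above into a triage check over the Task Scheduler definitions Windows keeps as XML files under `%SystemRoot%\System32\Tasks` (the on-disk path of each file is the task path). The example below is added here and is not code from the article or the malware; the task XML it parses is a constructed sample in the standard Task Scheduler schema, and the temp-directory patterns are my own choice of what counts as suspicious.

```python
# Added example (not from the article): flag scheduled tasks that launch from a
# temp directory or use the task path the write-up attributes to GlorySprout.
import os
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Regexes over the expanded action; written so each backslash is literal.
TEMP_PATTERNS = [r"%TEMP%", r"\\AppData\\Local\\Temp\\", r"\\Windows\\Temp\\"]
# Task path named in the write-up as the one GlorySprout registers.
SUSPICIOUS_TASK_PATHS = {r"\WindowsDefender\Updater"}


def find_task_indicators(task_path: str, task_xml: bytes) -> List[str]:
    """Return reasons a task deserves review; an empty list means nothing matched."""
    reasons: List[str] = []
    if task_path in SUSPICIOUS_TASK_PATHS:
        reasons.append(f"task path {task_path} matches a known stealer persistence name")
    root = ET.fromstring(task_xml)
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS)
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS)
        target = f"{cmd} {args}".strip()
        if any(re.search(p, target, re.IGNORECASE) for p in TEMP_PATTERNS):
            reasons.append(f"action runs from a temp directory: {target}")
    return reasons


def scan_tasks_folder(folder: str) -> Dict[str, List[str]]:
    """Walk a Tasks folder and return {task_path: reasons} for every flagged task.

    Files are read as bytes so the XML parser honours the UTF-16 BOM the real
    task files carry.
    """
    hits: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(folder):
        for name in files:
            full = os.path.join(dirpath, name)
            task_path = "\\" + os.path.relpath(full, folder).replace("/", "\\")
            try:
                with open(full, "rb") as fh:
                    reasons = find_task_indicators(task_path, fh.read())
            except (OSError, ET.ParseError):
                continue  # unreadable or non-XML entries are skipped, not fatal
            if reasons:
                hits[task_path] = reasons
    return hits


# Constructed sample task in the Task Scheduler schema (no XML declaration, so
# it parses from a plain UTF-8 byte string); the path mimics the write-up.
SAMPLE_SUSPICIOUS = rb"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\victim\AppData\Local\Temp\updater.exe</Command>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_BENIGN = rb"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\notepad.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(find_task_indicators(r"\WindowsDefender\Updater", SAMPLE_SUSPICIOUS))
    print(find_task_indicators(r"\Microsoft\Windows\Example", SAMPLE_BENIGN))
```

The task-name match is brittle on its own (a rebuild can rename it), so the action-path rule is the one worth keeping: legitimate scheduled tasks almost never execute a binary that lives in a user's temp directory.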

In terms of communication with the C2 server, GlorySprout disguises itself as a browser on port 80 and sends the encrypted BotID together with a predefined user agent in a POST request. The RC4 key used for encryption is generated from a constant initial state value, so the same key is produced for every check-in, which weakens the confidentiality of the communications. The server responds with an encrypted configuration detailing the data to be stolen and further actions to be taken by the stealer, such as downloading secondary payloads or self-deletion.
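The consequence of a constant initial state is easy to show: a generator seeded from a fixed value returns the same "random" key on every run, and RC4 under a fixed key is a fixed keystream, so identical check-ins produce identical bytes on the wire and any two captures XOR to the XOR of their plaintexts. The example below is added to illustrate that property and is not the malware's or the article's code; `random_string_fixed_seed` is a hypothetical stand-in for a seeded generator, the BotIDs are constructed, and the RC4 implementation is the textbook algorithm.

```python
# Added example (not from the article): why a constant-seed key generator makes
# RC4-protected traffic both fingerprintable and decryptable once observed.
import random
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: KSA then PRGA, XORed over data (encrypt and decrypt alike)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def random_string_fixed_seed(length: int, seed: int = 0x1234) -> str:
    """Hypothetical generator seeded from a constant: output never varies."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def random_string_secure(length: int) -> str:
    """What the generator should do instead: draw from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def demo_constant_key() -> dict:
    """Two check-ins from a fixed-seed key; returns the properties an analyst relies on."""
    key1 = random_string_fixed_seed(16).encode()   # "generated" at check-in 1
    key2 = random_string_fixed_seed(16).encode()   # "generated" at check-in 2
    bot_a = b"BOT-0001-CONSTRUCTED"                # constructed BotIDs
    bot_b = b"BOT-0002-CONSTRUCTED"
    c_a = rc4(key1, bot_a)
    c_b = rc4(key2, bot_b)
    return {
        "same_key_each_checkin": key1 == key2,
        # identical plaintext -> identical ciphertext: a static network signature
        "same_bot_same_bytes": rc4(key1, bot_a) == c_a,
        # keystream reuse: C_a XOR C_b == P_a XOR P_b, no key needed to confirm
        "xor_of_ciphertexts_leaks_plaintext_xor":
            xor_bytes(c_a, c_b) == xor_bytes(bot_a, bot_b),
        # one recovered key decrypts every capture, past and future
        "one_key_decrypts_all": rc4(key1, c_b) == bot_b,
    }


if __name__ == "__main__":
    for prop, holds in demo_constant_key().items():
        print(f"{prop}: {holds}")
    print("secure keys differ:", random_string_secure(16) != random_string_secure(16))
```

For detection this means the encrypted BotID field of a given bot is a stable byte sequence across check-ins, which is exactly the kind of constant a network signature can key on, while for analysis it means recovering the key once from a sample is enough to read all of its traffic.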

It has been noted that GlorySprout is a clone of the Taurus Stealer code, as evidenced by mentions of “taurus” in the SQL databases analyzed during the investigation. However, GlorySprout lacks certain features present in Taurus Stealer, such as additional DLL downloads and anti-VM capabilities. These differences may impact GlorySprout’s popularity among cybercriminals and limit its effectiveness in carrying out sophisticated cyber attacks.

Overall, the emergence of sophisticated stealers like GlorySprout and Taurus Stealer highlights the evolving landscape of cyber threats and the need for robust cybersecurity measures to protect sensitive information. Organizations and individuals are advised to stay vigilant and implement comprehensive security protocols to mitigate the risks posed by these advanced malware strains.
