
SolyxImmortal Malware Compromises Passwords, Cookies, Files, and Keystrokes


New Python-Based Malware SolyxImmortal Targets Sensitive Data Among Turkish Users

A recently analyzed information stealer, identified as SolyxImmortal, harvests browser credentials, cookies, documents, screenshots, and keystrokes from infected Windows machines. The output file names, window-title keywords, and exfiltration messages in the sample are in Turkish, and the researchers who analyzed it report that the campaign primarily targets Turkish users.

Technical Overview of SolyxImmortal

SolyxImmortal is written in Python using common libraries, and it runs its surveillance and theft routines in separate threads so that keylogging, screenshot capture, file hunting, and credential theft proceed concurrently rather than one after another. Concurrency shortens the window between infection and first exfiltration; it does not by itself hide the malware, since the interpreter process, the persistence entry, and the outbound webhook traffic remain visible to endpoint and network monitoring. The choice of Python reflects a broader trend of threat actors building capable malware from a short script and off-the-shelf modules rather than custom native code.

The analyzed sample, identified in the original analysis by its SHA256 hash, is a Python script of just over 10 KB. Despite that small footprint it imports a range of built-in and third-party modules that let it interact with the operating system, read browser databases, capture screenshots, log keystrokes, and communicate with remote servers.

On first run, SolyxImmortal copies itself into the %APPDATA%\WindowsGraphics directory and registers that copy under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, so it starts again each time the infected user logs on. Because the key lives under HKCU and the directory is inside the user's profile, no administrative rights are needed. After a short startup delay it begins its collection routines.
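A defender's check for the persistence described above, added here as an example and not code from the article or from the sample: it audits the HKCU Run values and flags any that launch a script interpreter or that point into a user-writable profile directory such as %APPDATA%. The Run value name, the pythonw.exe location, and the script file name in the constructed sample entries are assumptions.

```python
"""Audit HKCU Run values for stealer-style persistence (added example)."""
import ntpath
import os
import platform
import re

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# A plain .py stealer needs an interpreter to start at logon.
INTERPRETERS = {"python.exe", "pythonw.exe", "py.exe", "pyw.exe",
                "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
# Profile locations a non-admin process can write to; legitimate software
# rarely launches from here at logon.
USER_WRITABLE_VARS = ("APPDATA", "LOCALAPPDATA", "TEMP", "TMP")


def expand_vars(command, env):
    """Expand %VAR% references; env keys are upper-case."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), command)


def first_token(command):
    """Return the executable at the start of a Run command line."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ""


def classify(command, env):
    """Reasons a Run value looks like persistence; [] when nothing stands out."""
    reasons = []
    expanded = expand_vars(command, env)
    exe = ntpath.basename(first_token(expanded)).lower()
    if exe in INTERPRETERS:
        reasons.append("interpreter")
    lowered = expanded.lower()
    for var in USER_WRITABLE_VARS:
        root = env.get(var, "").lower().rstrip("\\")
        if root and root in lowered:
            reasons.append(f"path-under-%{var}%")
            break
    return reasons


def audit_entries(entries, env):
    """Map value name -> reasons for every flagged (name, command) pair."""
    env = {k.upper(): v for k, v in env.items()}
    flagged = {}
    for name, command in entries:
        reasons = classify(command, env)
        if reasons:
            flagged[name] = reasons
    return flagged


def read_live_run_entries():
    """Enumerate the HKCU Run key on Windows; returns [] on other platforms."""
    if platform.system() != "Windows":
        return []
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries.append((name, str(data)))
            index += 1
    return entries


# Constructed sample: one benign entry and one shaped like the persistence
# the analysis describes. Value name, interpreter path and script name are
# assumptions, not indicators from the report.
SAMPLE_ENV = {
    "APPDATA": r"C:\Users\ayse\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\ayse\AppData\Local",
    "TEMP": r"C:\Users\ayse\AppData\Local\Temp",
    "TMP": r"C:\Users\ayse\AppData\Local\Temp",
}
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("WindowsGraphics", r'"C:\Python312\pythonw.exe" "%APPDATA%\WindowsGraphics\update.py"'),
]

if __name__ == "__main__":
    on_windows = platform.system() == "Windows"
    entries = read_live_run_entries() if on_windows else SAMPLE_ENTRIES
    env = dict(os.environ) if on_windows else SAMPLE_ENV
    for name, reasons in audit_entries(entries, env).items():
        print(f"FLAGGED {name}: {', '.join(reasons)}")
```

On a real host the script reads the live key; elsewhere it runs against the constructed entries. Interpreter-based persistence is the cheap check; the path check catches the same stealer once it has been compiled into an executable, which is why both are kept.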

Data Collection Operations

The core of SolyxImmortal's credential theft is extraction of saved logins from Chromium-based browsers such as Chrome and Edge. It reads the browser's login database, pulls out the encrypted password blobs, and decrypts them with Windows cryptographic APIs. Chromium protects these blobs with a key that the same Windows user account can unwrap through DPAPI, so malware running inside the victim's session needs no extra privileges to recover them. The results are written to a local file named "sifreler.txt" (Turkish for "passwords"). From Firefox it takes cookies by copying the cookie database file out of each user profile.

Cyfirma's analysis shows that the malware does more than steal credentials. It recursively scans the file system starting from the user's home folder, skipping system-related paths, and collects files with the extensions .txt, .pdf, .docx, and .xlsx whose size falls between 100 bytes and 10 MB. Matching files are staged in a temporary folder, compressed into an archive, and queued for exfiltration.
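The selection rules above (extensions, size window, excluded directories) turned into an exposure audit, added here as an example rather than code from the sample: it walks a home directory with the same criteria and reports what a stealer applying them would stage. The specific excluded directory names are an assumption, since the analysis says only that system-related paths are skipped, and the sample directory tree is constructed in a temporary folder.

```python
"""Estimate what a document stealer with the reported rules would take."""
import os
import tempfile
from pathlib import Path

TARGET_EXTENSIONS = {".txt", ".pdf", ".docx", ".xlsx"}
MIN_SIZE, MAX_SIZE = 100, 10 * 1024 * 1024      # 100 bytes .. 10 MB
# Assumed "system-related" directories under the profile that are pruned;
# the analysis does not list them, so treat this set as illustrative.
EXCLUDED_DIRS = {"AppData", "Application Data", "Local Settings", ".cache"}


def candidate_files(home):
    """Yield (path, size) for every file the reported rules would select."""
    for root, dirs, files in os.walk(home):
        dirs[:] = [d for d in dirs if d not in EXCLUDED_DIRS]   # prune in place
        for fname in files:
            path = Path(root) / fname
            if path.suffix.lower() not in TARGET_EXTENSIONS:
                continue
            try:
                size = path.stat().st_size
            except OSError:         # unreadable or vanished file
                continue
            if MIN_SIZE <= size <= MAX_SIZE:
                yield path, size


def exposure_report(home):
    """Return {extension: (file count, total bytes)} for what would be staged."""
    report = {}
    for path, size in candidate_files(home):
        ext = path.suffix.lower()
        count, total = report.get(ext, (0, 0))
        report[ext] = (count + 1, total + size)
    return report


def build_sample_home(base):
    """Construct a throwaway profile that exercises each selection rule."""
    base = Path(base)
    (base / "Documents").mkdir(parents=True)
    (base / "AppData" / "Roaming").mkdir(parents=True)
    (base / "Documents" / "notes.txt").write_bytes(b"x" * 500)          # taken
    (base / "Documents" / "tiny.txt").write_bytes(b"x" * 50)            # under 100 B
    (base / "Documents" / "report.pdf").write_bytes(b"x" * 2048)        # taken
    (base / "Documents" / "photo.jpg").write_bytes(b"x" * 4096)         # wrong type
    (base / "AppData" / "Roaming" / "cfg.txt").write_bytes(b"x" * 300)  # pruned dir
    with open(base / "Documents" / "big.xlsx", "wb") as f:
        f.truncate(MAX_SIZE + 1)                                        # over the cap
    return base


def demo():
    """Run the audit over the constructed profile and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return exposure_report(build_sample_home(Path(tmp) / "home"))


if __name__ == "__main__":
    target = Path(os.path.expanduser("~")) if os.environ.get("AUDIT_REAL_HOME") else None
    result = exposure_report(target) if target else demo()
    for ext, (count, total) in sorted(result.items()):
        print(f"{ext}: {count} file(s), {total} bytes")
```

Run with AUDIT_REAL_HOME=1 to measure a real profile; the total is a rough upper bound on the archive the stealer would build, which is useful when deciding how much to worry about a single infected workstation. The size window matters in practice: it excludes both empty templates and large spreadsheets that would slow the upload.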

Advanced Features and Exfiltration Methods

SolyxImmortal includes a keylogger that records every keystroke the user types. Keystrokes accumulate in a buffer that is flushed to attacker-controlled infrastructure every 60 seconds as a structured JSON message, giving the operators a near-real-time feed of typed passwords and private messages.

It also captures screenshots, either on a fixed interval or when specific keywords appear in the title of the active window. The keyword list is built around banking and login activity and contains many Turkish terms, so a screenshot is taken at the moment a victim is most likely to be entering credentials. Triggered screenshots are exfiltrated along with the rest of the haul.

All collected data (files, screenshots, and keystroke logs) is exfiltrated through Discord webhooks. The traffic goes to discord.com over TLS, so at the network level it blends in with legitimate Discord use and the attacker needs no infrastructure of their own; the webhook path (/api/webhooks/<id>/<token>) and the process doing the posting remain distinctive enough to alert on. The messages sent through the webhook contain Turkish phrases, a further sign that the campaign is aimed at Turkish-speaking victims.
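Detection logic for the exfiltration channel, and for the 60-second keylog beacon from the previous section, added here as an example and not taken from the analysis: it scans a constructed proxy export for POSTs to Discord webhook URLs from processes that are not sanctioned to use them, and checks whether those posts recur on a fixed period. The log format, hostnames, process names, and the webhook ID and token are all constructed.

```python
"""Flag Discord-webhook exfiltration and fixed-period beacons in proxy logs."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Webhook URLs have a fixed shape: /api/webhooks/<id>/<token>.
WEBHOOK_RE = re.compile(
    r"https?://(?:[a-z0-9-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/\S+", re.I)
# Processes allowed to post to webhooks on this estate. Assumption: none on
# end-user workstations; add CI or chat-ops agents here if they exist.
SANCTIONED_WEBHOOK_CLIENTS = set()

# Constructed proxy export: <ts> <host> <process> <method> <url> <bytes>.
# Six POSTs from pythonw.exe: five ~800-byte keylog beacons one minute apart
# and one 2 MB screenshot upload in between. Webhook ID/token are made up.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ws-17 pythonw.exe POST https://discord.com/api/webhooks/1234567890/AbCdEf 812
2024-05-01T10:01:00Z ws-17 pythonw.exe POST https://discord.com/api/webhooks/1234567890/AbCdEf 790
2024-05-01T10:01:03Z ws-17 chrome.exe GET https://www.google.com/ 2210
2024-05-01T10:02:00Z ws-17 pythonw.exe POST https://discord.com/api/webhooks/1234567890/AbCdEf 805
2024-05-01T10:02:30Z ws-17 pythonw.exe POST https://discord.com/api/webhooks/1234567890/AbCdEf 2048000
2024-05-01T10:03:00Z ws-17 pythonw.exe POST https://discord.com/api/webhooks/1234567890/AbCdEf 799
2024-05-01T10:04:00Z ws-17 pythonw.exe POST https://discord.com/api/webhooks/1234567890/AbCdEf 821
2024-05-01T10:05:00Z ws-22 Discord.exe POST https://discord.com/api/v9/channels/1/messages 400
"""


def parse_log(text):
    """Parse the space-separated export into dicts; URL carries no spaces."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, method, url, size = line.split(maxsplit=5)
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "host": host, "proc": proc.lower(), "method": method,
                        "url": url, "bytes": int(size)})
    return records


def dominant_interval(times, bucket=5):
    """(seconds, share): the most common gap between sorted times, rounded
    to `bucket` seconds, and the fraction of gaps that fall in it."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return 0, 0.0
    rounded = [int(round(g / bucket) * bucket) for g in gaps]
    value, count = Counter(rounded).most_common(1)[0]
    return value, count / len(gaps)


def webhook_alerts(records, min_posts=4, min_share=0.5):
    """Alerts for webhook POSTs from unsanctioned processes, plus a second
    alert when those POSTs sit on a regular period (keylog-style beacon)."""
    streams = defaultdict(list)
    for r in records:
        if r["method"] != "POST" or not WEBHOOK_RE.match(r["url"]):
            continue
        if r["proc"] not in SANCTIONED_WEBHOOK_CLIENTS:
            streams[(r["host"], r["proc"], r["url"])].append(r)
    alerts = []
    for (host, proc, _url), posts in streams.items():
        alerts.append(("webhook-from-unsanctioned-process", host, proc,
                       len(posts), sum(p["bytes"] for p in posts)))
        period, share = dominant_interval(sorted(p["ts"] for p in posts))
        if len(posts) >= min_posts and share >= min_share and period > 0:
            alerts.append(("periodic-beacon", host, proc, period, round(share, 2)))
    return alerts


def demo():
    """Alerts produced for the constructed export."""
    return webhook_alerts(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The Discord desktop client on ws-22 posts to a channel endpoint, not a webhook URL, so it is correctly ignored. The beacon check tolerates the irregular 2 MB screenshot post by looking for the dominant gap rather than requiring every gap to be 60 seconds; in production the same two rules map onto proxy or EDR telemetry with a process field.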

Preventive Measures and Future Implications

In summary, the script's main routine establishes persistence, sleeps for 15 seconds after infection, and then starts the threads that gather sensitive information. Nothing in it is novel; its effectiveness comes from combining standard libraries into a modular tool that is easy to modify, which is exactly why threat actors increasingly reach for scripting languages like Python.

As SolyxImmortal shows, stealthy information stealers are increasingly assembled from legitimate libraries, multi-threading, and trusted platforms such as Discord. Concrete mitigations follow directly from its behaviour: alert on outbound POSTs to Discord webhook endpoints from processes that have no reason to use them, restrict script interpreters on endpoints where they are not needed, watch HKCU Run keys for entries that point into user-writable directories such as %APPDATA%, and deploy endpoint detection that can see interpreter processes reading browser databases. Because the whole campaign runs without administrative rights, least-privilege configuration alone does not stop it; monitoring of user-level activity is required.
