
Sophisticated Celestial Stealer Targets Browsers for Login Credential Theft


Researchers have recently uncovered a new threat known as Celestial Stealer, a JavaScript-based Malware-as-a-Service (MaaS) infostealer that specifically targets Windows systems. This sophisticated malware is designed to evade detection by using obfuscation and anti-analysis techniques while stealing data from various browsers, applications, and cryptocurrency wallets.

Celestial Stealer operates as either an Electron or NodeJS application, injecting malicious code into vulnerable apps and communicating with command-and-control (C2) servers. This enables the malware to continuously update itself and employ deceptive tactics to maintain its Fully UnDetectable (FUD) status, posing a persistent threat to user privacy and security.

The malicious actors behind Celestial Stealer have been distributing the malware disguised as a VR Chat NSFW application. The malicious payload is hidden within a file called “VRChatERPSetup.zip,” which contains an executable (AppSetup.exe) that executes a multi-stage download process. Once installed on a victim’s system, the malware decodes a base64 string to download the actual stealer (Celestial) from a C2 server. The malware is sold as a service on sellix.io, with a configuration bot that allows customization through Telegram.

Celestial Stealer employs various anti-analysis techniques, such as obfuscation and runtime checks, to evade detection and hinder analysis. Its capabilities include checking for tampering, inspecting the system date and platform, and executing its malicious actions. The malware uses PowerShell scripts to hide its activities and maintain persistence, and it inspects specific files, registry entries, and signs of a virtual environment on the infected system before going after user data and cryptocurrency wallets.

The malware injects malicious payloads into popular applications like Exodus and Discord to steal sensitive information including passwords, 2FA codes, credit card details, and more. By communicating with its C2 server, Celestial Stealer can download additional payloads and upload stolen data, posing a significant risk to user security.

According to Trellix, Celestial Stealer targets both Chromium and Gecko-based browsers and applications like Discord and Exodus. The malware uses advanced anti-VM and anti-analysis techniques to evade detection and ensure its persistence. By extracting sensitive data such as passwords and cookies, Celestial Stealer highlights the growing threat of JavaScript-based attacks that masquerade as legitimate applications.
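As an added illustration of how a defender might triage the delivery chain described above, the following Python script is example code written for this page, not code from Trellix or from the article. It runs three simple rules over constructed process-event telemetry: the lure dropper named in the report (AppSetup.exe from the VRChatERPSetup archive), a hidden base64-encoded PowerShell launch spawned by a non-shell parent (the `-EncodedCommand` / `-WindowStyle Hidden` pattern is this example's assumption about how the reported PowerShell and base64 decoding would appear), and a Node/Electron runtime writing into a Discord or Exodus install directory. The log format, the `celestial.js` file name and the Discord path are all constructed for the example.

```python
"""Triage rules for the Celestial Stealer delivery chain described in the article.

Added example, not code from Trellix or the article. The log format and the
sample events are constructed; the only page-derived indicators are the lure
archive name (VRChatERPSetup.zip), the dropper name (AppSetup.exe) and the
targeted applications (Discord, Exodus).
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample telemetry (not real logs), one event per line:
# timestamp|process|parent|command_line|target_path
SAMPLE_EVENTS = """
2024-11-01T10:00:01|explorer.exe|userinit.exe|C:\\Windows\\explorer.exe|
2024-11-01T10:00:05|AppSetup.exe|explorer.exe|C:\\Users\\u\\Downloads\\VRChatERPSetup\\AppSetup.exe|
2024-11-01T10:00:06|powershell.exe|AppSetup.exe|powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA|
2024-11-01T10:00:09|node.exe|AppSetup.exe|node.exe C:\\Users\\u\\AppData\\Local\\Temp\\celestial.js|C:\\Users\\u\\AppData\\Local\\Discord\\app-1.0.9\\modules\\discord_desktop_core\\index.js
2024-11-01T10:01:00|chrome.exe|explorer.exe|C:\\Program Files\\Google\\Chrome\\chrome.exe|
"""


@dataclass
class Event:
    ts: str
    process: str
    parent: str
    cmdline: str
    target: str


def parse_events(text: str) -> List[Event]:
    """Parse the constructed pipe-separated format; process names are lower-cased."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, parent, cmd, target = line.split("|", 4)
        events.append(Event(ts, proc.lower(), parent.lower(), cmd, target))
    return events


# Rule 1: the dropper named in the report, run from the lure archive's folder.
def rule_lure_dropper(ev: Event) -> bool:
    return ev.process == "appsetup.exe" and "vrchaterpsetup" in ev.cmdline.lower()


# Rule 2: hidden, base64-encoded PowerShell whose parent is not an interactive shell.
# Assumption of this example: the reported "decode base64 then download" step and
# the hidden PowerShell activity surface as -EncodedCommand plus -WindowStyle Hidden.
ENCODED_PS = re.compile(r"-(?:encodedcommand|enc|ec|e)\b", re.IGNORECASE)
HIDDEN_PS = re.compile(r"-windowstyle\s+hidden", re.IGNORECASE)
SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}


def rule_hidden_encoded_powershell(ev: Event) -> bool:
    return (ev.process in {"powershell.exe", "pwsh.exe"}
            and ENCODED_PS.search(ev.cmdline) is not None
            and HIDDEN_PS.search(ev.cmdline) is not None
            and ev.parent not in SHELL_PARENTS)


# Rule 3: a Node/Electron runtime writing into the install tree of a targeted app.
SCRIPT_RUNTIMES = {"node.exe", "electron.exe"}
TARGET_APP_DIRS = re.compile(r"\\(discord|exodus)\\", re.IGNORECASE)


def rule_runtime_writes_target_app(ev: Event) -> bool:
    return ev.process in SCRIPT_RUNTIMES and TARGET_APP_DIRS.search(ev.target) is not None


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("lure_dropper", rule_lure_dropper),
    ("hidden_encoded_powershell", rule_hidden_encoded_powershell),
    ("runtime_writes_target_app", rule_runtime_writes_target_app),
]


def scan(text: str) -> List[Dict[str, str]]:
    """Return one alert per (event, rule) match, in event order."""
    alerts = []
    for ev in parse_events(text):
        for name, rule in RULES:
            if rule(ev):
                alerts.append({"rule": name, "ts": ev.ts,
                               "process": ev.process, "parent": ev.parent})
    return alerts


def is_delivery_chain(alerts: List[Dict[str, str]]) -> bool:
    """True when the dropper fired and at least one later-stage rule fired as well."""
    names = {a["rule"] for a in alerts}
    return "lure_dropper" in names and len(names) >= 2


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("delivery chain:", is_delivery_chain(found))
```

The individual rules are deliberately weak on their own (encoded PowerShell and Node writing to an app directory both occur legitimately); the value is in `is_delivery_chain`, which only escalates when the named dropper is followed by one of the later stages on the same host, which matches the multi-stage download the report describes.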

In conclusion, Celestial Stealer underscores the importance of staying vigilant against evolving cyber threats that continue to target user data and compromise security. It is crucial for users to implement robust cybersecurity measures and stay informed about the latest malware trends to protect themselves against such sophisticated threats.
