
Cybersecurity researchers have discovered a new “sophisticated” Java-based information stealer that uses Discord bots to exfiltrate sensitive data from infected hosts.
The malware, called NS-Stealer, is spread through ZIP files disguised as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week.
The ZIP archive contains a malicious Windows shortcut file (“Loader GAYve”) that acts as a conduit to deploy the malicious JAR file. On execution, the JAR first creates a folder named “NS-<11-digit_random_number>” in which to stage the collected data.

The malware then saves to this folder screenshots, system information, a list of installed programs, Discord tokens, Steam and Telegram session data, and cookies, credentials and autofill data harvested from more than two dozen web browsers. The collected information is then exfiltrated to a Discord bot channel.
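The delivery chain and on-disk artifacts described above give a defender three cheap triage signals: a ZIP that pairs a Windows shortcut with a JAR (or a shortcut whose body references java), a staging directory matching NS-<11 digits>, and Discord API traffic from a Java client. The following is an added example written for this page, not code from Trellix or from the malware; it assumes the shortcut carries a .lnk extension, that the stealer posts with the default Java User-Agent (“Java/<version>”) to discord.com/api, and the proxy log lines and ZIP contents are constructed here for illustration.

```python
"""Triage heuristics for the NS-Stealer delivery chain (added example)."""
import io
import re
import zipfile

# Staging folder name from the Trellix analysis: NS- followed by 11 digits.
NS_DIR_RE = re.compile(r"^NS-\d{11}$")
# java.net.HttpURLConnection sends "Java/<version>" by default; assumption that
# the stealer does not override it.
JAVA_UA_RE = re.compile(r"\bJava/\d")
# Discord REST API base, including the legacy discordapp.com host (assumption).
DISCORD_API_RE = re.compile(r"https?://(?:[\w.-]+\.)?discord(?:app)?\.com/api/")


def _mentions_java(body: bytes) -> bool:
    """True if a shortcut body references java or a .jar, in ASCII or UTF-16LE
    (LNK StringData is UTF-16LE when the IsUnicode flag is set)."""
    body = body.lower()
    for needle in (b"java", b".jar"):
        if needle in body or needle.decode().encode("utf-16-le") in body:
            return True
    return False


def triage_zip(data: bytes) -> dict:
    """Flag archives that pair a .lnk with a .jar, or whose .lnk references java."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        lnks = [n for n in names if n.lower().endswith(".lnk")]
        jars = [n for n in names if n.lower().endswith(".jar")]
        refs_java = any(_mentions_java(zf.read(n)) for n in lnks)
    return {
        "lnk": lnks,
        "jar": jars,
        "suspicious": bool(lnks) and (bool(jars) or refs_java),
    }


def is_ns_artifact_dir(name: str) -> bool:
    """Match the NS-<11-digit_random_number> staging folder name."""
    return bool(NS_DIR_RE.match(name))


def flag_discord_exfil(log_lines) -> list:
    """Return proxy log lines where a Java client talks to the Discord API."""
    return [ln for ln in log_lines if DISCORD_API_RE.search(ln) and JAVA_UA_RE.search(ln)]


def build_sample_zip(malicious: bool = True) -> bytes:
    """Constructed test archive; the .lnk body is a stand-in, not a real LNK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", b"crack instructions")
        if malicious:
            # Real LNK files begin with 0x4C000000 and the ShellLink CLSID;
            # only the header bytes and a UTF-16LE command line are mimicked.
            zf.writestr("Loader GAYve.lnk",
                        b"L\x00\x00\x00" + "javaw.exe -jar loader.jar".encode("utf-16-le"))
            zf.writestr("loader.jar", b"PK\x03\x04")
    return buf.getvalue()


# Constructed proxy log lines (Apache-style with a trailing User-Agent field).
SAMPLE_PROXY_LOG = [
    '10.0.0.5 - - [17/Jan/2024:10:21:03 +0000] "POST https://discord.com/api/v10/channels/1234/messages HTTP/1.1" 200 "Java/17.0.2"',
    '10.0.0.7 - - [17/Jan/2024:10:21:09 +0000] "GET https://discord.com/api/v10/users/@me HTTP/1.1" 200 "Mozilla/5.0 discord/1.0.9"',
    '10.0.0.9 - - [17/Jan/2024:10:22:11 +0000] "GET https://example.com/ HTTP/1.1" 200 "Java/17.0.2"',
]

if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
    print(is_ns_artifact_dir("NS-12345678901"))
    print(flag_discord_exfil(SAMPLE_PROXY_LOG))
```

The ZIP check is deliberately name- and string-based so it runs on archives the mail gateway has not yet extracted; a full LNK parser would also recover the target path and arguments, but the presence of a shortcut next to a JAR in an archive posing as a crack is already enough to quarantine. The Discord rule will also catch legitimate Java bots, so treat it as a lead to correlate with the staging-folder artifact rather than a standalone verdict.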
“Given the highly sophisticated functionality of collecting sensitive information and using X509Certificate to support authentication, this malware can quickly steal information from the victim’s system through [the Java Runtime Environment],” Ramanathan said.
“Discord bot channels are also cost-effective as event listeners for receiving leaked material.”
This development comes as the threat actor behind the Chaes (also known as Chae$) malware has released an update (version 4.1) to the information stealer, improving its Chronod module, which is responsible for stealing login credentials entered in web browsers and intercepting cryptocurrency transactions.

According to Morphisec, the infection chain that distributes the malware uses a legal-themed email lure written in Portuguese to trick recipients into clicking a bogus link that drops a malicious installer, which in turn launches Chae$ 4.1.
Interestingly, the developers also left a message directly in the source code for security researcher Arnold Osipov, who has extensively analysed Chaes in the past, expressing gratitude for information that could help them improve the “software”.