A new virus known as BluStealer has been identified that combines a keylogger, bitcoin stealer, and document uploader in one package. BluStealer, also known as a310logger, was initially discovered by a researcher in May. The malware spread sharply in mid-September, and as a result over 6,000 users were affected in a single day. The criminals behind it are disseminating it using phishing emails that encourage people to download a seemingly innocent file. The file, however, is only a front for malicious scripts that attempt to launch the BluStealer payload. Once installed, this .NET virus will attempt to log and steal sensitive information from the victim’s computer, which it will then send to the attackers.
Let’s learn more about BluStealer
The inner payloads of BluStealer are written in C# .NET, while the main code is built in VB. In the observed cases, both of these components are distinct, suggesting that the builder may change each component independently.
- The VB core reuses the majority of the code from the SpyEx project (first spotted in 2004). As a result, SpyEx strings are found in the first samples discovered in May.
- BluStealer has the ability to steal crypto wallet info, replace crypto addresses in the clipboard, locate/upload document files, steal data through SMTP, leverage Telegram Bot API, and employ anti-analysis/VM techniques.
- ThunderFox, ChromeRecovery, firepwd, and StormKitty are open-source C# hack tools that were combined to form the .NET component.
- The malware's .NET loader has also been used by Snake Keylogger, Oski Stealer, Formbook, Agent Tesla, and RedLine.
Source of spread
BluStealer is disseminated mostly through malspam campaigns; a high number of copies were found in one campaign that utilized a unique .NET loader.
- The spam emails included links to Discord’s Content Delivery Network (CDN), which was used as malware dissemination infrastructure.
- Two BluStealer malspam samples have been discovered by researchers. One was a phoney DHL invoice in English, while the other was a false communication from a Mexican metal firm called General de Perfiles in Spanish.
- Both samples included .iso attachments as well as download links. The messages that accompanied them suggested that the recipients needed to click the link and fill out the information in order to remedy an issue with their shipment delivery.
- The malicious executables were bundled with the .NET loader in the attachments. The loader is obfuscated and does not match any .NET obfuscator currently available (when matched using de4dot).
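The delivery traits listed above (.iso attachments and download links pointing at Discord's CDN) can be checked at a mail gateway. The following triage sketch is an added example, not code from the researchers or from the malware; the hostname `cdn.discordapp.com`, the function name `triage`, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: hostname of Discord's CDN; the article names the CDN but no host.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def triage(raw_message):
    """Return the sorted lure indicators found in one RFC 5322 message."""
    reasons = set()
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        # Attachment check: disk-image files delivered directly in the mail.
        if (part.get_filename() or "").lower().endswith(".iso"):
            reasons.add("iso-attachment")
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True) or b""
        text = body.decode(part.get_content_charset() or "utf-8", "replace")
        # Link check: URLs in the body that point at the CDN or at an .iso file.
        for url in URL_RE.findall(text):
            parsed = urlparse(url.rstrip(".,;)"))
            if (parsed.hostname or "").lower() in DISCORD_CDN_HOSTS:
                reasons.add("discord-cdn-link")
            if parsed.path.lower().endswith(".iso"):
                reasons.add("iso-download-link")
    return sorted(reasons)

# Constructed sample messages (not real campaign data).
LURE = """\
From: billing@example.test
Subject: Shipment invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please fix your delivery: https://cdn.discordapp.com/attachments/0/0/invoice.iso

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.iso"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
BENIGN = "Subject: Hi\nContent-Type: text/plain\n\nTrack at https://example.test/t\n"
```

A hit on any single indicator is a reason for quarantine and review rather than proof of BluStealer, since legitimate mail can also carry CDN links.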
BluStealer exploits genuine services to evade detection, possibly posing a serious danger to security professionals throughout the world. Let’s stay alert!