SapphireStealer Malware: A Gateway to Espionage and Ransomware Operations

An open-source .NET-based information stealer malware dubbed SapphireStealer is being used by multiple entities to enhance its capabilities and spawn their own bespoke variants.

“Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for additional attacks, including operations related to espionage or ransomware/extortion,” Cisco Talos researcher Edmund Brumaghin said in a report shared with The Hacker News.

An entire ecosystem has developed over time that allows both financially motivated and nation-state actors to use services from purveyors of stealer malware to carry out various kinds of attacks.

Viewed in that light, such malware not only represents an evolution of the cybercrime-as-a-service (CaaS) model, they also offer other threat actors to monetize the stolen data to distribute ransomware, conduct data theft, and other malicious cyber activities.

SapphireStealer is a lot like other stealer malware that have increasingly cropped up on the dark web, equipped with features to gather host information, browser data, files, screenshots, and exfiltrate the data in the form of a ZIP file via Simple Mail Transfer Protocol (SMTP).

But the fact that its source code was published for free in late December 2022 has enabled miscreants to experiment with the malware and make it difficult to detect. This includes the addition of flexible data exfiltration methods using a Discord webhook or Telegram API.

“Multiple variants of this threat are already in the wild, and threat actors are improving on its efficiency and effectiveness over time,” Brumaghin said.

The malware author has also made public a .NET malware downloader, codenamed FUD-Loader, which makes it possible to retrieve additional binary payloads from attacker-controlled distribution servers.

Talos said it detected the malware downloader being used in the wild to deliver remote administration tools like DCRat, njRAT, DarkComet, and Agent Tesla.

The disclosure comes a little over a week after Zscaler shared details of another stealer malware called Agniane Stealer that’s capable of plundering credentials, system information, session details from browsers, Telegram, Discord, and file transfer tools, as well as data from over 70 cryptocurrency extensions and 10 wallets.

It’s offered for sale for $50 a month (no lifetime license) on several dark web forums and a Telegram channel.

“The threat actors responsible for Agniane Stealer utilize packers to maintain and regularly update the malware’s functionality and evasions features,” security researcher Mallikarjun Piddannavar said.