Researchers have discovered a new information-stealing malware called NS-STEALER that uses a Discord bot to exfiltrate data from compromised hosts. The malware is distributed through ZIP archives disguised as cracked software; each archive contains a rogue Windows shortcut (.lnk) file that launches a malicious JAR file. NS-STEALER steals sensitive information such as screenshots, cookies, credentials, and autofill data from web browsers, as well as system information and Discord tokens. The captured data is then sent to a Discord bot channel. Separately, the developers of the Chaes malware have released an update to its information-stealing capabilities, including improvements to its Chronod module.
NS-STEALER is described as highly sophisticated: it is written in Java and relies on the Java Runtime Environment present on the victim host to harvest information quickly. It uses an X509Certificate for authentication and registers the Discord bot channel as an EventListener so that the stolen data is delivered through the bot. Chae$ 4.1, by contrast, is distributed through legal-themed email lures written in Portuguese that trick recipients into clicking bogus links, which in turn run the malicious installer. Interestingly, the Chae$ 4.1 developers left messages in the source code expressing gratitude to a security researcher who has extensively analyzed the malware in the past.
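As an added illustration, not code from the original report or from the researchers it cites, the following Python script applies a simple triage heuristic to ZIP archives that match the NS-STEALER delivery chain described above: a Windows shortcut (.lnk) bundled alongside a JAR, or a shortcut whose embedded command line references Java. The archive contents and file names are constructed for this example; the .lnk body is only the shell-link header magic plus UTF-16LE command text, not a complete shell-link structure, and the thresholds are the author's own, not indicators published with the malware analysis.

```python
import io
import zipfile

# Shell link files start with a 4-byte HeaderSize field of 0x0000004C.
LNK_MAGIC = b"\x4c\x00\x00\x00"

# Strings inside a .lnk are stored as UTF-16LE when the IsUnicode flag is set,
# so the markers are encoded the same way before searching the raw bytes.
JAVA_MARKERS = [s.encode("utf-16-le") for s in ("javaw", "java.exe", "-jar", ".jar")]


def scan_archive(data: bytes) -> dict:
    """Flag a ZIP that pairs a shortcut with a JAR, or whose shortcut invokes Java."""
    findings = {
        "lnk_files": [],
        "jar_files": [],
        "lnk_invokes_java": [],
        "suspicious": False,
    }
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            name = info.filename.lower()
            if name.endswith(".jar"):
                findings["jar_files"].append(info.filename)
            elif name.endswith(".lnk"):
                findings["lnk_files"].append(info.filename)
                body = archive.read(info)
                # Only trust the marker search if the file really looks like a shell link.
                if body.startswith(LNK_MAGIC) and any(m in body for m in JAVA_MARKERS):
                    findings["lnk_invokes_java"].append(info.filename)

    # Heuristic (assumption for this example): either signal alone is enough to
    # hold the archive for analysis. Neither by itself proves malice; a benign
    # installer could legitimately ship a shortcut next to a JAR.
    findings["suspicious"] = bool(findings["lnk_invokes_java"]) or (
        bool(findings["lnk_files"]) and bool(findings["jar_files"])
    )
    return findings


def build_sample_zip() -> bytes:
    """Constructed lure shaped like the described chain: fake crack, .lnk, JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Photoshop_crack/README.txt", "run the shortcut to activate")
        # Minimal stand-in for a shortcut: header magic + UTF-16LE command line.
        lnk_body = LNK_MAGIC + "javaw.exe -jar loader.jar".encode("utf-16-le")
        archive.writestr("Photoshop_crack/Setup.lnk", lnk_body)
        # A JAR is itself a ZIP; the local-file-header magic is enough here.
        archive.writestr("Photoshop_crack/loader.jar", b"PK\x03\x04fake-jar-content")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control case: a JAR distributed without any shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("tool/app.jar", b"PK\x03\x04benign-jar-content")
        archive.writestr("tool/run.sh", "#!/bin/sh\njava -jar app.jar\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_archive(build_sample_zip()))
    print(scan_archive(build_benign_zip()))
```

In practice the marker search should be replaced by a proper shell-link parser that reads the LinkTargetIDList and command-line arguments, and the result fed to a mail or web gateway rule that quarantines archives with "cracked software" themed names rather than blocking on the heuristic alone.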
This discovery highlights the ongoing threat of information-stealing malware and the evolving tactics used by cybercriminals. It is crucial for individuals and organizations to remain vigilant and employ robust cybersecurity measures to protect sensitive data from being compromised.