Friday, November 15, 2024
HomeCyber AIHackers Selling GlorySprout Malware with Anti-VM Features in underground Fourm for $300

Hackers Selling GlorySprout Malware with Anti-VM Features in underground Fourm for $300

Published on

GlorySprout stealer, advertised on the XSS forum in early March 2024, is a C++ stealer sold for $300 with lifetime access and temporary payload encryption, that includes a loader, anti-CIS execution, and a non-functional grabber module. 

Taurus Stealer, a C++ stealer with a Golang panel, emerged for sale on XSS in April 2020 and shared similarities with Predator Stealer in encryption, bot ID format, anti-VM features, and code naming conventions. 

There is mention of anti-VM and keylogging functionalities, but their existence has not been confirmed. Additionally, the stealer enables log backup and the ability to ban certain countries or IPs. It has been recognized as a clone of Taurus Stealer.

- Advertisement - SIEM as a Service
Taurus Stealer panel

It also reportedly ended development in 2021, but cracked versions and possibly leaked source code have surfaced on Telegram, potentially explaining the continued circulation. 

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Technical Analysis of the GlorySprout 

According to RussianPanda, a Senior Threat Intelligence researcher, eSentire, GlorySprout dynamically resolves APIs by hashing them using operations like multiplication, addition, and XOR and shifting target system libraries like shell32.dll and wininet.dll. 

GlorySprout panel

It uses specific offsets to access these hashed API values and implements anti-analysis techniques by checking for specific language identifiers and obfuscating strings using XOR and arithmetic operations. 

 hashing process involves operations such as multiplication, addition, XOR, and shifting

GlorySprout creates persistence via a scheduled task named “\WindowsDefender\Updater” that executes a secondary payload dropped in the %TEMP% folder. 

It also uses a function to generate random strings for various purposes, including filenames and RC4 keys, but this function might not be truly random, whereas the C2 address for communication is retrieved from the resource section of the unpacked payload.  

An infected machine communicates with the C2 server on port 80 disguised as a browser and sends a POST request with an encrypted BotID and a predefined user agent. 

The RC4 key for encryption is generated with a constant initial state value, resulting in the same key for every check-in and the server responds with an encrypted configuration detailing data to steal (browser history, wallets, etc.) and further actions (downloading secondary payload, self-deletion). 

The machine harvests data, encrypts it with the received RC4 key and sends it back to the server. Upon receiving a success message, the machine signals completion and potentially downloads another malicious payload. 

Indicators Of Compromise

GlorySprout, a stealer program written in Golang, utilizes SQL databases likely processed through the sqlx library and the analysis of the database reveals mentions of “taurus,”  suggesting GlorySprout is a clone of the Taurus Stealer code. 

Decrypted browser passwords are found in logs stored in General/forms.txt, indicating server-side decryption. 

GlorySprout differs from Taurus Stealer in that it does not download additional DLLs and lacks anti-VM features, which suggests GlorySprout may not achieve the same level of popularity as other stealers. 

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

Understanding Crypto Macroeconomic Factors: Navigating Inflation, Rates, And Regulations 

Diving into the world of cryptocurrencies, I've found it's a fascinating intersection of technology...