Saturday, December 2, 2023

Cybercriminals Released Mini Stealer’s Builder & Panel for Free on a Cybercrime Forum

A threat actor has recently released MiniStealer’s builder and panel for free on a cybercrime forum. Cyble Research and Intelligence Labs (CRIL) security analysts discovered this exploit during a routine threat hunting exercise carried out recently.

Threat actors can easily create malicious payloads using such builders, which can make them easy for them to generate. There is a lot of stuff that MiniStealer targets, but it mostly targets FTP applications and browsers that are based on Chromium.

Threat actors claim that their stealer can target different OS, including the following:- 

  • Windows 7
  • Windows 10
  • Windows 11

The same threat actor made a post sometime after the release of MiniStealer, where he sold the builder and panel for Parrot Stealer for the price of USD 50.

As stated in the report by the threat actor, this stealer is a modified version of MiniStealer. It is possible that the threat actor had added functionality in Parrot stealer that wasn’t present in MiniStealer.

Technical Analysis

The threat actor has leaked two folders from the zip file it has leaked. Here is a list of the files that are contained inside these folders:-

  • Builder: MiniStealerBuilder.exe, Stub
  • Panel: Web Panel Source code

Threat actor released a binary builder that was based on the .NET framework. In order to make the payload more powerful, it has the ability to include the details of C&C in it. 

The actual payload for the builder is located in a file called “stub” that is actually placed in the builder’s build folder. The C&C details are then written to the payload once this is completed so that the final payload can be created.

Test Reports are sent to the C&C server when the Test Button is clicked, in order to determine if the connection can be established with the server. There are three strings that are present in these logs:-

  • TestUser
  • TestPass
  • TestHost

The Mini Stealer application is a 64-bit .NET binary that incorporates Timestomping. Timestomping refers to the process of altering the timestamps of files.

In order to deflect unnecessary attention from forensic investigations, adversaries employ this technique when delivering their payloads.


Here below we have mentioned all the recommendations:-

  • The use of warez and torrent websites is not recommended as a source for downloading pirated software.
  • Ensure that your passwords are strong at all times.
  • Whenever possible, ensure that multi-factor authentication is enforced.   
  • Activate the auto-update feature that automatically updates your device or system software.
  • Make sure you use an anti-virus program that is reputed.
  • Whenever you receive an email that contains an attachment or a link that you are unsure of, do not open it.
  • Employers should be educated on how to protect themselves against malicious activity such as phishing or untrusted URLs, such as spam emails.  
  • In order to prevent malicious URLs from being used to spread malware, you should block them.
  • It is important to keep an eye on the beacons at the network level to identify malware and threat actors that may try to steal data from them.

Secure Azure AD Conditional Access – Download Free White Paper


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles