Saturday, April 13, 2024

Hackers Selling GlorySprout Malware with Anti-VM Features in underground Fourm for $300

GlorySprout stealer, advertised on the XSS forum in early March 2024, is a C++ stealer sold for $300 with lifetime access and temporary payload encryption, that includes a loader, anti-CIS execution, and a non-functional grabber module. 

Taurus Stealer, a C++ stealer with a Golang panel, emerged for sale on XSS in April 2020 and shared similarities with Predator Stealer in encryption, bot ID format, anti-VM features, and code naming conventions. 

There is mention of anti-VM and keylogging functionalities, but their existence has not been confirmed. Additionally, the stealer enables log backup and the ability to ban certain countries or IPs. It has been recognized as a clone of Taurus Stealer.

Taurus Stealer panel

It also reportedly ended development in 2021, but cracked versions and possibly leaked source code have surfaced on Telegram, potentially explaining the continued circulation. 

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Technical Analysis of the GlorySprout 

According to RussianPanda, a Senior Threat Intelligence researcher, eSentire, GlorySprout dynamically resolves APIs by hashing them using operations like multiplication, addition, and XOR and shifting target system libraries like shell32.dll and wininet.dll. 

GlorySprout panel

It uses specific offsets to access these hashed API values and implements anti-analysis techniques by checking for specific language identifiers and obfuscating strings using XOR and arithmetic operations. 

 hashing process involves operations such as multiplication, addition, XOR, and shifting

GlorySprout creates persistence via a scheduled task named “\WindowsDefender\Updater” that executes a secondary payload dropped in the %TEMP% folder. 

It also uses a function to generate random strings for various purposes, including filenames and RC4 keys, but this function might not be truly random, whereas the C2 address for communication is retrieved from the resource section of the unpacked payload.  

An infected machine communicates with the C2 server on port 80 disguised as a browser and sends a POST request with an encrypted BotID and a predefined user agent. 

The RC4 key for encryption is generated with a constant initial state value, resulting in the same key for every check-in and the server responds with an encrypted configuration detailing data to steal (browser history, wallets, etc.) and further actions (downloading secondary payload, self-deletion). 

The machine harvests data, encrypts it with the received RC4 key and sends it back to the server. Upon receiving a success message, the machine signals completion and potentially downloads another malicious payload. 

Indicators Of Compromise

GlorySprout, a stealer program written in Golang, utilizes SQL databases likely processed through the sqlx library and the analysis of the database reveals mentions of “taurus,”  suggesting GlorySprout is a clone of the Taurus Stealer code. 

Decrypted browser passwords are found in logs stored in General/forms.txt, indicating server-side decryption. 

GlorySprout differs from Taurus Stealer in that it does not download additional DLLs and lacks anti-VM features, which suggests GlorySprout may not achieve the same level of popularity as other stealers. 

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Website

Latest articles

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles