Friday, July 19, 2024

Hackers Selling GlorySprout Malware with Anti-VM Features in underground Fourm for $300

GlorySprout stealer, advertised on the XSS forum in early March 2024, is a C++ stealer sold for $300 with lifetime access and temporary payload encryption, that includes a loader, anti-CIS execution, and a non-functional grabber module. 

Taurus Stealer, a C++ stealer with a Golang panel, emerged for sale on XSS in April 2020 and shared similarities with Predator Stealer in encryption, bot ID format, anti-VM features, and code naming conventions. 

There is mention of anti-VM and keylogging functionalities, but their existence has not been confirmed. Additionally, the stealer enables log backup and the ability to ban certain countries or IPs. It has been recognized as a clone of Taurus Stealer.

Taurus Stealer panel

It also reportedly ended development in 2021, but cracked versions and possibly leaked source code have surfaced on Telegram, potentially explaining the continued circulation. 


Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Technical Analysis of the GlorySprout 

According to RussianPanda, a Senior Threat Intelligence researcher, eSentire, GlorySprout dynamically resolves APIs by hashing them using operations like multiplication, addition, and XOR and shifting target system libraries like shell32.dll and wininet.dll. 

GlorySprout panel

It uses specific offsets to access these hashed API values and implements anti-analysis techniques by checking for specific language identifiers and obfuscating strings using XOR and arithmetic operations. 

 hashing process involves operations such as multiplication, addition, XOR, and shifting

GlorySprout creates persistence via a scheduled task named “\WindowsDefender\Updater” that executes a secondary payload dropped in the %TEMP% folder. 

It also uses a function to generate random strings for various purposes, including filenames and RC4 keys, but this function might not be truly random, whereas the C2 address for communication is retrieved from the resource section of the unpacked payload.  

An infected machine communicates with the C2 server on port 80 disguised as a browser and sends a POST request with an encrypted BotID and a predefined user agent. 

The RC4 key for encryption is generated with a constant initial state value, resulting in the same key for every check-in and the server responds with an encrypted configuration detailing data to steal (browser history, wallets, etc.) and further actions (downloading secondary payload, self-deletion). 

The machine harvests data, encrypts it with the received RC4 key and sends it back to the server. Upon receiving a success message, the machine signals completion and potentially downloads another malicious payload. 

Indicators Of Compromise

GlorySprout, a stealer program written in Golang, utilizes SQL databases likely processed through the sqlx library and the analysis of the database reveals mentions of “taurus,”  suggesting GlorySprout is a clone of the Taurus Stealer code. 

Decrypted browser passwords are found in logs stored in General/forms.txt, indicating server-side decryption. 

GlorySprout differs from Taurus Stealer in that it does not download additional DLLs and lacks anti-VM features, which suggests GlorySprout may not achieve the same level of popularity as other stealers. 

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles