Hackers Selling GlorySprout Malware with Anti-VM Features in underground Fourm for $300

GlorySprout stealer, advertised on the XSS forum in early March 2024, is a C++ stealer sold for $300 with lifetime access and temporary payload encryption, that includes a loader, anti-CIS execution, and a non-functional grabber module. 

Taurus Stealer, a C++ stealer with a Golang panel, emerged for sale on XSS in April 2020 and shared similarities with Predator Stealer in encryption, bot ID format, anti-VM features, and code naming conventions. 

There is mention of anti-VM and keylogging functionalities, but their existence has not been confirmed. Additionally, the stealer enables log backup and the ability to ban certain countries or IPs. It has been recognized as a clone of Taurus Stealer.

Taurus Stealer panel

It also reportedly ended development in 2021, but cracked versions and possibly leaked source code have surfaced on Telegram, potentially explaining the continued circulation. 

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Technical Analysis of the GlorySprout

According to RussianPanda, a Senior Threat Intelligence researcher, eSentire, GlorySprout dynamically resolves APIs by hashing them using operations like multiplication, addition, and XOR and shifting target system libraries like shell32.dll and wininet.dll. 

GlorySprout panel

It uses specific offsets to access these hashed API values and implements anti-analysis techniques by checking for specific language identifiers and obfuscating strings using XOR and arithmetic operations. 

 hashing process involves operations such as multiplication, addition, XOR, and shifting

GlorySprout creates persistence via a scheduled task named “\WindowsDefender\Updater” that executes a secondary payload dropped in the %TEMP% folder. 

It also uses a function to generate random strings for various purposes, including filenames and RC4 keys, but this function might not be truly random, whereas the C2 address for communication is retrieved from the resource section of the unpacked payload.  

An infected machine communicates with the C2 server on port 80 disguised as a browser and sends a POST request with an encrypted BotID and a predefined user agent. 

The RC4 key for encryption is generated with a constant initial state value, resulting in the same key for every check-in and the server responds with an encrypted configuration detailing data to steal (browser history, wallets, etc.) and further actions (downloading secondary payload, self-deletion). 

The machine harvests data, encrypts it with the received RC4 key and sends it back to the server. Upon receiving a success message, the machine signals completion and potentially downloads another malicious payload. 

Indicators Of Compromise

GlorySprout, a stealer program written in Golang, utilizes SQL databases likely processed through the sqlx library and the analysis of the database reveals mentions of “taurus,”  suggesting GlorySprout is a clone of the Taurus Stealer code. 

Decrypted browser passwords are found in logs stored in General/forms.txt, indicating server-side decryption. 

GlorySprout differs from Taurus Stealer in that it does not download additional DLLs and lacks anti-VM features, which suggests GlorySprout may not achieve the same level of popularity as other stealers. 

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Cyber Criminals Exploit Windows Management Console to Deliver Backdoor Payloads

A recent campaign dubbed FLUX#CONSOLE has come to light, leveraging Microsoft Common Console Document (.MSC) files to…

15 hours ago

Texas Tech Systems Breach, Hackers Accessed System Folders & Files

The Texas Tech University Health Sciences Center (TTUHSC) and Texas Tech University Health Sciences Center…

16 hours ago

Beware of Malicious Ads on Captcha Pages that Deliver Password Stealers

Malicious actors have taken cybercrime to new heights by exploiting captcha verification pages, a typically…

18 hours ago

Hitachi Authentication Bypass Vulnerability Allows Attackers to Hack the System Remotely

Critical Authentication Bypass Vulnerability Identified in Hitachi Infrastructure Analytics Advisor and Ops Center Analyzer. A…

20 hours ago

ConnectOnCall Data Breach, 900,000 Customers Data Exposed

 The healthcare communication platform ConnectOnCall, operated by ConnectOnCall.com, LLC, has confirmed a significant data breach…

20 hours ago

Kali Linux 2024.4 Released – What’s New!

Kali Linux has unveiled its final release for 2024, version Kali Linux 2024.4, packed with…

20 hours ago