Monday, June 17, 2024

New Undetected Python-Based Info-stealer Offered Via Dedicated Website

Akira is an information stealer malware that was found in March 2023. This malware can steal sensitive information, including saved credentials and payment card details, usernames, system ID, hardware details, installed software, and network configurations. 

Once this information is extracted, it uploads the data on a ‘GoFile’ online storage management service and Discord instant messaging service accounts owned by the threat actor. 

Akira Stealer

According to the reports exclusively shared with Cyber Security News, Akira Stealer contains a multi-level infection process for code obfuscation and detection evasion.

The threat actor is also found to be providing services over Telegram, a C2 server, and GitHub.

Moreover, the threat actor claims that this malware is FUD (Fully Undetectable). Its telegram channel, Akira, consists of 358 subscribers as of now. The threat actor also offers a Malware-as-a-service domain “https[:]//akira[.]red/”.

File, Behavioral, and Code Analysis

As a means of Analysis, researchers collected a sample file, “3989X_NORD_VPN_PREMIUM_HITS.txt.cmd,” which was a CMD script file with obfuscated code. However, as stated by the threat actor, the file is completely undetectable on VirusTotal.

Python-Based Akira Stealer
Source: Cyfirma

When executed, it drops a hidden.bat batch file on the current working directory, which was also found to be undetectable. This file consists of an obfuscated PowerShell script that embeds the batch file with the tmp.vbs file for executing with the csscript.exe process.

Extraction and Exfiltration

As for the information stealing, the malware creates a folder with the name of the compromised PC for storing the stolen information. Post this, the malware starts to steal information from several browsers, including Microsoft Edge, Google Chrome, Opera, Mozilla Firefox, and 14 other browsers. 

Furthermore, the stealer is also capable of targeting financial data, such as saved credit cards and login credentials, collecting bookmarks and wallet extension data, taking screenshots, and much more.

A complete report about this Akira stealer malware has been published by Cyfirma, which provides detailed information about the malware behavior, source code, and other information.

Indicators of Compromise

S.NoIndicatorsTypeContext
1016dfdd45c8208d246d59327c40355e0MD5 Hash3989X_NORD_VPN_PREMIUM_HITS.txt.cmd
2b14262297bdfc61e2103eed6d77dce42bd3076c31912b4143151dfa36f751411SHA-256 Hash3989X_NORD_VPN_PREMIUM_HITS.txt.cmd
381e7ff1742d45075305a2082b1a7ac9dMD5 Hashhidden.bat
403564dc699f82f7e5d52046d82863ceddc6d657c66c0078f88cfe9cf1953187bSHA-256 Hashhidden.bat
54027c802411f8b4091c5c4eb077efa49MD5 HashFile.zip
650e36d96cb593c39afa2fc11ac25c976f0ff1586159d2eb2626902e6d6062f81SHA-256 HashFile.zip
7Akira[.]redDomainC2 server
8https[:]//akira[.]red/pyst.txtURLC2 server
9https[:]//akira[.]red/inj.phpURLC2 server
10https[:]//api[.]gofile[.]io/getServerURLData exfiltration
11https[:]//store11[.]gofile[.]io/uploadFileURLData exfiltration
12https[:]//store1[.]gofile[.]io/uploadFileURLData exfiltration
13https[:]//store4[.]gofile[.]io/uploadFileURLData exfiltration
14https[:]//discord[.]com/api/webhooks/1145738132550078484/px0c3QsngkzQX39aXJP-vKODDYwvODftHl6j83epN0ndbZ0O_DQ7D6vhFVDcluj0rLeyURLData exfiltration
15https[:]//store7[.]gofile[.]io/download/direct/13d3e926-8be7-4c15-a1d9-f0e809ec1f14/m2[.]zipURLMalware download
16https://t[.]me/AkiraRedBotURLTelegram channel
17https://t[.]me/akiraundetectorURLTelegram channel

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.

Website

Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles