Security researchers at Sublime have uncovered a multi-stage malware campaign built around TROX Stealer, an information stealer whose lures rely on urgency to deceive victims.
The malware, first observed in December 2024, is delivered through an intricate attack chain designed to harvest sensitive data from ordinary consumers.
TROX Stealer’s success hinges on the psychological tactic of urgency, prompting victims to bypass critical thinking.
Attackers leverage urgent-sounding emails with subjects like “Last Opportunity to Settle Debt Before Legal Action” or “Final Warning: Legal Action Pending for Your Account,” creating a sense of panic.
TROX Stealer is sold under a Malware-as-a-Service (MaaS) model, which lets operators deploy and iterate large-scale campaigns quickly.
The stealer was offered on a weekly licence that gave each buyer only a few days of exclusive use, an arrangement that favours short, fast-moving campaigns.
The Distribution Mechanism
Using TROX Stealer, the attackers targeted a range of sectors, including security companies, universities, and solar energy corporations.
Each email carried HTML-formatted text with a link to download the supposed legal documents.

The link redirected to an attacker-controlled domain that hosted the malware under the file name 'DebtCollectionCase#######.exe'.
The download URL carried a one-time token, so each link served the payload only once; anyone who follows the same link later receives nothing, which hampers sample collection by researchers.
Technical Sophistication
TROX Stealer's installation chain relies on several evasion techniques:
- Initial delivery: a Nuitka-compiled Python script, wrapped in multiple layers of obfuscation, is downloaded from the attacker's domain as a Windows executable. Because Nuitka compiles Python to native code, the usual Python bytecode decompilers do not apply.
- Execution: the executable unpacks embedded files into a temporary folder, opens the decoy document 'client_pdf_case_388.pdf' so the victim sees the promised PDF, and launches 'node700.exe', a bundled Node.js interpreter, which runs further scripts that carry the infection forward.
- WebAssembly: the malware embeds WebAssembly (Wasm) code as Base64, surrounded by extensive junk code that obscures its functionality and hinders analysis.
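An analyst who lands on the Node.js stage needs to pull the Base64-encoded Wasm module out of the junk. The script below is an added example, not code from Sublime's report or from the malware: it scans a script for Base64 runs, decodes each one, keeps only those that begin with the Wasm magic bytes "\0asm", and lists the module's sections. The sample "obfuscated" script and the tiny Wasm module embedded in it are constructed for this example; the section ids and LEB128 encoding are those of the WebAssembly binary format.

```python
import base64
import re

# A WebAssembly binary module starts with the magic bytes "\0asm" followed by a
# 4-byte little-endian version number (1 for every module in use today).
WASM_MAGIC = b"\x00asm"

# Candidate Base64 runs: 16+ characters of the Base64 alphabet plus optional padding.
# Shorter runs are ignored because they cannot hold a whole module header anyway.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def read_uleb128(buf: bytes, pos: int):
    """Decode the unsigned LEB128 integer at buf[pos]; return (value, next_pos)."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def wasm_sections(module: bytes):
    """List the (section_id, payload_size) pairs of a module in file order.
    Section ids: 1=type, 3=function, 7=export, 10=code (others exist)."""
    sections = []
    pos = 8  # skip magic + version
    while pos < len(module):
        section_id = module[pos]
        size, pos = read_uleb128(module, pos + 1)
        sections.append((section_id, size))
        pos += size
    return sections


def find_wasm_blobs(script: bytes):
    """Return one dict per Base64 run in `script` that decodes to a Wasm module.
    Junk code and Base64 strings that decode to something else are skipped."""
    hits = []
    for m in B64_RUN.finditer(script):
        run = m.group(0)
        run += b"=" * (-len(run) % 4)  # repair padding an obfuscator may have stripped
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(decoded) >= 8 and decoded.startswith(WASM_MAGIC):
            hits.append({
                "offset": m.start(),
                "version": int.from_bytes(decoded[4:8], "little"),
                "module": decoded,
                "sections": wasm_sections(decoded),
            })
    return hits


# Constructed test data (not from the campaign): a minimal valid module that
# exports f() -> i32 returning 42, embedded in a junk-padded loader snippet.
WASM_MODULE = bytes([
    0x00, 0x61, 0x73, 0x6D, 0x01, 0x00, 0x00, 0x00,   # "\0asm", version 1
    0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7F,         # type section: () -> i32
    0x03, 0x02, 0x01, 0x00,                           # function section: func 0 uses type 0
    0x07, 0x05, 0x01, 0x01, 0x66, 0x00, 0x00,         # export section: "f" = func 0
    0x0A, 0x06, 0x01, 0x04, 0x00, 0x41, 0x2A, 0x0B,   # code section: i32.const 42; end
])

SAMPLE_SCRIPT = (
    b"var _0x3e1a = 'QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=';  // junk: decodes to plain text\n"
    b"function _0x7b20(a, b) { return (a ^ b) + 0x1f3a; }    // junk arithmetic\n"
    b"const m = Buffer.from('" + base64.b64encode(WASM_MODULE) + b"', 'base64');\n"
    b"WebAssembly.instantiate(m).then(r => r.instance.exports.f());\n"
)

if __name__ == "__main__":
    for hit in find_wasm_blobs(SAMPLE_SCRIPT):
        print(hit["offset"], hit["version"], hit["sections"])
```

Run against a real loader, the hits give you the byte offsets to carve and a quick section inventory; a module with an import section (id 2) but no export of anything useful, for instance, is usually just a helper for string decoding rather than the payload itself. Obfuscators that split the Base64 string across concatenated fragments defeat the single-run regex, so join string literals first in that case.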
The infrastructure behind TROX Stealer spans several domains and IP addresses, with routine certificate management that keeps the hosting sites available.
According to the report, Sublime's AI detection engine blocked these attacks at the email delivery stage.
Even so, the sophistication of TROX Stealer, particularly its mix of languages (Nuitka-compiled Python, JavaScript under Node.js, and WebAssembly) and its layered evasion, reflects an evolving threat landscape.
Defences must adapt, integrating AI and advanced analytics to stay ahead of such threats, and user awareness and vigilance remain essential in mitigating the risk posed by malware like TROX Stealer.
Indicators of Compromise (IOCs)
Category | Indicator | Value / note
---|---|---
Domain | debt-collection-experts[.]com | Campaign infrastructure
Domain | documents[.]debt-collection-experts[.]com | Campaign infrastructure
Domain | debt-collection-experts[.]online | Campaign infrastructure
Domain | download[.]debt-collection-experts[.]online | Campaign infrastructure
Domain | downloads[.]debt-collection-experts[.]online | Campaign infrastructure
Domain | docs[.]debt-collection-experts[.]online | Campaign infrastructure
IP address | 89.185.82.34 | Central to this campaign's operations
IP address | 172.22.117.177 | Receives system profiles from the malware. Note that this address lies in the RFC 1918 172.16.0.0/12 private range and is not routable on the internet, so it will only ever match traffic inside a network (or an analysis environment) that uses that range
File hash (SHA-256) | DebtCollectionCase#######.exe | c404baad60fa3e6bb54a38ab2d736238ccaa06af877da6794e0e4387f8f5f0c6
File hash (SHA-1) | DebtCollectionCase#######.exe | ae5166a8e17771d438d2d5e6496bee948fce80a4
File hash (MD5) | DebtCollectionCase#######.exe | c568b578da49cfcdb37d1e15a358b34a
File hash (SHA-256) | node700.exe | 12069e203234812b15803648160cc6ad1a56ec0e9cebaf12bad249f05dc782ef
File hash (SHA-1) | node700.exe | 29a13e190b6dd63e227a7e1561de8edbdeba034b
File hash (MD5) | node700.exe | f5f75c9d71a891cd48b1ae9c7cc9f80d
File hash (SHA-256) | TROX Stealer | 5d7ed7b8300c94e44488fb21302a348c7893bdaeef80d36b78b0e7f0f20135df
File hash (SHA-1) | TROX Stealer | 6deea67690f90455280bc7dfed3c69d262bf24f6
File hash (MD5) | TROX Stealer | fedb7287bcccc256a8dad8aeace799f7
Email address | vpn@esystematics[.]de | 
Email address | vpn@contactcorporate[.]de | 
Email address | vpn@evirtual-provider[.]de | 
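To turn the table above into something a SOC can run, the indicators have to be refanged, domain matches have to respect label boundaries (a look-alike such as evil-debt-collection-experts.com must not match), and non-routable IP indicators have to be set aside rather than silently never firing. The script below is an added example, not code from Sublime or from the report: it loads the IOCs as listed, scans a constructed proxy log in a constructed format (timestamp, client IP, method, URL, destination IP), and checks file bytes against all three hash types. The sample log lines, their client addresses and the example.com and TEST-NET destinations are constructed for this example.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit

# Indicators from the IOC table above, kept defanged ("[.]") so they are not clickable.
IOC_DOMAINS = [
    "debt-collection-experts[.]com",
    "documents[.]debt-collection-experts[.]com",
    "debt-collection-experts[.]online",
    "download[.]debt-collection-experts[.]online",
    "downloads[.]debt-collection-experts[.]online",
    "docs[.]debt-collection-experts[.]online",
]
IOC_IPS = ["89.185.82.34", "172.22.117.177"]
IOC_HASHES = {  # lower-case hex digest -> artefact name from the table
    "c404baad60fa3e6bb54a38ab2d736238ccaa06af877da6794e0e4387f8f5f0c6": "DebtCollectionCase#######.exe",
    "ae5166a8e17771d438d2d5e6496bee948fce80a4": "DebtCollectionCase#######.exe",
    "c568b578da49cfcdb37d1e15a358b34a": "DebtCollectionCase#######.exe",
    "12069e203234812b15803648160cc6ad1a56ec0e9cebaf12bad249f05dc782ef": "node700.exe",
    "29a13e190b6dd63e227a7e1561de8edbdeba034b": "node700.exe",
    "f5f75c9d71a891cd48b1ae9c7cc9f80d": "node700.exe",
    "5d7ed7b8300c94e44488fb21302a348c7893bdaeef80d36b78b0e7f0f20135df": "TROX Stealer",
    "6deea67690f90455280bc7dfed3c69d262bf24f6": "TROX Stealer",
    "fedb7287bcccc256a8dad8aeace799f7": "TROX Stealer",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("a[.]b") back into a matchable host ("a.b")."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


DOMAINS = [refang(d) for d in IOC_DOMAINS]


def host_matches(host: str):
    """Return the first IOC domain that `host` equals or is a subdomain of, else None.
    The leading dot in the suffix test stops look-alikes such as evil-<ioc> matching."""
    host = host.lower().rstrip(".")
    for d in DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def ip_is_routable(ip: str) -> bool:
    """False for RFC 1918, loopback and link-local addresses; such IOCs cannot match
    internet-bound traffic and usually originate from the analysis environment."""
    return ipaddress.ip_address(ip).is_global


def usable_ip_iocs():
    return [ip for ip in IOC_IPS if ip_is_routable(ip)]


def scan_proxy_log(log_text: str):
    """Scan lines of the form '<ts> <client_ip> <method> <url> <dest_ip>' (a constructed
    format for this example) and return one dict per line that touches an IOC."""
    ip_iocs = set(usable_ip_iocs())
    hits = []
    for n, line in enumerate(log_text.strip().splitlines(), start=1):
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line; a production parser would report it
        _ts, client, _method, url, dest_ip = parts
        host = urlsplit(url).hostname or ""
        reasons = {}
        matched = host_matches(host)
        if matched:
            reasons["domain"] = matched
        if dest_ip in ip_iocs:
            reasons["ip"] = dest_ip
        if reasons:
            hits.append({"line": n, "client": client, "host": host, **reasons})
    return hits


def lookup_hash(digest: str):
    """Case-insensitive lookup of an MD5, SHA-1 or SHA-256 hex digest."""
    return IOC_HASHES.get(digest.strip().lower())


def hash_matches(data: bytes):
    """Hash `data` with all three algorithms and return {algo: artefact} for any hit."""
    found = {}
    for algo in ("md5", "sha1", "sha256"):
        name = lookup_hash(hashlib.new(algo, data).hexdigest())
        if name:
            found[algo] = name
    return found


# Constructed sample log (not real traffic): lines 1, 3 and 4 should be flagged.
SAMPLE_LOG = """\
2025-01-07T09:14:02Z 10.0.0.12 GET https://documents.debt-collection-experts.com/case.exe?token=abc123 89.185.82.34
2025-01-07T09:15:10Z 10.0.0.13 GET https://www.example.com/ 93.184.216.34
2025-01-07T09:16:44Z 10.0.0.14 GET https://docs.debt-collection-experts.online/dl 203.0.113.5
2025-01-07T09:18:03Z 10.0.0.15 POST http://89.185.82.34/upload 89.185.82.34
"""

if __name__ == "__main__":
    print("routable IP IOCs:", usable_ip_iocs())
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The private-range check is the detail that matters most here: 172.22.117.177 is listed as the host that receives system profiles, but it sits in 172.16.0.0/12, so a rule keyed on it will never fire on egress traffic and should instead be used for hunting inside networks that actually allocate that range.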