TROX Stealer Harvests Sensitive Data Including Stored Credit Cards and Browser Credentials

Cybersecurity experts at Sublime have uncovered a complex malware campaign revolving around TROX Stealer, an information stealer that employs urgency to deceive victims.

This malware, first detected in December 2024, highlights an intricate attack chain designed to extract sensitive data from everyday consumers.

TROX Stealer’s success hinges on the psychological tactic of urgency, prompting victims to bypass critical thinking.

Attackers leverage urgent-sounding emails with subjects like “Last Opportunity to Settle Debt Before Legal Action” or “Final Warning: Legal Action Pending for Your Account,” creating a sense of panic.

Malware as a Service (MaaS) platforms facilitate quick deployment and iteration of large-scale attack campaigns by attackers.

TROX Stealer was licensed on a weekly basis for a few days of exclusive use, demonstrating its rapid action capacity.

The Distribution Mechanism

Attackers targeted diverse sectors, including security companies, universities, and solar energy corporations, using TROX Stealer.

The emails contained HTML-generated text with a link to download supposed legal documents.

This link redirected to a domain controlled by the attacker, where the malware, disguised as ‘DebtCollectionCase#######.exe’, was hosted.

The URL included a token ID, ensuring that the download only occurred once, preventing researchers from easily re-downloading the file for analysis.

Technical Sophistication

TROX Stealer’s installation process is characterized by several evasion techniques:

• Initial Delivery: A Nuitka-compiled Python script, wrapped in multiple layers of obfuscation, is downloaded as a Windows executable from the attacker’s domain.
• Execution: The downloaded file decompresses embedded files into a temporary folder, executing ‘client_pdf_case_388.pdf’, a decoy document, and ‘node700.exe’, a Node.JS interpreter, further executing scripts to maintain infection.

• WebAssembly: The malware uses WebAssembly (Wasm) code encoded in Base64, employing extensive junk code to obscure its functionality and hinder analysis.

The infrastructure behind TROX Stealer includes various domains and IP addresses, with routine certificate management ensuring its persistence.

Accoeding to the Report, Sublime’s AI detection engine has been instrumental in preventing these attacks at the email delivery stage.

However, the sophistication of TROX Stealer, particularly its use of multiple programming languages and evasion techniques, highlights an evolving threat landscape.

Cybersecurity measures must adapt, integrating AI and advanced analytics to stay ahead of these complex threats. Awareness and vigilance remain essential in mitigating the risks posed by malware like TROX Stealer.

Indicators of Compromise (IOCs)

Category	Identifier	Value
Domain	debt-collection-experts[.]com
Domain	documents[.]debt-collection-experts[.]com
Domain	debt-collection-experts[.]online
Domain	download.debt-collection-experts[.]online
Domain	downloads.debt-collection-experts[.]online
Domain	docs.debt-collection-experts[.]online
IP Address	89.185.82.34 – Central to this campaign’s operations	89.185.82.34
IP Address	172.22.117.177 – Receives system profiles from malware	172.22.117.177
File Hash	DebtCollectionCase#######.exe (SHA256)	c404baad60fa3e6bb54a38ab2d736238ccaa06af877da6794e0e4387f8f5f0c6
File Hash	DebtCollectionCase#######.exe (SHA1)	ae5166a8e17771d438d2d5e6496bee948fce80a4
File Hash	DebtCollectionCase#######.exe (MD5)	c568b578da49cfcdb37d1e15a358b34a
File Hash	node700.exe (SHA256)	12069e203234812b15803648160cc6ad1a56ec0e9cebaf12bad249f05dc782ef
File Hash	node700.exe (SHA1)	29a13e190b6dd63e227a7e1561de8edbdeba034b
File Hash	node700.exe (MD5)	f5f75c9d71a891cd48b1ae9c7cc9f80d
File Hash	TROX Stealer (SHA256)	5d7ed7b8300c94e44488fb21302a348c7893bdaeef80d36b78b0e7f0f20135df
File Hash	TROX Stealer (SHA1)	6deea67690f90455280bc7dfed3c69d262bf24f6
File Hash	TROX Stealer (MD5)	fedb7287bcccc256a8dad8aeace799f7
Email	vpn@esystematics[.]de
Email	vpn@contactcorporate[.]de
Email	vpn@evirtual-provider[.]de

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!