Cyber threats continue to evolve and one of the latest emerging threats facing CYFIRMA Investigation Team is the Angry Stealer malware.
This infostealer has been found to be actively promoted on various online platforms, including Telegram, thus increasing its reach and making it available to a large audience of potential attackers.
Angry Stealer is an advanced malware that targets a wide range of sensitive information using advanced techniques and rebranding tactics. It is based on the previously identified Rage Stealer, and shares almost identical code, behavior, and functionality.
Stepasha.exe and MotherRussia.exe payloads plunder any system
Angry Stealer is implemented via a dropper binary, a 32-bit Win32 executable written in .NET designed to execute two main payloads: “Stepasha.exe” and “MotherRussia.exe.” The primary payload, Stepasha.exe, serves as the core of the Angry Stealer operation, aimed at stealing sensitive information. This includes browser data (passwords, cookies, and autofill information), cryptocurrency wallet details, system data, VPN credentials, Discord tokens, and more. The data is then exfiltrated via Telegram to a remote server, using hardcoded credentials and bypassing SSL validation to ensure successful data transfer.
The secondary payload, MotherRussia.exe, serves as a tool for creating further malicious executables. This builder tool allows attackers to generate custom malware, potentially enabling access to remote desktops or additional bot interactions. The dual-payload approach not only increases the scope of data theft, but also enables the creation of custom malware tailored to specific targets or attack scenarios.
Once executed, Angry Stealer infiltrates a victim’s computer and begins a systematic collection of sensitive data. It specifically targets popular web browsers using a multi-threaded approach, allowing it to collect data from multiple browsers at once, extracting passwords, credit card details, cookies, autofill data, bookmarks, running processes, screenshots, and system specifications. The malware organizes this stolen data into a designated directory at C:\Users\Username\AppData\Local\44_23, where it creates subdirectories for various types of information.
Once browser paths have been scanned to gather valuable information, the malware imposes size restrictions on the files it copies to avoid detection. Additionally, Angry Stealer is capable of opening user files from important folders such as Desktop and Documents, focusing on documents and personal data that may be of interest to attackers.
Additionally, it can determine the system’s IP address, geographic location, and network-related data, giving attackers extensive information about the victim’s environment. This data collection capability allows attackers to tailor their subsequent actions to the specifics of the infected system.
To effectively combat the threat of Angry Stealer and similar malware, organizations must implement a layered security approach. Key strategies include implementing robust endpoint security solutions that can detect and block malicious activity from info thieves, and ensuring that operating systems, applications, and security software are regularly updated to patch vulnerabilities that can be exploited.
Additionally, implementing network segmentation can help limit the movement of malware within the network, reducing the risk of widespread data theft. Organizations should also implement comprehensive employee training programs to increase awareness of phishing threats and safe online practices. Finally, having an up-to-date incident response plan is critical to quickly addressing potential malware infections, minimizing damage, and facilitating the recovery of affected systems.
