Cybercriminals are mining the capabilities of an open source infostealer called “SapphireStealer,” developing a legion of variants that are helping to democratize the cybercrime landscape when it comes to carrying out data-theft attacks.
Ever since a Russian-language hacker named Roman Maslov first published it onto the public Web late last year, hackers have been adopting SapphireStealer, tinkering with it, and releasing new versions into public repositories. It has created a reinforcing feedback loop where the malware keeps getting stronger, and more attackers are being drawn to it, potentially leading to more dangerous consequences downstream.
“You’ve got a large group of threat actors that are interested in stealing credentials, access tokens, username, passwords,” says Edmund Brumaghin, threat researcher for Cisco Talos, who on Aug. 31 published a blog post about SapphireStealer and its many contributors. “Then they’re monetizing that data, which can lead to higher-impact types of attacks.”
What Is SapphireStealer?
On Christmas Day, 2022, children across the world ran downstairs to open up presents from Santa. Partners opened gifts from their significant others. And on GitHub, cybercriminals were treated to a present of their own: “A simple stiller [sic] with sending logs to your EMAIL,” courtesy of r3vengerx0 (Maslov).
The “stiller” (stealer) was written in .NET, and free for anyone to download. Simple but effective, it gave even non-technical hackers the ability to grab files in most popular formats — .pdf, .doc, .jpg, etc. — as well as screenshots, and credentials from Chromium browsers like Google Chrome, Microsoft Edge, and Yandex. It simply packaged this information into an email, and sent it back to adversaries along with various information about the targeted machine: IP address, OS version, and so on. Finally, post-exfiltration, SapphireStealer deletes evidence of its activity and terminates.
This was all well and good but, like r3vengerx0’s GitHub listing, there were kinks to work out. “There was some superfluous code execution flow taking place — superfluous instructions that weren’t exactly what you would expect from an efficient codebase. There were also some typographical errors in certain points in the code,” Brumaghin explains.
That began to change, starting around mid-January.
How SapphireStealer Evolved
Soon after the holidays, new variants of SapphireStealer started to emerge, which cleaned up (if not significantly refactored) the code, and improved on its core functionality. Some variants, for example, extended the list of file formats SapphireStealer could draw from.
Another variant replaced the email function with the Discord webhook API. Several others popped up with the ability to alert attackers to new infections by transmitting log data via a Telegram API.
Through the first half of 2023, SapphireStealer became more robust, multifaceted, and dangerous but also more accessible. “The barrier to entry for getting into information stealing continues to decrease with the introduction of open source stealers like SapphireStealer. You don’t need to know how to code. You don’t need to know operational security or anything like that,” Brumaghin says.
As SapphireStealer grows and spreads, it could easily enable more serious attacks for larger enterprises.
“An organization might not treat an information stealer threat at the same level as another threat like, let’s say, ransomware,” Brumaghin explains. “But they’re often a precursor to things like ransomware and espionage, because an adversary will obtain credentials with an information stealer and then monetize those by selling them to other threat actors that can then use that access to conduct post-compromise activities, working towards some of their longer-term mission objectives.”
He concludes: “Organizations need to be aware of that relationship. These threats in a lot of ways are becoming more interlinked, as the cybercrime economy continues to mature and grow.”
