Cyber security analysts have spotted a dangerous new info-stealer in circulation on Russian-language hacking forums.
Dubbed SantaStealer in a bizarre fit of seasonal cheer, the malware was spotted by researchers at Rapid7 days before its release was announced on its ‘official’ Telegram channel.
“SantaStealer is a data theft program for Windows, developed in C,” the release post said on December 16.
“It works without dependencies and is completely self-contained. The program runs on any Windows machine from version 7 to 11.”
Rapid7 believes the infostealer is a rebranded version of the BluelineStealer, and is allegedly capable of stealing credentials, documents, crypto wallets, and other data from a raft of applications.
The malware operates entirely in memory to avoid file-based detection, and compresses stolen data into ten-megabyte packets before sending those packets to its command-and-control (C2) infrastructure.
Prior to its official release, however, Rapid7 was able to obtain a sample of SantaStealer for a close look at its operation, and the company’s analysts were not initially impressed.
“It’s difficult to tell if the samples we observe now are the latest builds of SantaStealer, or if there might be a delay and we are only now seeing earlier versions. Either way, the payloads we analysed lacked significantly in anti-analysis and evasion capabilities, only implementing a very basic anti-VM/anti-debugging check,” Milan Špinka, Security Researcher at Rapid7, said.
“The samples we’ve seen also include original names of functions and global variables and do not perform any kind of string encryption or code obfuscation, making analysis rather simple.”
Rapid7’s researchers were able to register an account for the malware to get an inside look at its features and pricing. A basic version of the stealer costs US$175 per month, while the premium version costs US$300 per month to use.
A lifetime plan is also available for US$1,000.
Despite the developers’ claims that SantaStealer is particularly stealthy and hard to detect, detecting and tracking its payloads is relatively simple, because the malware’s configuration and C2 IP address are embedded in plain text in its executable.
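Because the configuration and C2 address sit in the binary as plain text, the first-pass triage an analyst would do is simply string extraction followed by a search for IPv4-shaped values. The Python below is an added example of that check, not Rapid7’s tooling or anything from the SantaStealer sample; the byte blob it scans is constructed here, and the 203.0.113.45 address is a documentation-range placeholder, not a real C2.

```python
import ipaddress
import re

# IPv4-shaped text: four dotted decimal groups not glued to other digits or dots.
# Octet range (0-255) is validated separately by the ipaddress module.
IPV4_SHAPE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes.

    This is the same heuristic the classic `strings` utility applies; it is
    exactly what an unobfuscated, plaintext configuration leaks.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def plausible_c2_address(text: str) -> bool:
    """True if text parses as an IPv4 address that could host a C2 listener."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return False  # e.g. an octet above 255, such as 999.1.1.1
    # Loopback, multicast, reserved and 0.0.0.0 cannot be a remote server.
    return not (
        addr.is_loopback
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def find_ipv4_candidates(data: bytes) -> list[str]:
    """Scan a binary blob for plaintext IPv4 addresses worth triaging."""
    hits = set()
    for s in extract_strings(data):
        for m in IPV4_SHAPE.finditer(s):
            if plausible_c2_address(m.group()):
                hits.add(m.group())
    return sorted(hits, key=lambda ip: int(ipaddress.IPv4Address(ip)))


# Constructed stand-in for an executable: a fake header, some binary noise,
# and a few embedded strings. 203.0.113.45 is a TEST-NET-3 placeholder.
SAMPLE = (
    b"MZ\x90\x00" + bytes(range(0, 40))
    + b"\x00host=203.0.113.45\x00"      # plaintext "config" with the C2 placeholder
    + b"port=8080\x00"
    + b"\x01\x02\x03ver 999.1.1.1\x00"  # malformed octet, must be rejected
    + b"127.0.0.1\x00"                  # loopback, not a C2 candidate
    + b"\xff\xfe\x00ab\x00"             # too short to count as a string
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE):
        print("string:", s)
    print("C2 candidates:", find_ipv4_candidates(SAMPLE))
```

Version strings such as 1.2.3.4 pass the same shape test, so the candidate list is a triage queue rather than a verdict: an analyst confirms each hit against the surrounding strings (here the `host=` key) or by observing the sample’s network behaviour. Once a stealer starts encrypting its strings, as the article notes Lumma and Vidar do, this static shortcut stops working and the address has to be recovered at runtime instead.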
“However, if SantaStealer indeed does turn out to be competitive and implements some form of encryption, obfuscation, or anti-analysis techniques (as seen with Lumma or Vidar) these tasks may become less trivial for the analyst,” Rapid7 said.
For now, Rapid7’s best advice to avoid infection by SantaStealer is to avoid clicking on unrecognised links or attachments, and to be on the lookout for fake human verification and tech support instructions.
“Finally, avoid running any kind of unverified code from sources such as pirated software, videogame cheats, unverified plugins, and extensions,” Rapid7 said.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.