High-Profile BluStealer Malware Steals Sensitive Info and Files

About BluStealer

• The VB core reuses most of the code from the SpyEx project (first spotted in 2004). For this reason, SpyEx strings are discovered in the early samples detected in May.
• BluStealer can steal crypto wallet data, replace crypto addresses in the clipboard, find/upload document files, steal data via SMTP, use Telegram Bot API, and use anti-analysis/VM methods.
• The .NET component is a credential stealer created from a combination of open-source C# hack tools known as ChromeRecovery, ThunderFox, firepwd, and StormKitty.
• Additionally, the malware’s .NET Loader has already been used by various malware families such as Oski Stealer, Snake Keylogger, Formbook, RedLine, and Agent Tesla.

The infection vector

• The spam emails included links to Discord’s Content Delivery Network (CDN) as a malware distribution infrastructure.
• Researchers have observed two BluStealer malspam samples. One was a fake DHL invoice in English, while the other one was a fake message in the Spanish language from a Mexican metal company General de Perfiles.
• Both the samples had .iso attachments, along with download URLs. Accompanied messages claimed that the recipients must open the link and fill out details to solve the problem in the delivery of their parcel.
• The attachments included the malware executables packed with the .NET Loader. The loader is obfuscated and does not match with any known .NET obfuscator (when matched using de4dot).

Conclusion