New Nocturnal Stealer malware lets hackers harvest data for a small price and little effort

Security researchers have discovered a new, considerably cheap piece of malware dubbed Nocturnal Stealer that allows hackers to quietly steal data with very little effort. Still, Proofpoint researchers noted the new info-stealer is an example of "inexpensive commodity malware with significant potential for monetization."

An advertisement for Nocturnal Stealer first popped up on March 9 selling it for just 1500 Rubles (about $25). The stealer itself targets a host of Chrome and Firefox browser information such as login credentials, cookies, web data, autofill data and stored credit cards. It is also is capable of stealing 28 different types of cryptocurrency wallets, any saved FTP passwords within FileZilla, and a trove of system data such as machine ID, date/time, installation location, OS, architecture, username, processor type, video card and a list of all running processes of the infected machine.

"The malware only reports some of this information back to the Command and Control (C&C) server via a check-in beacon, but also zips and uploads all of the information contained in the dropped files to the C&C," researchers wrote in a blog post.

Nocturnal Stealer uses several techniques to evade detection including environment fingerprinting, checking for analyzers and debuggers, scanning for known VM registry keys and checking for emulation software. Researchers note that the use of detection evasion techniques is typical for mainstream crimeware, but unusual for budget malware.

The malware uses a multi-part HTTP POST form to send the stolen information contained in two plaintext files named "information" and "passwords" to the C2 server. Once it has completed its malicious activities, Nocturnal Stealer simply runs a command to end its processes and quietly delete itself off of the machine, unbeknownst to the victim.

"It utilizes an HTTP POST method for the initial check-in to report the infected machine information to the C&C server," researchers noted. "This POST uses the User-Agent 'Nocturnal/1.0' which contains the name and the version of the stealer. This may indicate that this is the first major version of this Nocturnal Stealer to be observed in the wild."

Although Proofpoint researchers said the malware is "not a particularly advanced" weapon, it does provide "a glimpse into the evolving criminal markets that continue to produce new variations of the crimeware we see everyday."

"Inexpensive, lightweight malware that can be deployed in a one-shot manner by even entry-level cybercriminals to harvest and exfiltrate sensitive data is a real concern for defenders and organizations," researchers said. "Nocturnal Stealer and other malware like it provide a would-be cybercriminal with the means to cause damage and harm to people and companies easily and cheaply."