Sapphire Stealer: Gather your Data for Various Cyber Attacks

A freely available .NET-based information-stealing malware known as SapphireStealer is being adopted by multiple groups, who are extending its capabilities and building custom variants from its public source code.

“This type of malware, like SapphireStealer, is used to gather sensitive data, including corporate credentials, which can then be sold to other hackers for further attacks like espionage or ransomware/extortion”, as stated by Cisco Talos researcher Edmund Brumaghin in a report.

Stealer malware is common

Over time, a complete ecosystem has developed around stealer malware, allowing both financially motivated and nation-state actors to buy or borrow these tools from their developers and use them in a wide range of attacks.

In this context, such malware represents the evolution of cybercrime-as-a-service: the stealer operator collects the data, and other threat actors pay to profit from it through ransomware distribution, data theft, and other malicious activity.

Details about Sapphire

SapphireStealer is similar to other stealer malware sold on the dark web. It collects host details, browser data, files, and screenshots, packages the results as a ZIP archive, and sends that archive to the attacker over the Simple Mail Transfer Protocol (SMTP).

However, because its source code was released for free in late December 2022, malicious individuals have been able to experiment with the malware and produce variants that are harder to detect. This includes adding more flexible data exfiltration methods, such as a Discord webhook or the Telegram API, in place of the original SMTP channel.
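The three exfiltration channels named above (SMTP, a Discord webhook, and the Telegram bot API) are all visible as outbound connections from the infected host, which makes them a natural place to look for the stealer on the network side. The following is an added detection sketch written for this article; it is not code from the original page or from Cisco Talos. It assumes a simplified, constructed egress-log format of "timestamp process destination_host destination_port url", and the process allowlists it uses are illustrative assumptions that a real deployment would replace with its own baseline.

```python
"""
Detection sketch for stealer exfiltration over SMTP, Discord webhooks
and the Telegram bot API.

Added example, not code from the original article or from Cisco Talos.
Assumption: log lines use a constructed, simplified egress format
"timestamp process dest_host dest_port url"; real proxy/EDR schemas differ.
"""
import re
from dataclasses import dataclass

# Constructed sample egress log lines (not real telemetry).
SAMPLE_LOG = """\
2023-08-30T10:01:02Z outlook.exe smtp.office365.com 587 -
2023-08-30T10:02:10Z svchost.exe discord.com 443 https://discord.com/api/webhooks/1234567890/AbCdEf
2023-08-30T10:02:11Z chrome.exe discord.com 443 https://discord.com/channels/@me
2023-08-30T10:03:05Z update.exe api.telegram.org 443 https://api.telegram.org/bot123456:ABC-DEF/sendDocument
2023-08-30T10:04:00Z explorer.exe smtp.gmail.com 587 -
"""

# Assumed allowlist: browsers and chat clients that legitimately reach Discord/Telegram.
KNOWN_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "discord.exe", "telegram.exe"}
# Assumed allowlist: processes expected to speak SMTP from a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# A Discord webhook URL carries a numeric id and a token; ordinary Discord
# browsing (channels, gateway) does not match this path.
DISCORD_WEBHOOK = re.compile(r"^https://discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I)
# Telegram bot API calls embed the bot token and the method being invoked.
TELEGRAM_BOT = re.compile(r"^https://api\.telegram\.org/bot\d+:[\w-]+/send(?:Document|Message|Photo)", re.I)
SMTP_PORTS = {25, 465, 587}


@dataclass
class Alert:
    timestamp: str
    process: str
    channel: str
    detail: str


def parse_line(line):
    """Split one constructed log line into its five fields, or return None."""
    fields = line.split(maxsplit=4)
    if len(fields) != 5:
        return None
    ts, proc, host, port, url = fields
    return ts, proc.lower(), host.lower(), int(port), url


def detect(log_text):
    """Return an Alert for every line that looks like stealer exfiltration."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, proc, host, port, url = parsed
        if DISCORD_WEBHOOK.match(url) and proc not in KNOWN_CLIENTS:
            alerts.append(Alert(ts, proc, "discord-webhook", url))
        elif TELEGRAM_BOT.match(url) and proc not in KNOWN_CLIENTS:
            alerts.append(Alert(ts, proc, "telegram-bot-api", url))
        elif port in SMTP_PORTS and proc not in MAIL_CLIENTS:
            # SMTP from anything but a mail client is the original SapphireStealer channel.
            alerts.append(Alert(ts, proc, "smtp-from-non-mail-client", f"{host}:{port}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.timestamp} {a.process} [{a.channel}] {a.detail}")
```

On the constructed sample the script flags three lines: svchost.exe posting to a Discord webhook, update.exe calling the Telegram bot API, and explorer.exe opening SMTP to smtp.gmail.com, while the browser visiting Discord and Outlook sending mail are left alone. The allowlists are the weak point of any such rule, since a stealer can inject into or masquerade as an allowed process, so treat this as a first triage signal to be paired with host telemetry (the process writing a ZIP of browser data just before the connection) rather than a standalone verdict.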

SapphireStealer’s codebase was published on GitHub on Dec. 25, 2022.

“Multiple versions of this threat are already out there, and hackers are continuously improving its efficiency and effectiveness,” mentioned Brumaghin.

The malware's author has also publicly released a .NET malware downloader, codenamed FUD-Loader, which fetches additional binary payloads from attacker-controlled distribution servers and executes them on the victim.

[Image: Latest TargetCompany ransomware infection chain, by Trend Micro]

Talos reported that this downloader has been observed in the wild delivering remote access trojans and stealers such as DCRat, njRAT, DarkComet, and Agent Tesla.

Go with the flow

SapphireStealer, Agniane Stealer, and similar variants have reshaped the threat landscape, creating an ecosystem in which both independent cybercriminals and state-sponsored actors can leverage off-the-shelf stealer capabilities for their own purposes.

The widespread availability of source code and the resulting customisation options have contributed to an intricate environment, making detection and mitigation an ongoing challenge.

For individuals and organisations alike, the practical advice is to stay vigilant: treat stored browser credentials as a liability, watch for unexpected outbound mail, Discord, or Telegram traffic, and take data security seriously.

Author: PureVPN

Date: September 1, 2023
