SapphireStealer, an open-source information stealer, has emerged as a growing threat since its public debut last year. This malware is designed to pilfer sensitive data, including corporate credentials, and has since seen active usage and modifications by various threat actors.
SapphireStealer was initially released on GitHub on December 25 2022. The malware targets browser credential databases and specific file types on infected systems.
According to an advisory published by Cisco Talos on Thursday, SapphireStealer has undergone significant evolution since its debut, resulting in multiple variants.
The malware’s core functions include gathering host information, taking screenshots, harvesting cached browser credentials and collecting files with predefined extensions from the victim’s system. Upon execution, SapphireStealer terminates browser processes matching specific names like Chrome, Yandex and Opera.
Following this, the malware locates and extracts credential information from various browser applications, including Chrome, Opera, Microsoft Edge and others. This stolen data is stored in a text file named “Passwords.txt.” Additionally, the malware captures screenshots and collects specific file types from the victim’s Desktop folder.
Once collected, the stolen data is compressed into an archive and transmitted to the attacker via Simple Mail Transfer Protocol (SMTP). The sent email includes host-related information, such as the IP address, hostname, screen resolution, OS version and CPU architecture.
Since its release, SapphireStealer has seen notable modifications by different threat actors. These adaptations include using the Discord webhook API and Telegram posting API for data exfiltration, as well as expanding the list of targeted file extensions for collection.
Furthermore, some attackers have employed FUD-Loader, a malware downloader shared on GitHub, to deliver SapphireStealer in multi-stage infection processes. This loader retrieves additional binary payloads from attacker-controlled servers.
In one instance, a lapse in operational security led to the exposure of a threat actor’s credentials and accounts, underscoring the accessibility of cybercrime for those with limited expertise.
More generally, while information-stealing attacks may require less sophistication, they can significantly damage corporate environments, emphasizing the importance of robust cybersecurity measures.
The Cisco Talos advisory on SapphireStealer contains essential Indicators of Compromise (IoCs) for identifying and mitigating this evolving threat.