New Capabilities and Exfiltration Techniques Exposed


In the ever-evolving infostealer landscape, 0bj3ctivityStealer emerges as a formidable threat, blending advanced obfuscation with targeted data exfiltration.

Discovered earlier this year by HP Wolf Security researchers, this .NET-based malware has been observed in proactive threat hunting by the Trellix Advanced Research Center, revealing a novel phishing-driven campaign.

The infection initiates through spearphishing emails themed around “Quotation offer,” featuring low-resolution images of fabricated purchase orders that lure victims to click a “Download” link redirecting to Mediafire-hosted JavaScript files.

Malicious phishing email.

This initial script, heavily obfuscated with over 3,000 lines of junk code, decodes into a PowerShell payload that fetches a steganographically concealed .NET loader from a JPG image hosted on archive.org.

Sophisticated Delivery Mechanism

By scanning for a specific hexadecimal pattern (0x42 0x4D 0x32 0x55 0x36 0x00 0x00 0x00 0x00 0x00 0x36 0x00 0x00 0x00 0x28 0x00), the script extracts RGB pixel values to reconstruct the loader, which is then executed via dnlib’s dynamic invocation.
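The pattern quoted above is the start of a BMP file header ("BM", a file-size field, reserved zeros, pixel-data offset 0x36, then the 0x28 DIB header size), so the JPG on archive.org is effectively a carrier with a bitmap hidden inside it. The scanner below is an added defender-side example, not code from Trellix, HP or the malware: it flags a JPEG that contains a BMP header (especially one placed after the JPEG end-of-image marker, where a viewer never renders it), carves the bitmap for offline triage, and strips the BMP row padding to expose the raw RGB byte stream. It generalises the quoted marker to any 24-bit BMP with the standard 54-byte header layout; the sample input is constructed, and how the loader bytes are laid out inside the RGB values is not stated in the article, so no decoding beyond de-padding is attempted.

```python
import re
import struct

# Marker quoted in the write-up (start of a BMP file header: "BM", file size,
# reserved zeros, pixel-data offset 0x36, then DIB header size 0x28).
REPORTED_MARKER = bytes([0x42, 0x4D, 0x32, 0x55, 0x36, 0x00, 0x00, 0x00, 0x00, 0x00,
                         0x36, 0x00, 0x00, 0x00, 0x28, 0x00])

# Generalisation (assumption): any BMP with the standard 14-byte file header and
# 40-byte BITMAPINFOHEADER, i.e. pixel data at 0x36, regardless of file size.
BMP_HEADER_RE = re.compile(rb"BM.{4}\x00\x00\x00\x00\x36\x00\x00\x00\x28\x00\x00\x00", re.DOTALL)

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def find_bmp_headers(data: bytes) -> list:
    """Locate every BMP header inside a blob and parse the fields needed for triage."""
    hits = []
    for m in BMP_HEADER_RE.finditer(data):
        off = m.start()
        if off + 54 > len(data):          # truncated header, nothing to parse
            continue
        file_size, pixel_off = struct.unpack_from("<I4xI", data, off + 2)
        width, height, _planes, bpp = struct.unpack_from("<iiHH", data, off + 18)
        hits.append({
            "offset": off,
            "file_size": file_size,
            "pixel_offset": pixel_off,
            "width": width,
            "height": height,
            "bpp": bpp,
            "matches_reported_marker": data.startswith(REPORTED_MARKER, off),
        })
    return hits


def scan_jpeg(data: bytes) -> dict:
    """Flag a JPEG carrying a BMP header and note whether it sits past the JPEG end marker.

    Heuristic: the first FF D9 is taken as the end of the image stream; a BMP
    header after it is appended data that an image viewer never renders.
    """
    is_jpeg = data.startswith(JPEG_SOI)
    eoi = data.find(JPEG_EOI)
    hits = find_bmp_headers(data)
    for h in hits:
        h["after_eoi"] = eoi != -1 and h["offset"] > eoi
    return {"is_jpeg": is_jpeg, "eoi_offset": eoi, "hits": hits,
            "suspicious": is_jpeg and bool(hits)}


def carve_bmp(data: bytes, offset: int) -> bytes:
    """Cut the embedded BMP out of the carrier using its own file-size field."""
    (file_size,) = struct.unpack_from("<I", data, offset + 2)
    return data[offset:offset + file_size]


def pixel_stream(bmp: bytes) -> bytes:
    """Return the raw 24-bit pixel bytes in file order with row padding removed."""
    (pixel_off,) = struct.unpack_from("<I", bmp, 10)
    width, height, _planes, bpp = struct.unpack_from("<iiHH", bmp, 18)
    if bpp != 24:
        raise ValueError("only 24-bit BMPs are handled")
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3        # BMP rows are padded to 4-byte multiples
    out = bytearray()
    for r in range(abs(height)):        # negative height means top-down rows
        start = pixel_off + r * stride
        out += bmp[start:start + row_bytes]
    return bytes(out)


def build_sample() -> bytes:
    """Constructed test input: a minimal JPEG skeleton with a 2x2 BMP appended."""
    jpeg = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + JPEG_EOI
    pixels = bytes(range(1, 7)) + b"\x00\x00" + bytes(range(7, 13)) + b"\x00\x00"
    dib = struct.pack("<IiiHHIIiiII", 40, 2, 2, 1, 24, 0, len(pixels), 0, 0, 0, 0)
    bmp = (b"BM" + struct.pack("<I", 54 + len(pixels)) + b"\x00\x00\x00\x00"
           + struct.pack("<I", 54) + dib + pixels)
    return jpeg + bmp


if __name__ == "__main__":
    report = scan_jpeg(build_sample())
    for h in report["hits"]:
        print(f"BMP header at {h['offset']} (after EOI: {h['after_eoi']}), "
              f"{h['width']}x{h['height']} {h['bpp']}bpp, "
              f"{len(pixel_stream(carve_bmp(build_sample(), h['offset'])))} pixel bytes")
```

Run it over a suspect image with `scan_jpeg(open(path, "rb").read())`; a hit with `after_eoi` set is worth a closer look regardless of whether the file size field matches the specific marker reported for this campaign.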

This VMDetector loader establishes persistence through scheduled tasks and employs process hollowing to inject the final 0bj3ctivityStealer payload into Regasm.exe, sourced from a reversed Base64-encoded file on a Cloudflare R2 subdomain.

Such a chain, incorporating steganography and reflective loading, mirrors tactics seen in other infostealer families but introduces custom PowerShell deobfuscation for enhanced stealth, complicating detection in automated sandboxes.
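The chain described in the three paragraphs above leaves a recognisable trail in process-creation telemetry: a script host spawning PowerShell, PowerShell registering a scheduled task, and RegAsm.exe started by something other than a build tool. The rules below are an added illustration, not a detection shipped by Trellix or HP; field names follow Sysmon Event ID 1 conventions, the events are constructed, and the set of parents considered normal for RegAsm.exe is an assumption to tune per environment.

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Parents that plausibly start RegAsm.exe in a developer estate (assumption,
# tune per environment; not a vendor-supplied allowlist).
REGASM_EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe"}


def _name(path: str) -> str:
    """Lower-cased basename of a Windows path, portable via ntpath."""
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> list:
    """Return the names of every heuristic a single process-creation event trips."""
    image = _name(event["Image"])
    parent = _name(event["ParentImage"])
    cmd = event.get("CommandLine", "").lower()
    hits = []
    # Stage 1 of the chain: a JScript/VBScript host decoding and launching PowerShell.
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        hits.append("script_host_spawns_powershell")
    # Persistence: a scheduled task created from a shell or script-host process.
    if image == "schtasks.exe" and "/create" in cmd and parent in (POWERSHELL | SCRIPT_HOSTS):
        hits.append("scheduled_task_from_script")
    # Hollowing target: RegAsm.exe started outside a build context, typically
    # with no arguments because the real .NET code is injected afterwards.
    if image == "regasm.exe" and parent not in REGASM_EXPECTED_PARENTS:
        hits.append("regasm_unexpected_parent")
    return hits


def scan(events: list) -> list:
    """Return (index, [rules]) for every event that trips at least one heuristic."""
    return [(i, h) for i, ev in enumerate(events) if (h := evaluate(ev))]


# Constructed sample telemetry; paths and command lines are illustrative only.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\Quotation_offer.js"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -enc <constructed-base64>"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "C:\Users\u\AppData\Roaming\x.exe"'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "CommandLine": r"RegAsm.exe /codebase MyComponent.dll"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
]


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```

Each rule on its own is low fidelity (developers do run RegAsm.exe, administrators do create tasks from PowerShell); the value is in the three firing from the same process tree within a short window, which is what the article's "behavioral rules for PowerShell anomalies" would key on.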

The malware’s anti-analysis arsenal is equally robust, leveraging string encryption via Base64 and subtraction algorithms, control flow flattening with randomized identifiers, and junk code insertions to disrupt reverse engineering.

Virtual environment checks target DLLs like SbieDll and cmdvrt32, alongside WMI queries for Hyper-V or VMware artifacts, while API calls to CheckRemoteDebuggerPresent ensure termination in debugged contexts, culminating in self-deletion to erase traces.

These mechanisms not only evade static analysis but also prolong operational secrecy, allowing the stealer to enumerate extensive system metadata including CPU/GPU details, RAM metrics, network configurations, installed applications, and Windows license keys before delving into high-value assets.

Exfiltration Strategies

0bj3ctivityStealer’s capabilities extend to a broad spectrum of sensitive data, prioritizing credentials from Chromium and Gecko browsers through extraction of histories, cookies, passwords, autofills, bookmarks, and credit cards.

0bj3ctivityStealer execution chain.

It further infiltrates instant messaging platforms like Telegram, Signal, Tox, Discord, and Pidgin by copying encrypted files, while harvesting email credentials from Outlook, Windows Messaging via registry queries, and Foxmail through decryption akin to Masslogger techniques.

Cryptocurrency assets are a prime focus, with the malware raiding wallet directories for Zcash, Armory, Ethereum, and others, alongside browser extensions for Metamask, Phantom, and Ronin in both Chrome and Edge profiles.

Additional vectors include FileZilla credentials, WiFi profiles, and clipboard monitoring, though the latter’s cryptocurrency hijacking remains unimplemented, demonstrating a laptop-centric design for mobile credential theft.

Exfiltration relies on unidirectional Telegram bot communications, posting zipped data to api.telegram.org endpoints with asymmetric encryption, supplemented by dormant SMTP options using placeholders for future adaptability.

This loop-based execution ensures repeated data harvesting without command reception, amplifying breach potential.
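Because the stealer only ever posts to the Telegram Bot API and never polls for commands, outbound proxy logs show a one-sided pattern: repeated POST requests from one host to api.telegram.org with a `/bot<id>:<secret>/send...` path and a sizeable request body. The detector below is an added example, not a Trellix rule; the key=value log format, the source addresses and the bot token are constructed, and it assumes that Bot API traffic from ordinary workstations is unexpected in the environment. Findings keep only the numeric bot id so the secret half of the token never lands in an alert.

```python
import re
from collections import Counter

# Constructed proxy log lines (key=value style); the bot token is a made-up value.
SAMPLE_LOG = """\
2025-07-01T10:00:01Z src=10.1.2.3 method=GET host=www.example.com path=/ bytes_out=312
2025-07-01T10:00:05Z src=10.1.2.3 method=POST host=api.telegram.org path=/bot1234567890:AAConstructedTokenNotReal_0000000000/sendDocument bytes_out=184320
2025-07-01T10:05:05Z src=10.1.2.3 method=POST host=api.telegram.org path=/bot1234567890:AAConstructedTokenNotReal_0000000000/sendDocument bytes_out=190000
2025-07-01T10:06:00Z src=10.1.2.9 method=GET host=api.telegram.org path=/bot1234567890:AAConstructedTokenNotReal_0000000000/getUpdates bytes_out=100
2025-07-01T10:07:00Z src=10.1.2.3 method=POST host=web.telegram.org path=/ bytes_out=500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) host=(?P<host>\S+) "
    r"path=(?P<path>\S+) bytes_out=(?P<bytes>\d+)$"
)
# Bot API paths are /bot<numeric id>:<secret>/<method>; the secret is captured
# only so it can be dropped, never copied into a finding.
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<api>\w+)")


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(log_text: str):
    """Return (findings, bytes_per_source) for POSTs to the Telegram Bot API."""
    findings = []
    per_src = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Unidirectional exfiltration shows up as POSTs only; GET polling would
        # indicate command reception, which the article says this family lacks.
        if rec["host"].lower() != "api.telegram.org" or rec["method"].upper() != "POST":
            continue
        m = BOT_PATH_RE.match(rec["path"])
        if m is None:
            continue
        size = int(rec["bytes"])
        per_src[rec["src"]] += size
        findings.append({"ts": rec["ts"], "src": rec["src"], "bot_id": m["bot_id"],
                         "api": m["api"], "bytes_out": size})
    return findings, dict(per_src)


def repeat_posters(findings: list, min_count: int = 2) -> list:
    """Sources that posted to the Bot API at least min_count times (loop behaviour)."""
    counts = Counter(f["src"] for f in findings)
    return sorted(src for src, n in counts.items() if n >= min_count)


if __name__ == "__main__":
    found, volume = detect(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['src']} -> bot {f['bot_id']} {f['api']} ({f['bytes_out']} bytes)")
    print("repeat posters:", repeat_posters(found), "volume:", volume)
```

The per-source byte total and the repeat count are the two signals worth alerting on together: a single small POST may be an ad hoc script, while a host that keeps sending multi-hundred-kilobyte documents to the same bot on a fixed cadence matches the loop-based harvesting described above.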

Telemetry indicates widespread impact, with detections peaking in the US, Germany, and Montenegro across government and manufacturing sectors, underscoring opportunistic global targeting.

Mitigation demands layered defenses, including Trellix signatures like InfoStealer.MSIL.0bj3ctivityStealer and behavioral rules for PowerShell anomalies, to counter this persistent threat’s evasion and exfiltration prowess.

Indicators of Compromise (IoCs)

Type    Value                                                             Description
MD5     2f32e9e485b127c1bdcaf7984cc7485a                                  JavaScript script
MD5     e7e92f9381c57673d3e9f7508059e06a                                  JPG Image
MD5     15b5ddb3ef4b0383ec5fc8ea2cf5c8db                                  .NET Loader
MD5     a1a13f3ab6d19f87dd0ddb6d2384a5e2                                  0bj3ctivityStealer
SHA1    1d59bf8c488eb6f43c7b5e7164f82b164e39ec10                          JavaScript script
SHA1    10a9af58af5095195ae186b2268d25002052bf34                          JPG Image
SHA1    4c5d3468d3474816c6810599e470949f1b2a3d68                          .NET Loader
SHA1    4749ed09e04f4a9a1533413c3ba7ea72943807db                          0bj3ctivityStealer
SHA256  fda1d464861ac16072605f2a390e710b18353cae798fd0ff41b67a9556fe24e2  JavaScript script
SHA256  6fd22b60afbd013a480c096ecc4da6cc89f7e805d44fc68ec18a4be8464259b0  JPG Image
SHA256  9ae50e74303cb3392a5f5221815cd210af6f4ebf9632ed8c4007a12defdfa50d  .NET Loader
SHA256  01db63a854c81a69f00dd3c1a6dee056f3429f078882e33bb2e06d7e48614391  0bj3ctivityStealer