Security researchers have identified a new, active campaign of the Stealit malware that uses an experimental Node.js feature to infect Windows systems.
According to a report from FortiGuard Labs, threat actors are leveraging Node.js’s Single Executable Application (SEA) functionality to package and distribute their malicious payloads. This updated tactic marks a shift from previous Stealit versions that relied on the Electron framework.
The malware is being distributed through file-sharing platforms like Mediafire and Discord, disguised as installers for popular games and VPN software.
The discovery came after security analysts noticed a spike in detections of a Visual Basic script used by the malware to establish persistence on compromised machines.
The use of SEA allows the malware to run as a standalone binary without requiring a pre-installed Node.js runtime, making it a versatile distribution method for the attackers.
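An SEA binary is a copy of the Node.js executable with the application bundle injected into it; the injection flips a documented sentinel string (the "fuse") inside the binary from `:0` to `:1`, and that flipped fuse is what tells the runtime to load the embedded payload. The following triage check, added here as an example and not code from the FortiGuard report, scans a file for that fuse; the sample byte strings are constructed stand-ins, not real samples.

```python
"""Flag executables that carry a Node.js Single Executable Application blob.

Node's SEA build process (postject) writes the application blob into a copy of
node.exe and flips the sentinel fuse below from ':0' to ':1'. A file that is
not a Node build has no fuse at all; a stock node.exe has the fuse unset;
an SEA-packaged program has it set. That distinction lets a responder tell
"someone shipped a bundled Node app" apart from "someone shipped Node itself".
"""
import re
from pathlib import Path

# Sentinel fuse from the Node.js SEA documentation (postject --sentinel-fuse).
SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"
FUSE_RE = re.compile(SEA_FUSE + rb":([01])")


def classify_sea(data: bytes) -> str:
    """Return 'sea' if the fuse is flipped, 'node' if present but unset,
    'none' if the binary is not built from Node.js at all."""
    match = FUSE_RE.search(data)
    if match is None:
        return "none"
    return "sea" if match.group(1) == b"1" else "node"


def scan_file(path: str) -> str:
    """Classify an on-disk executable (reads the whole file; SEA builds are large)."""
    return classify_sea(Path(path).read_bytes())


# Constructed sample inputs standing in for real PE files: a stock node build,
# an SEA build, and an unrelated executable.
SAMPLE_NODE = b"MZ\x90\x00" + b"\x00" * 16 + SEA_FUSE + b":0" + b"\x00" * 16
SAMPLE_SEA = b"MZ\x90\x00" + b"\x00" * 16 + SEA_FUSE + b":1" + b"\x00" * 16
SAMPLE_OTHER = b"MZ\x90\x00" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in (("node", SAMPLE_NODE), ("sea", SAMPLE_SEA), ("other", SAMPLE_OTHER)):
        print(f"{name}: {classify_sea(blob)}")
```

A hit only says "this is an SEA-packaged Node program", which is legitimate for many tools; it is a reason to look at the download source and the embedded script, not a verdict on its own.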
Stealit Malware Abuses Node.js Single Executable Applications
The operators behind Stealit are running a sophisticated Malware-as-a-Service (MaaS) business, marketing their creation on a public-facing website.
The site, which has recently moved between domains to evade takedowns, promotes Stealit as a “professional data extraction solution” and offers various subscription plans.
For approximately $500, a customer can purchase a lifetime license for the Windows version, while the Android variant is priced at around $2,000.
The website details the malware’s extensive capabilities, which include typical Remote Access Trojan (RAT) functions such as remote file access, webcam hijacking, live screen monitoring, and even a module for deploying ransomware.
The service is also promoted through a public Telegram channel, where the operators post updates and interact with potential clients, showcasing the professional and commercial nature of this cybercrime operation.
Key features advertised by Stealit operators include:
- Live screen viewing and webcam access for real-time surveillance.
- System management capabilities including remote shutdown and restart.
- Command execution through a built-in terminal interface.
- File extraction from critical directories like Desktop and Documents.
- Ransomware deployment with direct victim communication channels.
- Fake alert message generation to deceive users.
- Remote audio playback and wallpaper modification capabilities.
Sophisticated Evasion Techniques
The latest version of Stealit is engineered with multiple layers of obfuscation and anti-analysis features designed to thwart detection and hinder research. The attack begins when a user runs the initial installer.
This triggers a multi-stage process where heavily obscured scripts are decoded and executed in memory. Before deploying its main payloads, the malware conducts a series of rigorous checks to determine if it is running within a virtual machine or a security analysis environment.
It inspects system memory, CPU core count, hostnames, running processes, and registry keys for any signs of sandboxing or debugging tools.
If any such artifacts are detected, the malware immediately terminates its execution and displays a fake error message.
These checks let it avoid being observed in analysis environments and proceed with installation only on what it judges to be a real victim system.
Anti-analysis techniques employed by Stealit:
- Virtual environment detection through hardware and system checks.
- Process monitoring to identify debugging and analysis tools.
- Registry inspection for security software artifacts.
- Network port scanning to detect monitoring systems.
- DLL injection analysis to identify loaded security modules.
- Parent process verification to avoid researcher environments.
- Timing analysis to detect sandboxed execution environments.
Extensive Data Theft Capabilities
After successfully bypassing security checks, the malware downloads several components from its command-and-control (C2) server to carry out its primary mission of data theft.
To avoid detection by endpoint security products, it adds its installation directories to the Windows Defender exclusion list.
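Defender records every configuration change, exclusion additions included, as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, with the new registry value spelled out in the message text. The parser below is an added example, not part of the original report: it pulls the added exclusion out of 5007 messages and flags ones pointing at user-writable drop locations. The event messages follow the standard 5007 layout but the paths in them are constructed placeholders, not the directories this malware actually uses.

```python
"""Triage Microsoft Defender Event ID 5007 messages for added exclusions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# "New value:" names the Exclusions subkey (Paths, Processes or Extensions)
# followed by the excluded item and a DWORD, e.g. "...\Paths\C:\Tools = 0x0".
EXCL_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Processes|Extensions)\\(?P<value>.+?)\s*=\s*0x[0-9a-fA-F]+",
    re.IGNORECASE,
)
# Locations an administrator rarely excludes but droppers routinely write to.
SUSPICIOUS_DIRS = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public|Temp)(\\|$)",
    re.IGNORECASE,
)


@dataclass
class Exclusion:
    kind: str
    value: str
    suspicious: bool


def parse_5007(message: str) -> Optional[Exclusion]:
    """Return the exclusion added by one 5007 message, or None when the
    configuration change was something else (e.g. a scan schedule edit)."""
    m = EXCL_RE.search(message)
    if m is None:
        return None
    kind, value = m.group("kind"), m.group("value")
    flagged = kind.lower() == "paths" and SUSPICIOUS_DIRS.search(value) is not None
    return Exclusion(kind, value, flagged)


def triage(messages: List[str]) -> List[Exclusion]:
    """Keep only the messages that added an exclusion, in log order."""
    return [e for e in map(parse_5007, messages) if e is not None]


# Constructed sample messages (placeholder paths, not real indicators).
SAMPLE_EVENTS = [
    "Microsoft Defender Antivirus Configuration has changed. Old value: \n"
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
    "C:\\Users\\alice\\AppData\\Local\\Temp\\GameInstaller = 0x0",
    "Microsoft Defender Antivirus Configuration has changed. Old value: \n"
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
    "C:\\Program Files\\Corp Backup Agent = 0x0",
    "Microsoft Defender Antivirus Configuration has changed. Old value: 0x1\n"
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleDay = 0x2",
]
```

The same check can be run against the live exclusion list with `Get-MpPreference` (ExclusionPath, ExclusionProcess, ExclusionExtension) to catch exclusions added before log collection began.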
One of its key components, save_data.exe, utilizes an open-source tool called ChromElevator to extract sensitive information, such as saved credentials and cookies, from Chromium-based browsers.
Another module, stats_db.exe, is designed to steal data from a wide array of applications, including messengers like Telegram and WhatsApp, gaming platforms like Steam and Epic Games, and various cryptocurrency wallets.
Demonstrating their agility, the threat actors were observed reverting to the Electron framework within weeks, this time adding AES-256-GCM encryption to their scripts. The quick turnaround shows this is a rapidly evolving and persistent threat.
Indicators of Compromise (IoCs): the FortiGuard Labs report lists the SHA256 hashes of the sample files and the C2 and download URLs observed in this campaign.