ObserverStealer To AsukaStealer: Evolution Of Infostealer MaaS


Researchers at Cyble recently found the Malware-as-a-Service (MaaS) infostealer ObserverStealer operating under a new identity. ObserverStealer was rebranded and revamped as AsukaStealer in 2024 and is sold under a MaaS subscription model.

Based on the 2023 ObserverStealer, AsukaStealer added new capabilities and features while keeping the same configurable targeting: customers choose which browser extensions, browsers, and files the stealer collects.

Its creators promoted AsukaStealer with multiple screenshots taken from the Command and Control (C&C) panel, showing its capabilities as a stealer malware.

Priced at $80 for a one-month subscription, it provided flexible settings and a web panel interface for ease of use.

Introduction to AsukaStealer: A Malware-as-a-Service Infostealer

Source: Cyble

According to Cyble Research & Intelligence Labs (CRIL), the threat actor marketed AsukaStealer as a MaaS offering on a Russian-language forum, advertising a suite of capabilities for covertly stealing sensitive information from victims.

AsukaStealer infostealer
Source: Cyble

AsukaStealer is written primarily in C++ and comes with a web-based GUI panel for configuration and control.

Its primary objective is to harvest sensitive data from infected systems.

AsukaStealer dashboard and customized browser settings
Source: Cyble

Its targets include browser credentials, Discord tokens, cryptocurrency wallets, and desktop screenshots.

ObserverStealer
Source: Cyble

AsukaStealer was first observed on February 2, 2024, operating under a Malware-as-a-Service model. Symantec's coverage of the threat:

File-based: Infostealer, Trojan.Gen.MBT
Machine Learning-based: Heur.AdvML.B
Web-based: Observed domains/IPs are covered under security categories in all WebPulse-enabled products.

Analyzing the AsukaStealer Code 

AsukaStealer Code
Source: GitHub

Upon analyzing the AsukaStealer_configuration.txt file, The Cyber Express found that it is a configuration for the stealer's collection modules, defining what the malware grabs from Discord, browsers, and gaming platforms such as Steam.

It contains paths for various browsers' user data directories, Discord installation paths, and game-related directories for Steam and Battle.net. It also references specific files and DLLs, indicating the stealer reads or otherwise interacts with those files.

AsukaStealer codes and configurations
Source: GitHub

The latter part of the file lists file paths and name patterns for specific applications and their data storage locations, the places the stealer reads when extracting data.

Taken together, the configuration is a target list: it tells the stealer where on the victim's machine to look for browser, gaming-platform, and other application data before exfiltrating it.
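A target list like this is also useful to defenders: a process that reads from several of these data stores in quick succession is behaving like a stealer, whatever it is called. The following Python script is an added example written for this article, not code from Cyble, The Cyber Express, or the malware itself. It groups well-known Windows default locations (Chrome/Edge user data, Firefox profiles, Discord's leveldb store, Steam config, Battle.net) into categories and flags any process that touches two or more categories within a 60-second window. The log line format (timestamp, pid, image, path) and the thresholds are assumptions; the sample log lines are constructed for the demonstration.

```python
"""Hunting rule: flag processes reading from multiple infostealer target
categories within a short window.

Added example, not part of the Cyble report or the AsukaStealer code.
Log format, category grouping and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Path fragments per category, matched case-insensitively against the
# file path a process read. The browser, Discord and game locations are
# the standard Windows defaults; the grouping is this example's choice.
TARGET_PATTERNS = {
    "browser": [
        r"\\google\\chrome\\user data\\",
        r"\\microsoft\\edge\\user data\\",
        r"\\mozilla\\firefox\\profiles\\",
    ],
    "discord": [r"\\discord\\local storage\\leveldb\\"],
    "gaming": [r"\\steam\\config\\", r"\\battle\.net\\"],
}

# Assumed log line layout (Sysmon-like, flattened):
#   <date> <time> pid=<n> image=<basename> read=<full path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+pid=(?P<pid>\d+)\s+image=(?P<image>\S+)\s+read=(?P<path>.+)$"
)

# Constructed sample log: a browser reading its own data (benign), an
# unknown updater reading three categories in nine seconds (suspicious),
# a file browser reading a document, and a helper whose reads are spread
# six minutes apart (outside the window).
SAMPLE_LOG = [
    r"2024-02-02 10:15:01 pid=4120 image=chrome.exe read=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2024-02-02 10:15:02 pid=4120 image=chrome.exe read=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    r"2024-02-02 10:16:00 pid=7788 image=update.exe read=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2024-02-02 10:16:03 pid=7788 image=update.exe read=C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000003.log",
    r"2024-02-02 10:16:09 pid=7788 image=update.exe read=C:\Program Files (x86)\Steam\config\loginusers.vdf",
    r"2024-02-02 10:20:00 pid=9001 image=explorer.exe read=C:\Users\alice\Documents\notes.txt",
    r"2024-02-02 10:21:00 pid=5555 image=helper.exe read=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2024-02-02 10:27:00 pid=5555 image=helper.exe read=C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\CURRENT",
]


def categorize(path):
    """Return the target category a path falls into, or None."""
    lowered = path.lower()
    for category, patterns in TARGET_PATTERNS.items():
        if any(re.search(p, lowered) for p in patterns):
            return category
    return None


def parse_line(line):
    """Parse one log line into a dict; None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "pid": int(m["pid"]),
        "image": m["image"],
        "path": m["path"],
    }


def find_suspicious(lines, min_categories=2, window=timedelta(seconds=60)):
    """Return [(pid, image, categories)] for every process that read from at
    least `min_categories` distinct target categories within `window`."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        category = categorize(ev["path"])
        if category:
            events[ev["pid"]].append((ev["ts"], category, ev["image"]))

    hits = []
    for pid, evs in events.items():
        evs.sort()
        # Slide a window starting at each event; report the first that fires.
        for i, (start, _, image) in enumerate(evs):
            cats = {c for ts, c, _ in evs[i:] if ts - start <= window}
            if len(cats) >= min_categories:
                hits.append((pid, image, tuple(sorted(cats))))
                break
    return hits


if __name__ == "__main__":
    for pid, image, cats in find_suspicious(SAMPLE_LOG):
        print(f"suspicious: pid={pid} image={image} categories={','.join(cats)}")
```

Run against the sample log, only update.exe is reported; the browser reading its own profile hits a single category and the slow helper falls outside the window. In production the same logic would consume Sysmon Event ID 11/10 or EDR file-access telemetry, and the window and category threshold would be tuned against the environment's baseline.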

The Resurgence of ObserverStealer: Revealing the Connection

ObserverStealer
Source: Cyble

Upon closer examination, it became apparent that AsukaStealer bore a striking resemblance to its predecessor, ObserverStealer, which was closed by the operators on July 19, 2023. 

Detailed research revealed overlapping features, operational methodologies, and even shared infrastructure between the two malware variants.

This led cybersecurity experts to speculate that the same threat actors are behind both campaigns, continually refining and redistributing their tooling.

AsukaStealer's operation illustrates how modern cybercriminal services are run.

Its promoters touted its versatility, pointing to a wide range of customization options and support for popular browsers and messaging platforms.

Moreover, the use of anime-themed imagery, in particular the character Asuka Langley Soryu from Neon Genesis Evangelion, recalls an earlier pattern of threat actors drawing on Japanese anime and manga for their branding.

