The Evolution Of Advanced Crypto Threat


A new information stealer has entered the dark web markets. Dubbed “Xehook Stealer,” this .NET-based malware, meticulously crafted for Windows operating systems, boasts an extensive feature set aimed at unsuspecting victims.

Its capabilities, uncovered through analysis by the Cybersecurity Research and Intelligence Laboratory (CRIL), reveal a sophisticated tool designed to infiltrate systems and extract sensitive data, with a particular focus on cryptocurrency and 2FA extensions.

Evolution and Origins of Xehook Stealer

Xehook Stealer’s background traces back to the underground cybercrime forums, with roots embedded in the Cinoshi project, initially reported by CRIL in March 2023. 

(Image. Source: Cyble)

Operating under the guise of Malware-as-a-Service (MaaS), the Cinoshi project offered a free stealer and web panel, laying the groundwork for what would later evolve into a more advanced information stealer.

The emergence of Agniane Stealer in August 2023 marked a crucial turning point, with evident ties to the Cinoshi project reflected in its inception notes and operational patterns. 

(Image: Xehook Stealer. Source: Cyble)

According to CRIL, a cybercriminal entity, under the alias “thx4drugs,” introduced Xehook Stealer on a notorious cybercrime forum in January 2024. 

The reveal marked a culmination of efforts to refine and enhance the capabilities inherited from its predecessors. Noteworthy was the seamless integration with Telegram for real-time notifications, highlighting a meticulous approach to operational efficiency.

Technical Insights into the Information Stealer

Investigating the technical details of Xehook Stealer reveals a multifaceted tool designed with precision and efficiency in mind.

(Image: Xehook Stealer, information stealer. Source: Cyble)

The malware, written in .NET, dynamically collects data from Chromium- and Gecko-based browsers, targeting over 110 cryptocurrency and 2FA extensions.

Furthermore, Xehook Stealer’s adaptability shines through its support for diverse desktop cryptocurrency wallets, coupled with a recursive file grabber for targeted data extraction.

(Image: Xehook Stealer. Source: Cyble)

A closer examination of Xehook Stealer’s distribution channels revealed SmokeLoader binaries as common vectors, indicating an active propagation strategy adopted by threat actors. 

(Image: Xehook Stealer code. Source: Cyble)

The code overlaps observed with Agniane Stealer further substantiate the evolutionary lineage, suggesting a progressive refinement of capabilities over time.

Functional Overview and Modus Operandi

Xehook Stealer’s functionality extends beyond mere data collection, encompassing a spectrum of features aimed at maximizing operational efficacy.

The inclusion of an API for custom traffic bots highlights a strategic pivot towards automation, streamlining illicit activities for threat actors. 

Moreover, the capability to recover dead Google cookies adds a layer of sophistication, ensuring persistent access to valuable user credentials.

(Image: Xehook Stealer detection. Source: Cyble)

To evade detection, Xehook Stealer employs multiple stealth techniques, meticulously crafted to outsmart conventional security measures.

The malware’s time-based restriction mechanism, coupled with language-based checks, is designed to keep it from running in analysis environments, hindering attempts at reverse engineering.

Furthermore, Xehook Stealer uses process injection techniques on target systems to evade traditional detection mechanisms.

The malware’s ability to dynamically adapt to target environments, coupled with its evasion tactics, poses a challenge to cybersecurity professionals trying to decode its functionalities. 
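The process injection mentioned above leaves a footprint in endpoint telemetry that records cross-process handle opens and remote thread creation (Sysmon event IDs 10 and 8). The Python script below is an added illustration by this editor, not code from the article or from the Cyble/CRIL report, and it does not reproduce anything from the stealer itself. It runs a simple correlation heuristic over a few constructed, Sysmon-like events (the field names, paths and timestamps are assumptions made for the example) and flags an image running from a user-writable location that opens a browser process with write and thread-creation rights and then creates a remote thread in it.

```python
from typing import Dict, List

# Constructed sample events in a simplified Sysmon-like form. Field names and
# values are assumptions for this illustration, not a vendor schema or real IoCs.
# Event IDs 10 (ProcessAccess) and 8 (CreateRemoteThread) are real Sysmon IDs.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 10, "UtcTime": "2024-02-01 10:00:00.000",
     "SourceImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "GrantedAccess": "0x1F0FFF"},                       # PROCESS_ALL_ACCESS
    {"EventID": 8, "UtcTime": "2024-02-01 10:00:00.100",
     "SourceImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 10, "UtcTime": "2024-02-01 10:00:01.000",
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000"},                         # QUERY_LIMITED_INFORMATION
    {"EventID": 1, "UtcTime": "2024-02-01 10:00:02.000",
     "Image": r"C:\Windows\explorer.exe"},               # unrelated process creation
]

# Browser images whose memory holds the credentials and cookies a stealer wants.
BROWSER_TARGETS = ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe")

# Writing code into another process and starting it there needs at least these two
# rights: PROCESS_VM_WRITE (0x0020) and PROCESS_CREATE_THREAD (0x0002).
INJECTION_RIGHTS = 0x0020 | 0x0002


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _untrusted_source(path: str) -> bool:
    """Heuristic (assumption): images under user profile / Temp / AppData paths are
    treated as untrusted; Windows and Program Files locations are not."""
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\appdata\\" in p or "\\temp\\" in p


def flag_injection(events: List[Dict]) -> List[Dict]:
    """Correlate ProcessAccess and CreateRemoteThread events.

    Returns one finding per suspicious event: 'medium' when an untrusted image
    obtains injection-capable rights on a browser process, 'high' when the same
    source then creates a remote thread in that browser.
    """
    armed = set()      # (source, target) pairs that already hold injection rights
    findings = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        eid = ev.get("EventID")
        if eid not in (8, 10):
            continue
        src, tgt = ev["SourceImage"], ev["TargetImage"]
        if _basename(tgt) not in BROWSER_TARGETS or not _untrusted_source(src):
            continue
        if eid == 10:
            rights = int(ev["GrantedAccess"], 16)
            if rights & INJECTION_RIGHTS == INJECTION_RIGHTS:
                armed.add((src, tgt))
                findings.append({"time": ev["UtcTime"], "source": src, "target": tgt,
                                 "severity": "medium",
                                 "reason": "VM_WRITE|CREATE_THREAD handle to browser"})
        elif (src, tgt) in armed:
            findings.append({"time": ev["UtcTime"], "source": src, "target": tgt,
                             "severity": "high",
                             "reason": "CreateRemoteThread after injection-capable handle"})
    return findings


if __name__ == "__main__":
    for f in flag_injection(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["time"], f["source"], "->", f["target"], "|", f["reason"])
```

The svchost-to-lsass handle is deliberately left unflagged: its access mask lacks write and thread-creation rights and the target is not a browser, which is the kind of benign noise a rule like this must ignore. In production the path heuristic would be replaced by signer or reputation data, and the correlation window would be bounded in time.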

Xehook Stealer’s modus operandi revolves around targeted data extraction, meticulously tailored to maximize the yield of sensitive information. 

From passwords and cookies to autofill data and credit cards, the malware leaves no stone unturned in its quest for valuable assets. 

The inclusion of a file grabber module further amplifies its capabilities, enabling threat actors to harvest specific file formats from user directories.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
