Cyber threats continue to evolve, and one of the latest emerging threats identified by the CYFIRMA research team is the Angry Stealer malware.
This infostealer has been found to be actively advertised on several online platforms, including Telegram, which expands its reach and makes it available to a wide audience of potential attackers.
Angry Stealer is a sophisticated infostealer that targets a wide range of sensitive information using advanced techniques and rebranding tactics. It is based on the previously identified Rage Stealer and shares nearly identical code, behavior, and functionality.
Stepasha.exe and MotherRussia.exe payloads attack any system
Angry Stealer is deployed via a dropper binary, a 32-bit Win32 executable written in .NET, designed to run two main payloads: “Stepasha.exe” and “MotherRussia.exe”. The main payload, Stepasha.exe, functions as the core of Angry Stealer’s operation, focusing on stealing sensitive information. This includes browser data (passwords, cookies, and autofill information), cryptocurrency wallet details, system information, VPN credentials, Discord tokens, and more. The data is then exfiltrated to a remote server via Telegram, using hardcoded credentials and bypassing SSL validation to ensure successful data transmission.
The secondary payload, MotherRussia.exe, serves as a tool for creating further malicious executables. This creation tool allows attackers to generate custom malware, which could facilitate remote desktop access or additional interactions with bots. The dual-payload approach not only expands the scope of data theft, but also enables the creation of bespoke malware, tailored to specific targets or attack scenarios.
Upon execution, Angry Stealer infiltrates the victim’s computer and begins systematically collecting sensitive data. It specifically targets popular web browsers using a multi-threaded approach, allowing it to collect data from multiple browsers simultaneously, extracting passwords, credit card details, cookies, autofill data, bookmarks, running processes, screenshots, and system specifications. The malware organizes this stolen data into a designated directory located at C:\Users\Username\AppData\Local\44_23, where it creates subdirectories for different types of information.
Once the browser paths have been scanned to gather valuable information, the malware imposes size limits on the files it copies to avoid detection. Furthermore, Angry Stealer is able to access user files from key directories such as Desktop and Documents, targeting personal documents and data that may be of interest to attackers.
Additionally, it can determine the system's IP address, geolocation, and network-related data, providing attackers with comprehensive information about the victim's environment. This data-gathering capability allows attackers to tailor their subsequent actions based on the specific characteristics of the infected system.
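Two of the behaviours described above, staging stolen data under %LOCALAPPDATA%\44_23 and exfiltrating it through Telegram, are observable from endpoint telemetry. The following is an added detection example, not code from the CYFIRMA report: it runs over constructed Sysmon-style file-create (event 11) and network-connect (event 3) records, and assumes the Telegram Bot API host api.telegram.org and a small allowlist of processes that legitimately talk to Telegram.

```python
import re
from typing import Dict, Iterable, List

# Staging directory reported for Angry Stealer: %LOCALAPPDATA%\44_23 with per-category subfolders.
STAGING_RE = re.compile(r"\\AppData\\Local\\44_23(\\|$)", re.IGNORECASE)

# Processes that legitimately talk to Telegram. Assumption for this example; tune per environment.
TELEGRAM_OK = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return detection labels for one Sysmon-style event (empty list = clean)."""
    hits = []
    img = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    # Event 11: file created inside the stealer's staging directory.
    if ev.get("EventID") == "11" and STAGING_RE.search(ev.get("TargetFilename", "")):
        hits.append("angry_stealer_staging_dir")
    # Event 3: connection to Telegram from a process that normally has no reason to use it.
    dest = ev.get("DestinationHostname", "").lower()
    if ev.get("EventID") == "3" and dest.endswith("telegram.org") and img not in TELEGRAM_OK:
        hits.append("telegram_from_unexpected_process")
    return hits


def scan(events: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each process image to the detection labels it triggered."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        for label in check_event(ev):
            findings.setdefault(ev.get("Image", "?"), []).append(label)
    return findings


# Constructed sample telemetry for the example (not real logs); subfolder name is assumed.
SAMPLE_EVENTS = [
    {"EventID": "11", "Image": "C:\\Users\\alice\\Downloads\\Stepasha.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\44_23\\Browsers\\passwords.txt"},
    {"EventID": "3", "Image": "C:\\Users\\alice\\Downloads\\Stepasha.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": "443"},
    {"EventID": "3", "Image": "C:\\Program Files\\Telegram Desktop\\Telegram.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": "443"},
    {"EventID": "11", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\report.tmp"},
]

if __name__ == "__main__":
    for image, labels in scan(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(labels))
```

Only the Stepasha.exe events are flagged; the legitimate Telegram client and the unrelated Temp write produce no findings.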
To effectively combat the threat posed by Angry Stealer and other similar malware, organizations must implement a multi-layered security approach. Key strategies include deploying robust endpoint security solutions capable of detecting and blocking malicious activities associated with information stealers, and ensuring that operating systems, applications, and security software are regularly updated to fix vulnerabilities that could be exploited.
Additionally, implementing network segmentation can help limit the movement of malware within the network, reducing the risk of widespread data theft. Organizations should also conduct comprehensive employee training programs to raise awareness about phishing threats and safe online practices. Finally, having an up-to-date incident response plan is critical to quickly addressing potential malware infections, minimizing damage, and facilitating the recovery of affected systems.