ASTRAL STEALER ANALYSIS

Published On : 2025-01-30

EXECUTIVE SUMMARY

At CYFIRMA, we are dedicated to providing timely insights into emerging threats and tactics used by cybercriminals targeting individuals and organizations. This report examines the capabilities of Astral Stealer v1.8, a powerful stealer coded in Python, C#, and JavaScript. It targets gaming accounts (Steam, Roblox, and Minecraft) and steals browser credentials, cookies, clipboard data, and browsing history. It also harvests sensitive data from cryptocurrency wallets (e.g., Ethereum, MetaMask) and wallet browser extensions, while avoiding detection through anti-debugging, VM bypass techniques, and customizable configurations.

INTRODUCTION

The “Astral Stealer” is an advanced malware tool designed to steal sensitive information, evade detection, and maintain persistence on compromised systems. Written in Python, C#, and JavaScript, it incorporates techniques like credential dumping, browser injection, and data exfiltration via webhooks, and is publicly available on GitHub, allowing attackers to exploit features, such as anti-VM detection, registry modifications, and system information discovery.

Astral Stealer also offers advanced capabilities that can be enabled for an additional payment, such as viewing backup codes, auto-changing email, and an anti-delete system that reinstalls after Discord uninstallation or updates. It also supports reinstallation of Discord injections, logs newly added credit cards and passwords, and extracts data from VPNs, cryptocurrency extensions, and other targeted platforms.

The Astral Stealer developer used the Guna.UI DLL to design the builder, which is highly customizable, visually appealing, and user-friendly, with multiple selection options.

Key Capabilities Outlined in The Following Mind Map

ANALYSIS

File Name:    main1.exe
File Size:    58.49 MB
Signed:       The file is not signed
MD5 Hash:     89fc006be2727c96ad682a0b17df0c2d
SHA256 Hash:  9d2a557369a79c350bd35bf6b44d14fd69b3d247f7120be6c28694c786a82d35

Fake Error Feature

Defense Evasion: Masquerading

The thiefcat_DoAFakeError method produces a fake error message whenever the fake_error attribute is set to “yes”. It calls the Windows MessageBoxW function to display an error dialog with a made-up error code (Windows_0x786542) and a generic failure message.

This tactic is used by attackers to:

  • Distract the user and divert attention from hidden activities that are executed behind the scenes.
  • Create a false sense of system malfunction to delay the user’s response or investigation.

Hides Itself in the Background

Defense Evasion: Hide window

The thiefcat_HideYourself function is used in the script to hide the executing process from the user’s view. If the self.hide attribute is set to “yes,” it retrieves the window handle of the current foreground application and hides it. Additionally, it opens the process with all access rights and sets its priority to “below normal” to minimize its impact on system performance and evade detection.

Configuring the malware to run at startup

Persistence: Registry run keys / Startup folder

The thiefcat_AddStartup function copies the Astral Stealer executable into the Windows Startup folder so that it runs automatically whenever the system starts, maintaining its foothold on the compromised system without user intervention. It retrieves the current executable path and copies it to the Startup directory; if a previous copy of the file already exists in that location, it removes it before copying the new one.
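A defender-side sweep of the Startup folders that the persistence step above abuses, added here as an example (not code from the report or from the stealer): it hashes every file in the per-user and all-users Startup folders and matches the digests against the SHA256 indicators published at the end of this report. The list of file extensions treated as suspect is an assumption.

```python
import hashlib
import os
from pathlib import Path

# SHA256 indicators published in this report (Builder, Stealer-Python, Stealer-exe).
ASTRAL_IOC_SHA256 = {
    "efc7d1c751f012fba719f8e5e952046d7e5314d1fcb60344a19844a114b87c08",
    "07ff2b577637c00eefaed7a6eb54f81fa5514680474b556e3ee683969c92ee47",
    "9d2a557369a79c350bd35bf6b44d14fd69b3d247f7120be6c28694c786a82d35",
}

# Executable content that should not sit in a Startup folder unannounced
# (assumed triage list; a normal Startup folder mostly holds .lnk shortcuts).
SUSPECT_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".pif"}


def startup_folders():
    """Return the per-user and all-users Startup folders of this host."""
    appdata = os.environ.get("APPDATA", "")
    programdata = os.environ.get("PROGRAMDATA", "")
    sub = r"Microsoft\Windows\Start Menu\Programs\Startup"
    return [Path(appdata) / sub, Path(programdata) / sub]


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so a large dropper (58 MB here) is not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def audit_startup_folder(folder, iocs=ASTRAL_IOC_SHA256):
    """Hash every file in one Startup folder and classify it.

    Returns a list of (path, sha256, verdict) tuples, verdict being
    'ioc-match' (digest is in the IoC set), 'suspect' (executable content
    with an unknown digest) or 'benign-extension' (e.g. a .lnk shortcut).
    """
    findings = []
    folder = Path(folder)
    if not folder.is_dir():
        return findings
    for entry in sorted(folder.iterdir()):
        if not entry.is_file():
            continue
        digest = sha256_of(entry)
        if digest in iocs:
            verdict = "ioc-match"
        elif entry.suffix.lower() in SUSPECT_EXTENSIONS:
            verdict = "suspect"
        else:
            verdict = "benign-extension"
        findings.append((str(entry), digest, verdict))
    return findings


if __name__ == "__main__":
    for folder in startup_folders():
        for path, digest, verdict in audit_startup_folder(folder):
            print(f"{verdict:17} {digest}  {path}")
```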

Anti-VM

Defense Evasion: Obfuscated Files or Information, Virtualization/Sandbox Evasion | Collection: System Information Discovery

  • The AntiDebugg class is designed to detect debugging or virtual machine environments so that the stealer can avoid analysis.
  • During initialization, it fetches blocked programs, PC names, hardware IDs, and IP addresses from JSON files hosted online, creating three synchronized threads to execute checks using the last_check, keys_regex, and Check_and_Spec methods.
  • The last_check method verifies specific file paths and compares user, PC name, and network information against blocked lists.
  • The Check_and_Spec method evaluates system resources, such as memory, storage space, and CPU count.
  • If any checks indicate a warning, the program sets the inVM flag to True, signalling that it should terminate to avoid unauthorized execution.
  • If the inVM attribute is False, it indicates that the AntiDebugg class has not detected any signs of a virtual machine or debugging environment. In this case, the program continues its normal operations, allowing it to execute without restrictions.

Chrome Extensions Injector

Execution: User execution and Persistence: Browser extension

  • Configuration Check and Process Termination: The code first verifies if Chrome injection is enabled and terminates any running instances of targeted browsers to prevent conflicts during the installation of malicious extensions.
  • Fetching and Extracting Extensions: It downloads a ZIP file containing the malicious extensions from a GitHub repository and extracts its contents to prepare for installation.
  • Modifying Extension Files: The code modifies key JavaScript files (background.js) within the extensions to replace placeholders with specific API URLs or webhooks, facilitating communication with the attacker’s server.
  • Altering Browser Shortcuts: It updates browser shortcuts to load the injected extensions automatically upon startup, ensuring that the malicious code executes every time the user opens the browser, thus compromising user data.

Discord Injection

Defense Evasion: Process injection

  • Configuration Check: The process begins by verifying if Discord injection is enabled through the AEZRETRYY5 configuration value.
  • Discord Path Discovery: The code searches the user’s AppData directory for “discord” directories to locate the relevant application paths.
  • Module and Injection Path Identification: It identifies application paths matching the app-(version) pattern and checks for a “modules” subdirectory for potential injections, specifically looking for names related to coresecretname.
  • Injection Process: If an index.js file is found, the code fetches a malicious script from a URL (core_asar), modifies it with specific values (like API links and creator names), and writes it to the index.js file.
  • Optional Discord Termination: If specified in the configuration (killdiscord_config), the code attempts to terminate the Discord process to apply the injection without conflicts.
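An integrity check for the injection point described above, added here as an example (not code from the report or the stealer): it walks the app-(version)/modules/discord_desktop_core-(n)/ layout under a Discord install root and flags any index.js that deviates from the one-line stock loader. The stock loader string, the directory layout and the marker list are assumptions; verify them against a clean install.

```python
import re
from pathlib import Path

# Stock content of discord_desktop_core/index.js (assumption: matches an
# unmodified Discord client; confirm against a known-clean install).
STOCK_INDEX_JS = "module.exports = require('./core.asar');"

# Strings that never belong in the stock loader (constructed triage list).
SUSPICIOUS_MARKERS = (
    re.compile(r"https?://", re.I),          # any remote URL (webhook, API link)
    re.compile(r"webhook", re.I),
    re.compile(r"discord(app)?\.com/api", re.I),
)


def classify_index_js(text):
    """Return 'clean' or a reason string describing why index.js looks injected."""
    stripped = text.strip()
    if stripped == STOCK_INDEX_JS:
        return "clean"
    reasons = []
    for rx in SUSPICIOUS_MARKERS:
        if rx.search(text):
            reasons.append(f"contains {rx.pattern!r}")
    line_count = len(stripped.splitlines())
    if line_count > 1:
        reasons.append(f"{line_count} lines, stock loader is 1 line")
    if not reasons:
        reasons.append("content differs from stock loader")
    return "; ".join(reasons)


def find_index_js(root):
    """Yield every discord_desktop_core index.js below a Discord install root.

    Layout searched (assumed):
    <root>/app-<version>/modules/discord_desktop_core-<n>/discord_desktop_core/index.js
    """
    root = Path(root)
    for app_dir in sorted(root.glob("app-*")):
        for core in sorted((app_dir / "modules").glob("discord_desktop_core-*")):
            candidate = core / "discord_desktop_core" / "index.js"
            if candidate.is_file():
                yield candidate


def scan_discord_install(root):
    """Map each index.js path under root to its classification."""
    return {str(p): classify_index_js(p.read_text(encoding="utf-8", errors="replace"))
            for p in find_index_js(root)}


if __name__ == "__main__":
    import os
    # Default per-user install roots for Discord, PTB and Canary (assumed names).
    local = Path(os.environ.get("LOCALAPPDATA", ""))
    for name in ("Discord", "DiscordPTB", "DiscordCanary"):
        for path, verdict in scan_discord_install(local / name).items():
            print(f"{verdict:60} {path}")
```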

Process Kill

Defense Evasion: Terminate the process

The kill_process method terminates a specific process by its name.

  • Process Enumeration and Name Check: The method iterates through all running processes and checks whether each process’s name matches the specified process_name.
  • Process Termination: If a match is found, the method attempts to terminate the process using proc.kill().
  • Error Handling: It handles exceptions like NoSuchProcess, AccessDenied, and ZombieProcess, allowing the method to continue without interruption if errors occur.

Extracting Cryptocurrency Wallet Data and Extensions for Unauthorized Access

Credential access

The thiefcat_GetWallet function is designed to extract cryptocurrency wallet data from various applications and browsers. It first checks if cryptocurrency data has been found and sets up directories for different wallet types, like Zcash and Exodus, iterating through specified wallet directories to copy their contents. Additionally, it searches for browser extensions related to cryptocurrency wallets in the user data directories of several browsers, copying any found extensions to the specified wallet directory, enabling the theft of sensitive wallet information.

Bypass Discord Token Protector and Better Discord

Defense Evasion: Disable or modify tools and modify the authentication process

The stealer uses the following two functions to manipulate and bypass protections related to Discord applications.

The thiefcat_BypassTokenProtector function disables and bypasses Discord Token Protector, a tool designed to secure Discord tokens. It first locates the directory and configuration file of Discord Token Protector, then deletes key components (DiscordTokenProtector.exe, ProtectionPayload.dll, secure.dat) to disable the protector. It reads and modifies the config.json file, disabling integrity checks, adjusting encryption parameters and adding a malicious marker, and finally writes the altered configuration back to the file.

The thiefcat_BypassBetterDsc function tampers with BetterDiscord, a customization tool for Discord. It locates the betterdiscord.asar file, a critical resource file for BetterDiscord, reads its content, replaces specific text with a malicious marker (NotKSCH58_goat), and writes the modified content back.

Grab Screenshot and System information

Collection: Screen capture and system information discovery

The thiefcat_TakeScreenshot function captures the screen’s contents using the ImageGrab.grab() method and saves it as “Screenshot.png” in a “Systeme” directory.

The thiefcat_GetSysInfo collects detailed system and user information, including the Windows key, version, RAM, disk storage, hardware ID, IP address, geographic location, organisation, Google Maps link, and system language. The data is saved as a plain text file (“System_Info.txt”) in the “Systeme” directory.

Disable Windows Defender

Defense Evasion: Disable or modify tools

The function begins by checking the self.disablemydefender attribute to see if the operator wishes to disable Windows Defender; if it is not set to “yes,” the function exits without changes. If the preference is confirmed, it decodes a base64-encoded command that runs multiple PowerShell commands to disable key Windows Defender features. These include turning off the Intrusion Prevention System, IOAV protection, real-time monitoring, and script scanning, along with disabling Controlled Folder Access and setting Network Protection to audit mode. The command also adds specific user directories to the exclusion list and excludes files with the .exe extension from scanning, allowing the malware to operate undetected.
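A tamper check for exactly the Defender settings listed above, added here as an example (not code from the report or the stealer): it reads a Get-MpPreference dump and reports every setting that deviates from a healthy baseline, plus exclusions that cover user-profile paths or all .exe files. The baseline values and the user-profile prefix are assumptions; adjust them to your own policy.

```python
import json
import shutil
import subprocess

# Settings the stealer's PowerShell payload flips, with the value a healthy
# host is assumed to show (Get-MpPreference property names).
EXPECTED = {
    "DisableIntrusionPreventionSystem": False,
    "DisableIOAVProtection": False,
    "DisableRealtimeMonitoring": False,
    "DisableScriptScanning": False,
    "EnableControlledFolderAccess": 1,   # 1 = Enabled, 0 = Disabled, 2 = AuditMode
    "EnableNetworkProtection": 1,        # 1 = Enabled, 0 = Disabled, 2 = AuditMode
}

# Exclusions mirroring the stealer's behaviour: whole user-profile paths and a
# blanket .exe extension exclusion (prefix is an assumption for this example).
USER_PROFILE_PREFIXES = ("C:\\Users\\",)
BLANKET_EXTENSIONS = {".exe", "exe"}


def assess_defender(prefs):
    """Compare a Get-MpPreference dump (dict) with the baseline; return findings."""
    findings = []
    for key, good in EXPECTED.items():
        actual = prefs.get(key)
        if actual is not None and actual != good:
            findings.append(f"{key}={actual!r} (expected {good!r})")
    for path in prefs.get("ExclusionPath") or []:
        if path.startswith(USER_PROFILE_PREFIXES):
            findings.append(f"ExclusionPath covers a user profile directory: {path}")
    for ext in prefs.get("ExclusionExtension") or []:
        if ext.lower().lstrip("*") in BLANKET_EXTENSIONS:
            findings.append(f"ExclusionExtension excludes all executables: {ext}")
    return findings


def collect_defender_prefs():
    """Run Get-MpPreference on a Windows host and return it as a dict (None elsewhere)."""
    ps = shutil.which("powershell") or shutil.which("pwsh")
    if ps is None:
        return None
    out = subprocess.run(
        [ps, "-NoProfile", "-Command", "Get-MpPreference | ConvertTo-Json -Depth 2"],
        capture_output=True, text=True, check=True,
    ).stdout
    return json.loads(out)


if __name__ == "__main__":
    prefs = collect_defender_prefs()
    if prefs is None:
        print("Get-MpPreference unavailable; pass a saved JSON dump to assess_defender()")
    else:
        for finding in assess_defender(prefs) or ["no tampering indicators found"]:
            print(finding)
```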

AntiVirus Detection

Discovery: File and Directory Discovery

The thiefcat_GetAntiVirus function retrieves the installed antivirus products. It first checks whether self.Found_AV is “yes” and exits if not; it then executes a WMIC command to query the local machine for antivirus software and captures the output. If successful, it processes the output to extract the antivirus names and writes them to “Anti Virus.txt” in the specified directory (self.dir/Systeme). This function gathers information on the system’s antivirus installations for further use.

Steal Wifi Password

Credential Access: Credentials from web browsers

The function extracts stored Wi-Fi profiles and passwords using Functions.NotKSCH58findwifi(), formatting them with SSID and password details and saving them to a file named “Wifi Info.txt” in the “Systeme” directory. It appends metadata and separators for clarity, and increments a counter for the number of retrieved Wi-Fi networks.

Grab Clipboard Data

Collection: Clipboard data

The NotKSCH58findClipboard function retrieves the clipboard’s current contents using a PowerShell command. The thiefcat_GetClipboard method checks whether clipboard collection is enabled and saves the retrieved data to a file named “Latest Clipboard.txt” in a specified directory.

USB Connection Status

Discovery: Hardware inventory

The NotKSCH58findDevices function executes a PowerShell command to retrieve information about currently connected USB devices. It uses subprocess.run() to run the command and captures the output if successful. The thiefcat_GetAllUSB method first checks whether USB collection is enabled (self.Found_Sys == “yes”), then creates a directory for storing device information, and writes the output from NotKSCH58findDevices to a text file named “Devices Info.txt”.

Steal Browser Passwords / Cookies / History / Bookmarks / Credit card information

Credential Access: Credential dumping & Collection: Data from information repositories

  • Browser Data Extraction: The various methods (thiefcat_browsers4, thiefcat_browsers1, thiefcat_GetGoogle2, thiefcat_GetGoogle1, thiefcat_browsers3, thiefcat_browsers2, thiefcat_browsers5, and thiefcat_GetGoogle3) are designed to extract sensitive data (passwords, bookmarks, history, credit card information) from different web browsers, primarily focusing on Chrome and Firefox.
  • Conditional Execution: Each method begins with a check (if self.Found_Browsers != “yes”) to ensure that browser data can only be extracted if the application has successfully detected any installed browsers. If no browsers are found, the method exits early.
  • Database Handling: The methods typically involve copying the relevant database files (like “Login Data,” “History,” “Web Data,” etc.) to a temporary location. This allows the application to connect to the SQLite databases and execute queries to retrieve stored data without disrupting the original files.
  • Data Decryption: The decrypt_value function is designed to decrypt encrypted passwords using AES encryption in GCM mode with a specified master key. It extracts the initialization vector (IV) from the input buffer, decrypts the payload, and returns the decoded password. For handling sensitive data, such as passwords and credit card information, the code employs a method (self.value_decrypt) to ensure that encrypted values are securely decrypted and stored in a human-readable format.
  • Data Storage: Extracted data is written to text files (e.g., “Passwords.txt,” “Bookmarks.txt,” “History.txt,” “CC.txt”) in the specified output directory. The methods append to these files, allowing cumulative data collection over multiple runs.

Data Exfiltration over Webhook

Exfiltration: Exfiltration over command and control channel & Exfiltration over web service

  • File Upload (Upload_Path): This method checks if a file exists at the specified path, reads its content as binary, and uploads it to Gofile.io. If successful, it returns the download link for the uploaded file.
  • Text File Management (finished_bc): The method iterates through the text files in a specified directory. It removes any empty files and appends predefined metadata to the non-empty files before saving them.
  • ZIP File Creation: It creates a ZIP archive of the specified directory’s contents, compressing all files found. This ZIP file is named based on system specifications and is stored in a designated app data directory.
  • Metadata Compilation: The code compiles statistics about files, such as their count and names, and gathers token data from a predefined list, formatting this information for inclusion in an embedded message.
  • Webhook Notification: An embedded message containing system and file information is constructed and sent to a specified webhook. If the ZIP file exceeds 8 MB, a message with a download link is sent instead of the file.
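As an added detection example (not part of the report), the following scans proxy access-log lines for the two channels described above, Discord webhook POSTs and Gofile.io uploads, and separately flags any upload at or above the 8 MB threshold at which the stealer switches from attaching the ZIP to sending a download link. The log-line format, the host list and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# URL shapes of the report's exfiltration channels (constructed for this example).
WEBHOOK_RX = re.compile(r"^/api/(v\d+/)?webhooks/\d+/[A-Za-z0-9_\-]+", re.I)
DISCORD_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}
GOFILE_RX = re.compile(r"(^|\.)gofile\.io$", re.I)
LARGE_POST_BYTES = 8 * 1024 * 1024   # the 8 MB switch-over point described above

# Assumed access-log layout: "<ts> <client> <method> <url> <status> <request bytes>"
LINE_RX = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)"
)


def classify_request(method, url, nbytes):
    """Return alert tags for one proxied request ([] when nothing matches)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tags = []
    if method == "POST" and host in DISCORD_HOSTS and WEBHOOK_RX.match(parts.path):
        tags.append("discord-webhook-post")
    if method in ("POST", "PUT") and GOFILE_RX.search(host):
        tags.append("gofile-upload")
    if method in ("POST", "PUT") and nbytes >= LARGE_POST_BYTES:
        tags.append("large-upload")
    return tags


def scan_log(lines):
    """Parse log lines; return (client, url, tags) for every line that raised a tag."""
    hits = []
    for line in lines:
        m = LINE_RX.match(line)
        if not m:
            continue   # skip malformed lines rather than abort the sweep
        tags = classify_request(m["method"], m["url"], int(m["bytes"]))
        if tags:
            hits.append((m["client"], m["url"], tags))
    return hits


# Constructed sample: one benign GET, a webhook POST, a 9 MiB Gofile upload,
# and a GET to a webhook URL that should not trigger the POST rule.
SAMPLE_LOG = """\
1738224000.101 10.0.0.15 GET https://www.example.com/index.html 200 5120
1738224003.412 10.0.0.15 POST https://discord.com/api/webhooks/123456789012345678/AbCdEf-ghIJkl_MN 204 2048
1738224010.007 10.0.0.15 POST https://store1.gofile.io/uploadFile 200 9437184
1738224012.550 10.0.0.22 GET https://discord.com/api/webhooks/123456789012345678/AbCdEf-ghIJkl_MN 200 512
""".splitlines()

if __name__ == "__main__":
    for client, url, tags in scan_log(SAMPLE_LOG):
        print(client, ",".join(tags), url)
```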

Modifies Registry keys

Defense Evasion: Indicator removal on host

Setting ‘HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\Circular Kernel Context Logger\Status’ to 0 disables the Circular Kernel Context Logger (CKCL) in Windows, preventing the collection of important system performance and diagnostic data and making it harder for security tools or administrators to detect malicious activity or troubleshoot system issues. By suppressing kernel-level logs, the stealer may avoid leaving traces of its actions. This tactic could be used to make the attack more difficult to analyze or reverse-engineer.

Defense Evasion: Time Manipulation

Setting ‘HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config\LastKnownGoodTime’ to a manipulated binary value (\x1e\xb2 \xd8\x08i\xdb\x0) disrupts the Windows Time Service, which could cause the system to use an incorrect fallback time and lead to time synchronization issues. Time manipulation can interfere with logs, scheduled tasks, and security mechanisms, and may be used by attackers to evade detection by altering timestamps.

EXTERNAL THREAT LANDSCAPE MANAGEMENT

The developer has made “Astral Stealer” publicly available on GitHub. The malware is coded in Python, C#, and JavaScript, and the developer claims that it is a fork of Hazard Grabber and Wasp-stealer.

The developer, who claims to be from France, maintains a Twitch account (a platform widely recognized for live-streaming gaming content) and has referenced this connection on their GitHub profile. Furthermore, their YouTube channel features numerous live streams of gaming sessions, indicating a potential influence from gaming.

The source code reveals multiple modifications by other users indicating the involvement of multiple developers in its creation and updates.

The developer behind “Astral Stealer” is the same individual who previously worked on projects like “Yunit Stealer” and “Piro Sentinel Stealer,” suggesting continuity in their involvement with malicious software development (see [https://www.cyfirma.com/research/yunit-stealer/]).

All of the developer’s other Discord and Telegram channels have been closed, except one remaining Telegram channel, “Piro Sentinel.” However, there have been no discussions or updates since September.

Diamond Model

MITRE ATTACK FRAMEWORK

Tactic                Technique ID   Technique
Credential Access     T1003          Credential Dumping
                      T1550.004      Steal Application Access Tokens
                      T1552.001      Unsecured Credentials
                      T1056          Input Capture
                      T1555.003      Credentials from Web Browsers
                      T1555          Credentials from Password Stores
                      T1071.001      Application Layer Protocol: Web Protocols
Execution             T1203          Execution through API
                      T1203          User Execution
Discovery             T1018          Remote System Discovery
                      T1082          System Information Discovery
                      T1069          Hardware Inventory
                      T1057          Process Discovery
                      T1016          System Network Configuration Discovery
                      T1083          File and Directory Discovery
                      T1518.001      Security Software Discovery
Defense Evasion       T1070          Indicator Removal on Host
                      T1070.006      Hide Window
                      T1036          Masquerading
                      T1556.002      Modify Authentication Process
                      T1070.004      Indicator Removal on Host
                      T1027          Obfuscated Files or Information
                      T1497          Virtualization/Sandbox Evasion
                      T1562          Disable or Modify Tools
                      T1562.001      Terminate Process
                      T1070.003      Time Manipulation
Persistence           T1547.001      Registry Run Keys / Startup Folder
                      T1176          Browser Extension
Collection            T1113          Screen Capture
                      T1082          System Information Discovery
                      T1115          Clipboard Data
                      T1005          Data from Local System
                      T1213          Data from Information Repositories
Command and Control   T1071          Application Layer Protocol
Exfiltration          T1041          Exfiltration Over Command-and-Control Channel
                      T1071          Exfiltration Over Web Service

CONCLUSION

The “Astral Stealer” malware, publicly available on GitHub, showcases the developer’s advanced skills in creating multi-functional malicious tools, integrating techniques for credential access, persistence, defense evasion, and exfiltration. The malware’s wide array of features, including anti-VM detection, browser injection, and system data theft, demonstrates its comprehensive design for stealth and data theft. The involvement of multiple developers highlights a collaborative effort to refine its capabilities. The developer’s past involvement in similar projects like “Yunit Stealer” and “Piro Sentinel Stealer” reflects a pattern of malicious software creation.

RECOMMENDATIONS

Strategic Recommendations:

  • Threat Intelligence Integration: Continuously monitor and incorporate threat intelligence feeds into your organization’s cybersecurity framework to stay updated on emerging threats like Astral Stealer.
  • Incident Response Planning: Develop and maintain a robust incident response plan that includes handling sophisticated malware attacks targeting sensitive data and credentials.
  • Collaboration with Industry Groups: Partner with cybersecurity communities, CERTs, and government agencies to share intelligence and best practices for mitigating threats posed by advanced stealers.

Management Recommendations:

  • Employee Awareness and Training: Conduct regular awareness programs to educate employees about phishing tactics, malware risks, and the importance of safe browsing habits.
  • Access Management: Implement strict access controls, applying the principle of least privilege (PoLP) to limit exposure to critical systems and sensitive data.
  • Vendor and Third-Party Risk Assessment: Evaluate third-party software, plugins, and extensions for potential vulnerabilities that could be exploited by malware like Astral Stealer.
  • Backup Policy Enforcement: Ensure regular and secure backups of critical data to enable recovery in case of data exfiltration or ransomware attacks.

Technical Recommendations:

  • Endpoint Protection and Monitoring: Deploy advanced endpoint detection and response (EDR) tools to monitor, detect, and mitigate malware activities such as process injection and registry modifications.
  • Browser and Extension Hardening: Disable unnecessary browser extensions, enforce the use of vetted plugins, and restrict downloads from untrusted sources.
  • Behavioral Analytics: Leverage machine learning-based tools to detect anomalous behavior, such as unauthorized data access or system modifications, indicative of malware activities.
  • Anti-Phishing Mechanisms: Employ email filters, sandboxing, and DNS filtering to block phishing attempts that distribute malware like Astral Stealer.
  • Credential Hygiene: Enforce multi-factor authentication (MFA) and encourage users to avoid reusing passwords across platforms.

INDICATORS OF COMPROMISE

Sr. No.  Indicator                                                         Type    Remarks
1        efc7d1c751f012fba719f8e5e952046d7e5314d1fcb60344a19844a114b87c08  SHA256  Builder
2        07ff2b577637c00eefaed7a6eb54f81fa5514680474b556e3ee683969c92ee47  SHA256  Stealer-Python
3        9d2a557369a79c350bd35bf6b44d14fd69b3d247f7120be6c28694c786a82d35  SHA256  Stealer-exe