Emerging Threats: New Malware Targets Crypto Wallets and Data
Full Transcript
A new malware-as-a-service information stealer named SantaStealer is being promoted on Telegram and hacker forums. According to security researchers at Rapid7, SantaStealer operates in memory to avoid file-based detection and is a rebranding of the earlier BluelineStealer project.
The malware is sold as a Basic subscription at $175 per month or a Premium subscription at $300 per month. Rapid7 analyzed several samples and accessed the affiliate web panel, revealing multiple data-theft mechanisms, although the malware does not fully live up to its advertised capabilities for evading detection and analysis.
The research indicates that SantaStealer is the work of a Russian-speaking developer, and its samples contain visible symbol names and unencrypted strings, suggesting poor operational security.
The user-friendly design of the affiliate panel allows customers to configure builds targeting specific data types, including browser data, cryptocurrency wallet information, and screenshots of the user’s desktop.
SantaStealer uses 14 distinct data-collection modules, each running in its own thread. Stolen data is archived into ZIP files and exfiltrated in 10MB chunks to a command-and-control endpoint over port 6767.
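The exfiltration pattern described above (repeated transfers of roughly 10MB to a command-and-control endpoint on port 6767) is something a defender can hunt for in network telemetry. The following is an added example, not code from Rapid7 or from this article: it parses a hypothetical, constructed flow-log format and flags source/destination pairs that show two or more TCP flows to port 6767 whose size matches the reported chunking. The sample log lines are constructed for the example; the 203.0.113.0/24 addresses are a documentation range, not real infrastructure.

```python
"""Flag outbound flows that match SantaStealer's reported exfiltration pattern:
ZIP chunks of about 10MB sent to a command-and-control endpoint on TCP port 6767.
Added example; the flow-log format and sample lines below are constructed and
are not taken from the Rapid7 report."""
import re
from collections import defaultdict

# Assumed (hypothetical) flow-log line layout:
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <bytes_out>
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<bytes>\d+)$"
)

C2_PORT = 6767                     # port reported in the article
CHUNK_BYTES = 10 * 1024 * 1024     # 10MB chunk size reported in the article
TOLERANCE = 0.15                   # accept sizes within +/-15% of the nominal chunk (assumed slack)
MIN_CHUNKS = 2                     # require repetition before alerting, to limit one-off false positives


def parse_flow(line):
    """Parse one flow-log line into a dict, or return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "proto": d["proto"].upper(),
        "bytes": int(d["bytes"]),
    }


def is_chunk_sized(nbytes):
    """True when a flow's byte count is close to the reported 10MB chunk size."""
    return abs(nbytes - CHUNK_BYTES) <= CHUNK_BYTES * TOLERANCE


def find_exfil_candidates(lines, min_chunks=MIN_CHUNKS):
    """Return {(src, dst): [flow, ...]} for pairs with at least min_chunks
    chunk-sized TCP flows to the reported C2 port."""
    by_pair = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        if f is None or f["proto"] != "TCP" or f["dport"] != C2_PORT:
            continue
        if is_chunk_sized(f["bytes"]):
            by_pair[(f["src"], f["dst"])].append(f)
    return {pair: flows for pair, flows in by_pair.items() if len(flows) >= min_chunks}


# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = [
    "2024-01-01T10:00:01Z 10.0.0.5:51000 -> 203.0.113.9:6767 TCP 10485760",
    "2024-01-01T10:00:03Z 10.0.0.5:51001 -> 203.0.113.9:6767 TCP 10485760",
    "2024-01-01T10:00:05Z 10.0.0.5:51002 -> 203.0.113.9:6767 TCP 3145728",   # final partial chunk, not counted
    "2024-01-01T10:00:07Z 10.0.0.7:52000 -> 203.0.113.9:6767 TCP 10485760",  # single flow: below MIN_CHUNKS
    "2024-01-01T10:00:09Z 10.0.0.8:53000 -> 203.0.113.20:443 TCP 10485760",  # wrong port: ignored
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for (src, dst), flows in find_exfil_candidates(SAMPLE_FLOWS).items():
        total = sum(f["bytes"] for f in flows)
        print(f"ALERT {src} -> {dst}:{C2_PORT}: {len(flows)} flows of ~10MB "
              f"({total} bytes) between {flows[0]['ts']} and {flows[-1]['ts']}")
```

The port and chunk size are reported indicators rather than fixed properties of the malware, so this heuristic should be treated as a hunting query to be tuned against local baselines (for instance, correlating with process telemetry or with the archive's trailing partial chunk) rather than as a standalone signature.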
It can collect passwords, cookies, browsing history, and saved credit card details, among other data. Because the malware has not yet been widely released, it is unclear how it will be distributed; cybercriminals may use ClickFix attacks, phishing, or other deceptive tactics to spread it.
Rapid7 advises users to be cautious with links and attachments in unexpected emails, and warns against running unverified code or installing unverified extensions from public repositories.