Adamantium-Thief
SoranoStealer
Our great sponsors
| Adamantium-Thief | SoranoStealer | |
|---|---|---|
| 1 | 2 | |
| 726 | 16 | |
| - | - | |
| 0.0 | 10.0 | |
| over 1 year ago | over 4 years ago | |
| C# | C# | |
| - | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Adamantium-Thief
-
Russian Phishing campaign targets YouTube creators with cookie theft malware
We have observed that actors use various types of malware based on personal preference, most of which are easily available on Github. Some commodity malware used included RedLine, Vidar, Predator The Thief, Nexus stealer, Azorult, Raccoon, Grand Stealer, Vikro Stealer, Masad (Google’s naming), and Kantal (Google’s naming) which shares code similarity with Vidar. Open source malware like Sorano and AdamantiumThief were also observed. Related hashes are listed in the Technical Details section, at the end of this report.
SoranoStealer
-
Show HN: Device-Bound Session Tokens in JavaScript
httponly cookies are meant to prevent attacks like XSS by preventing access to them from client-side JS. However, they can still be stolen by malware on the device (there's a whole class of them called "cookie stealers"). Generally, they search through the infected machine's filesystem and pull out any cookies they find, or at least cookies that the attacker would be interested in. No client-side JS is required for this, so the httponly attribute doesn't help. There have also some browser extension-based cookie stealers that may work along similar principles. Take a look at this old open source stealer to get a sense of how they work: https://github.com/Alexuiop1337/SoranoStealer/tree/master/So...
Session-Lock and Chrome's DBSC are designed to combat these cookie stealers specifically. The premise is that even if an attacker exfiltrates the token itself, it would not be able to be used because the server would reject it if it is not signed by the correct private key when the network request is made. This private key can (or should) only exist on the legitimate device, not the attacker's machine. There may or may not be ways to extract the private key as well, but in any event, it would be a much more complicated attack.
-
Russian Phishing campaign targets YouTube creators with cookie theft malware
We have observed that actors use various types of malware based on personal preference, most of which are easily available on Github. Some commodity malware used included RedLine, Vidar, Predator The Thief, Nexus stealer, Azorult, Raccoon, Grand Stealer, Vikro Stealer, Masad (Google’s naming), and Kantal (Google’s naming) which shares code similarity with Vidar. Open source malware like Sorano and AdamantiumThief were also observed. Related hashes are listed in the Technical Details section, at the end of this report.
What are some alternatives?
NoMoreCookies - Browser Protector against various stealers, written in C# & C/C++.
Attune-Install-Brave-Browser - Contains the online and offline IT Automated installation procedures for Brave Browser
teardrop - Open-Source Ransomware Project for learning purpose only written in C# (csharp). Dont use it for bad things.
AOL_4.0_Emu - Emulating AOL 4.0
Stealerium - Stealer + Clipper + Keylogger
Umbral-Stealer - Umbral Stealer is a fast, lightweight stealer written in C#. The collected data is transferred through discord webhooks.
Browser-Info-Passing - Grab Browser Usernames And Passwords