A new information stealer named ExelaStealer has become the latest entrant into an already crowded landscape filled with various off-the-shelf malware designed to capture sensitive data from compromised Windows systems.
“ExelaStealer is a massive open-source infostealer, with paid customizations available from threat actors,” James Slaughter, researcher at Fortinet FortiGuard Labs, said in a technical report.
Written in Python and incorporating support for JavaScript, it comes equipped with capabilities to siphon passwords, Discord tokens, credit cards, cookies and session data, keystrokes, screenshots, and clipboard contents.
ExelaStealer is offered for sale through cybercrime forums as well as a dedicated Telegram channel set up by its operators who go by the online alias quicaxd. The paid version costs $20 per month, $45 for three months, or $120 for a lifetime license.
The low cost of commodity malware makes it an ideal hacking tool for newcomers, effectively lowering the barrier of entry to carry out malicious attacks.
The stealer binary, in its current form, can only be compiled and packaged on Windows-based systems using a builder Python script, which throws the necessary source code obfuscation into the mix in an effort to resist analysis.
There is evidence to suggest that ExelaStealer is being distributed via an executable that masquerades as a PDF document, indicating that the initial intrusion vector could be anything from phishing to watering holes.
Upon launching the binary an attractive document is displayed – a Turkish vehicle registration certificate for the Dacia Duster – while the stealer silently activates in the background.
“Data has become a valuable currency and because of this, efforts to collect it will never stop,” Slaughter said.
“Infostealer malware exfiltrates data belonging to corporations and individuals that can be used for blackmail, espionage, or ransom. Despite the number of infostealers in the wild, ExelaStealer shows there is still room for new players to emerge and gain traction.”
The disclosure comes as Kaspersky revealed details of a campaign that targets government, law enforcement, and non-profit organizations to drop several scripts and executables at once to conduct cryptocurrency mining, steal data using keyloggers, and gain backdoor access to systems.
“The B2B sector remains attractive to cybercriminals, who seek to exploit its resources for money-making purposes,” the Russian cybersecurity firm said, noting that most of the attacks were aimed at organizations in Russia, Saudi Arabia, Vietnam, Brazil, Romania, the U.S., India, Morocco, and Greece.
Earlier this week, U.S. Cybersecurity and intelligence agencies released a joint advisory outlining the phishing techniques malicious actors commonly use to obtain login credentials and deploy malware, highlighting their attempts to impersonate a trusted source to realize their goals.
