Angry Stealer Malware - A Sophisticated Data Theft Tool on the Rise

Threat Group: Unknown
Threat Type: Info-stealing malware
Exploited Vulnerabilities: User accounts, browser data, cryptocurrency wallets
Malware Used: Stepasha.exe, MotherRussia.exe
Threat Score: High (8.0/10) — Due to its ability to exfiltrate sensitive data stealthily via Telegram and the comprehensive data it targets.
Last Threat Observation: September 2024, observed across multiple security platforms.


Overview

Angry Stealer is a rebranded variant of Rage Stealer, which targets sensitive user data, including credentials, browser history, cryptocurrency wallets, and more. It leverages the Telegram API for exfiltrating data, making it harder to detect. This malware is actively promoted via underground forums and Telegram channels, sold for $150–$250.

Key Details:

  • Primary Components:
    • Stepasha.exe: Collects a range of sensitive information.
    • MotherRussia.exe: Used to create additional malicious files.
  • Data Collected:
    • Browser data, including login credentials and autofill information.
    • Banking and cryptocurrency wallet data.
    • Data from VPNs, Discord, and the Telegram app.
    • FTP client credentials, especially from FileZilla.
  • Exfiltration Method: Utilizes the Telegram API to send stolen data to a remote server. This technique bypasses many detection mechanisms, as Telegram is often whitelisted.

Attack Vectors:

Angry Stealer spreads primarily through phishing emails with malicious links or attachments, fake software downloads, and pirated content. Social engineering tactics are also used to lure victims into executing the malware on their systems. Once installed, it stealthily collects and compresses data into a ZIP archive and uploads it via Telegram.
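Because the stolen archive leaves over the Telegram Bot API, the exfiltration is still visible in egress logs even where api.telegram.org is allow-listed: legitimate endpoints rarely call /bot<token>/sendDocument from an arbitrary process. The Python below is an added detection sketch written for this advisory, not code from the original page or its sources; the key=value log format, the process names and the allow-list are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Telegram Bot API requests take the form https://api.telegram.org/bot<token>/<method>.
# Upload/send methods are the ones a stealer needs; getUpdates polling is ignored.
BOT_API_RE = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(sendDocument|sendMessage|sendPhoto)$")

# Assumed allow-list of in-house processes that legitimately use the Bot API; tune per environment.
ALLOWED_PROCS = {"opsalertbot.exe"}

# Constructed sample proxy log lines (not from a real incident).
SAMPLE_LOGS = [
    "ts=2024-09-10T10:01:02Z host=ws01 proc=opsalertbot.exe dst=api.telegram.org path=/bot111:AAAbbb/sendMessage bytes=312",
    "ts=2024-09-10T10:02:15Z host=ws01 proc=Stepasha.exe dst=api.telegram.org path=/bot222:CCCddd/sendDocument bytes=1843200",
    "ts=2024-09-10T10:03:40Z host=ws02 proc=chrome.exe dst=web.telegram.org path=/k/ bytes=4096",
    "ts=2024-09-10T10:04:01Z host=ws03 proc=svchost.exe dst=api.telegram.org path=/bot333:EEEfff/sendMessage bytes=640",
]


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value proxy log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return an alert string for one log entry, or None if it looks benign."""
    if entry.get("dst") != "api.telegram.org":
        return None  # web client traffic (web.telegram.org) is not Bot API use
    if not BOT_API_RE.match(entry.get("path", "")):
        return None  # not a send/upload method
    if entry.get("proc", "").lower() in ALLOWED_PROCS:
        return None  # known, sanctioned bot integration
    method = entry["path"].rsplit("/", 1)[1]
    return f"{entry['proc']} on {entry['host']} called Telegram Bot API {method} ({entry.get('bytes', '?')} bytes)"


def find_exfil(lines: List[str]) -> List[str]:
    """Run the rule over a batch of log lines and return the alerts raised."""
    return [alert for alert in (classify(parse_line(l)) for l in lines) if alert]


if __name__ == "__main__":
    for alert in find_exfil(SAMPLE_LOGS):
        print(alert)
```

A large byte count on sendDocument from a non-allow-listed process is the strongest signal; pair it with the process hash against the IoCs listed below.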

Indicators of Compromise (IoCs):

  • MD5 Hashes:
    • e1c9341433aafb571a96e49985186311 (Rage Stealer)
    • 56a579cb88eb4bb93a45b163ab9825d8 (Angry Stealer Dropper)
    • 08C3CB87AA0BF981A3503C116A952B04 (Builder Component)
  • SHA-256 Hashes:
    • a1a6920b3aebaa71f88a202adc24ff85b28ca4b8518f1f868586104658997175 (Rage Stealer)

Mitigation and Prevention:

  • Email Vigilance: Avoid clicking on suspicious links or opening unknown attachments.
  • Download Only from Trusted Sources: Ensure software is downloaded from reputable sources to prevent drive-by downloads.
  • Update Software Regularly: Keep operating systems and security tools up-to-date.
  • Enable Multi-Factor Authentication (MFA): Strengthen account security by enabling MFA wherever possible.
  • Deploy Antivirus Solutions: Use reputable antivirus programs to regularly scan systems and detect malware.

Conclusion:

Angry Stealer is a significant and evolving threat. Its use of the Telegram API for data exfiltration, along with its widespread marketing on social media, highlights the increasing sophistication of info-stealing malware. Organizations should strengthen email filtering, ensure regular patching, and educate users on phishing attacks to mitigate this threat effectively.


Sources:

  • CYFIRMA - A Comprehensive Analysis of Angry Stealer: Rage Stealer in a New Disguise
  • PCrisk - Angry Stealer Malware Overview
  • Cyclonis - Angry Stealer: The Malware Targeting Your Personal Data
  • BugsFighter - How to Remove Angry Stealer