The Zscaler ThreatLabz team has discovered a new information stealer family called Agniane Stealer. The malware is designed to steal credentials, system information, and session data from browsers, messaging tokens, and file transfer tools. It specifically targets cryptocurrency extensions and wallets, posing a significant threat to cryptocurrency users. Once the sensitive data is collected, Agniane Stealer transfers it to command-and-control (C&C) servers, where threat actors can exploit the stolen information.
According to the Zscaler ThreatLabz team, Agniane Stealer is part of the Malware-as-a-Service (MaaS) platform known as Cinoshi Project. That platform was first discovered in early 2023, and Agniane Stealer shares code and infrastructure with it. The stealer is sold on various dark web forums.
The threat actors behind Agniane Stealer update the malware regularly and wrap it in packers. The packing helps it evade detection by security products and slows down analysis by researchers.
– Agniane Stealer is an information stealer that collects stored credentials from various web browsers, along with Telegram sessions, Discord tokens, and Steam, WinSCP, and FileZilla sessions. It also captures screenshots of the user’s desktop, collects OpenVPN profiles, and gathers system information.
– Agniane Stealer is particularly focused on stealing cryptocurrency data, with support for over 70 crypto extensions and 10 crypto wallets.
– The malware employs various evasion techniques to detect analysis environments, such as malware sandboxes, emulators, VirtualBox, and other analysis tools, and to avoid running inside them.
– Agniane Stealer is part of the Cinoshi Project MaaS platform, which offers its services and subscriptions on the dark web.
During the investigation, the Zscaler ThreatLabz team discovered a Telegram channel that promotes and sells Agniane Stealer. The channel is owned by an individual who consistently posts about the features, updates, and pricing of the malware. It is believed that this individual is the author of Agniane Stealer.
The Agniane Stealer user interface, accessed through the dark web, offers several tabs that allow threat actors to customize their use of the malware. The Builder tab provides options for building custom variants of Agniane Stealer. The Home tab displays instructions and the gate server’s status. The Logs tab presents a list of victim logs, including passwords, wallets, and cookies. The Settings tab allows threat actors to configure aspects of the malware’s behavior, such as disabling logging and enabling the checks that stop it from running under analysis tools. The Parsers tab provides options to parse victim logs, for example extracting Discord tokens or login credentials.
In terms of technical analysis, Agniane Stealer is written in C# and uses anti-analysis techniques to avoid detection. It checks whether a debugger is attached and exits if one is found. It also measures tick counts to detect whether it is running in an emulator or under an analysis tool, where elapsed time behaves differently from a real host (for example, when sleeps are accelerated). Agniane Stealer further looks up the geolocation of the victim’s machine and terminates if the address belongs to a hosting provider, since such addresses are more likely to be sandboxes than real victims. To obscure its activity, the malware uses handles to legitimate DLLs.
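The three checks described above, written as a C# illustration for this article; this is not Agniane Stealer's own code, and the sleep tolerance, the shape of the geolocation response, and the `hosting` field name are assumptions made for the example (the article only says the stealer exits when the address belongs to a hosting provider):

```csharp
using System;
using System.Diagnostics;
using System.Text.Json;
using System.Threading;

// Example anti-analysis checks of the kind the article describes.
// Written for this article; not code from Agniane Stealer or Cinoshi Project.
static class AnalysisChecks
{
    // Check 1: a managed debugger is attached to this process.
    public static bool DebuggerPresent() => Debugger.IsAttached;

    // Check 2: tick-count timing. Sleep for a known interval and compare the
    // elapsed tick count. Sandboxes and emulators that fast-forward Sleep()
    // report far less elapsed time than was requested.
    public static bool SleepWasSkipped(int sleepMs = 2000)
    {
        long before = Environment.TickCount64;
        Thread.Sleep(sleepMs);
        long elapsed = Environment.TickCount64 - before;
        // 500 ms tolerance for scheduler jitter is an assumed value.
        return elapsed < sleepMs - 500;
    }

    // Check 3: geolocation lookup. The caller obtains a JSON geolocation
    // response for the host's public IP (the network request is omitted here);
    // the "hosting" boolean field is an assumption for this example.
    public static bool IsHostingProvider(string geoJson)
    {
        using var doc = JsonDocument.Parse(geoJson);
        return doc.RootElement.TryGetProperty("hosting", out var hosting)
            && hosting.ValueKind == JsonValueKind.True;
    }

    static void Main()
    {
        // Constructed sample response, not the result of a real lookup.
        const string sample = "{\"country\":\"US\",\"hosting\":true}";

        bool analysisSuspected = DebuggerPresent()
            || SleepWasSkipped()
            || IsHostingProvider(sample);

        Console.WriteLine(analysisSuspected
            ? "analysis environment suspected: exiting"
            : "no analysis indicators found");
    }
}
```

For an analyst, each check points at a sandbox-hardening measure: run samples without a managed debugger attached (or patch `Debugger.IsAttached` results), do not accelerate sleeps so the tick-count delta matches wall-clock time, and route the sandbox's outbound traffic through a residential-looking egress or stub the geolocation response so the `hosting` indicator is false.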
With the discovery of Agniane Stealer, cryptocurrency users and anyone storing sensitive information in browsers or file transfer tools should exercise caution and implement strong security measures to protect their data.