SapphireStealer is an open-source information-stealing malware family that numerous threat actors have adopted, extending its features and building customized variants. Edmund Brumaghin, a researcher at Cisco Talos, notes that information-stealing malware like SapphireStealer can be used to obtain sensitive data, such as corporate credentials, which are commonly sold to other threat actors. Those actors then use the acquired access to launch further operations, such as ransomware attacks, extortion, or espionage.
Over time a full ecosystem has developed in which nation-state actors and financially motivated criminals buy the services of stealer malware vendors for a variety of attacks. Because they make ransomware distribution, data theft, and other harmful cyber operations easier, these types of malware represent not only an evolution of the cybercrime-as-a-service (CaaS) model but also an opportunity for other threat actors to profit from the stolen data.
SapphireStealer is comparable to other stealer malware frequently sold on the dark web. It can gather host information, browser data, files, and screenshots. The collected data is sent as a ZIP file over the Simple Mail Transfer Protocol (SMTP), and the screenshots are stored in a database.
SapphireStealer stands out, though, because its source code was made available for free in late December 2022. This has made it easier for criminal actors to experiment with the malware, which in turn makes detection more difficult. One notable result of this experimentation is the addition of flexible data exfiltration methods, such as Discord webhooks or the Telegram API.
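As an added defender-side example (not code from the Talos report or the malware itself), the following script flags process-level network telemetry that matches the three exfiltration channels named above: SMTP from processes that are not mail clients, Discord webhook URLs, and Telegram bot API calls. The JSON log format, the process names and the mail-client allowlist are assumptions made for illustration.

```python
import json
from typing import Optional
from urllib.parse import urlparse

# Processes expected to speak SMTP; anything else on a mail port is suspect.
# This allowlist is an assumption for the example; tune it per environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}

def classify(event: dict) -> Optional[str]:
    """Return an alert label for one network event, or None if it looks benign."""
    proc = event.get("process", "").lower()
    parsed = urlparse(event.get("url") or "")
    host = parsed.hostname or event.get("dst_host", "")
    path = parsed.path
    if host == "api.telegram.org" and path.startswith("/bot"):
        return "telegram-bot-api"
    if host in {"discord.com", "discordapp.com"} and path.startswith("/api/webhooks/"):
        return "discord-webhook"
    if event.get("dst_port") in SMTP_PORTS and proc not in MAIL_CLIENTS:
        return "smtp-from-non-mail-client"
    return None

def scan(lines):
    """Run classify() over JSON-lines events; return (ts, process, label) tuples."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        label = classify(ev)
        if label:
            alerts.append((ev["ts"], ev["process"], label))
    return alerts

# Constructed sample telemetry for the example (not real Talos data).
SAMPLE_LOG = [
    '{"ts": "2023-09-01T10:00:01", "process": "outlook.exe", "dst_host": "mail.corp.example", "dst_port": 587}',
    '{"ts": "2023-09-01T10:00:05", "process": "updater.exe", "dst_host": "smtp.mail.example", "dst_port": 587}',
    '{"ts": "2023-09-01T10:00:09", "process": "chrome.exe", "url": "https://discord.com/channels/1/2", "dst_port": 443}',
    '{"ts": "2023-09-01T10:00:12", "process": "updater.exe", "url": "https://discord.com/api/webhooks/111/tok", "dst_port": 443}',
    '{"ts": "2023-09-01T10:00:15", "process": "updater.exe", "url": "https://api.telegram.org/bot1:AA/sendDocument", "dst_port": 443}',
]

if __name__ == "__main__":
    for ts, proc, label in scan(SAMPLE_LOG):
        print(f"{ts} {proc}: {label}")
```

Only the unknown process triggers alerts; the mail client on port 587 and the browser visiting a Discord channel page are left alone.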
Multiple variants of this threat are already present in the wild, and threat actors are continuously improving its effectiveness and efficiency, according to Brumaghin. FUD-Loader, a .NET malware downloader created by the same author, retrieves additional binary payloads from attacker-controlled servers.
Talos researchers have observed this downloader being used in the wild to distribute remote access tools including DCRat, njRAT, DarkComet, and Agent Tesla.