A new malware-as-a-service (MaaS) operation named SantaStealer is being marketed on cybercrime forums, promoted for its ability to run in memory to evade file-based detection. However, security researchers at Rapid7 indicate the malware is a rebranded version of the older BluelineStealer and is not yet as sophisticated as advertised. The Russian-speaking developer offers subscriptions for $175 and $300 per month, with a planned full launch before the end of the year.
Analysis of leaked samples reveals that SantaStealer is far from undetectable and contains unencrypted strings, suggesting poor operational security. Its configurable control panel allows customers to tailor builds for specific data theft, using 14 distinct modules to steal information from browsers, cryptocurrency wallets, and applications like Telegram and Discord. The stolen data is compressed and exfiltrated in chunks to a hardcoded command server.
Despite claims of advanced evasion, the current samples lack sophisticated anti-analysis features. The malware includes functionality to bypass recent Chrome encryption protections and can be configured to avoid systems in certain geographic regions. While its exact distribution method is unclear, typical vectors like ClickFix social engineering, phishing, and pirated software are likely. Users are advised to exercise caution with email attachments and avoid executing unverified code from untrusted sources.
