SaintStealer – Sensitive Data Exfiltrator
Incident Report for Ascend Security Events
Resolved

Source: Cyble Research Labs

Cybersecurity researchers at Cyble Research Labs have released a report on a C# .NET-based information stealer developed by the Saint gang. SaintStealer activity can be traced back as far as November 2021. The malware has multiple capabilities for stealing credentials and system information from infected hosts.

After execution, the stealer collects usernames, passwords, credit card details, and similar data. It also gathers files from various locations across the system and compresses them into a password-protected zip archive. Once these files are compressed, the stealer exfiltrates the archive to a Telegram channel. The metadata related to the exfiltrated information is sent to a Command and Control (C&C) server: hxxp://f0591243.xsph[.]ru. The IP associated with the domain is linked to multiple stealer families, including Nixscare stealer, BloodyStealer, QuasarRAT, Predator stealer, and EchelonStealer.

The malware uses several analysis-evasion techniques. Once it determines that the infected host is a worthy target, it begins its information-stealing operations. Information targeted by the malware includes Discord tokens, desktop files, Chromium passwords, Chromium autofill data, Chromium cookies, Chromium credit cards, NordVPN account details, OpenVPN data, ProtonVPN data, Steam data, Vime details, Telegram details, as well as details about the system's hardware and environment.

Indicators of Compromise:

• cf4ea5be206fbee310c36d0fd6e33714
• b0d092887b1c41a7aaa7f99476cec3c51f28823c
• a6f5342f31a4f7e5b787f369dbb416f2b7117ceb291b55389ef97a08a6494fb4
• hxxp://f0591243.xsph[.]ru
• 141.8.197[.]42

As a result, Ascend Technologies has pushed detection for the known IOCs across our EDR, SIEM, and anti-malware platforms. These IOCs include the IP address, the C&C domain, and the file hashes listed above, which give us the ability to detect and alert on them. As with most malware, end users are the target, which makes maintaining a robust security posture highly important, including end-user training that develops safe and secure internet browsing habits.
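The indicators above are published in defanged form (hxxp://, [.]), so a SIEM or script that matches them has to refang them first and then match hosts and IPs on token boundaries rather than as raw substrings. The following is an added example written for this report, not code from Cyble or Ascend: it refangs the listed IoCs, scans a few constructed proxy and firewall log lines for the C&C host and IP, and compares computed file hashes against the published MD5/SHA1/SHA256 values. The log lines and the sample file bytes are constructed for illustration; only the indicator values come from the report.

```python
import hashlib
import re

# IoCs exactly as published in the report (defanged). They are refanged
# only in memory, so the defanged form stays in the source and in any
# configuration copied from it.
DEFANGED_IOCS = {
    "md5": "cf4ea5be206fbee310c36d0fd6e33714",
    "sha1": "b0d092887b1c41a7aaa7f99476cec3c51f28823c",
    "sha256": "a6f5342f31a4f7e5b787f369dbb416f2b7117ceb291b55389ef97a08a6494fb4",
    "url": "hxxp://f0591243.xsph[.]ru",
    "ipv4": "141.8.197[.]42",
}


def refang(ioc: str) -> str:
    """Undo the common hxxp:// and [.] defanging so the value can be matched."""
    return (ioc.replace("hxxp://", "http://")
               .replace("hxxps://", "https://")
               .replace("[.]", "."))


def host_of(url: str) -> str:
    """Return the host part of an http(s) URL without scheme, port or path."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()


def network_patterns(iocs=DEFANGED_IOCS):
    """Compile boundary-aware regexes for the C&C host and IP.

    The boundaries stop '141.8.197.42' from matching inside '141.8.197.420'
    and stop the host from matching as a label inside a longer domain.
    Only the exact host is matched; subdomains would need a separate rule.
    """
    host = host_of(refang(iocs["url"]))
    ip = refang(iocs["ipv4"])
    boundary = r"(?<![\w.-])%s(?![\w-]|\.[\w-])"
    return {
        "c2_host": re.compile(boundary % re.escape(host), re.IGNORECASE),
        "c2_ipv4": re.compile(boundary % re.escape(ip)),
    }


def scan_log_lines(lines, iocs=DEFANGED_IOCS):
    """Return (line_number, indicator_name, matched_text) for every network IoC hit."""
    hits = []
    patterns = network_patterns(iocs)
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in patterns.items():
            match = pattern.search(line)
            if match:
                hits.append((lineno, name, match.group(0)))
    return hits


def hash_bytes(data: bytes) -> dict:
    """Compute the three digests the report publishes for the sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_hashes(hashes: dict, iocs=DEFANGED_IOCS) -> list:
    """Return the algorithms whose computed value equals a published IoC hash."""
    return [alg for alg in ("md5", "sha1", "sha256")
            if hashes.get(alg, "").lower() == iocs[alg]]


# Constructed sample log lines (not real telemetry). Line 3 carries a
# superstring of the C&C IP and must not produce a hit.
SAMPLE_LOGS = [
    "2022-05-11T10:48:00Z proxy user=jdoe method=POST url=http://f0591243.xsph.ru/gate.php status=200",
    "2022-05-11T10:48:02Z fw action=allow src=10.0.0.15 dst=141.8.197.42 dport=80",
    "2022-05-11T10:48:05Z fw action=allow src=10.0.0.15 dst=141.8.197.420 dport=443",
    "2022-05-11T10:49:00Z proxy user=jdoe method=GET url=https://example.org/ status=200",
]

if __name__ == "__main__":
    for lineno, name, text in scan_log_lines(SAMPLE_LOGS):
        print(f"line {lineno}: {name} -> {text}")
    # A constructed benign file: none of its digests match the published hashes.
    print("hash matches:", match_hashes(hash_bytes(b"constructed benign bytes")))
```

In practice the `SAMPLE_LOGS` list is replaced by a file or SIEM export, and `hash_bytes` is fed the contents of quarantined files; matching on all three digests rather than MD5 alone avoids relying on a collision-prone algorithm for the final verdict.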

Author: Evan Obal

Source: https://blog.cyble.com/2022/04/27/dissecting-saintstealer/
Posted May 11, 2022 - 10:48 CDT