
"The malware is written in Node.js and packaged as an Inno Setup installer. It uses Run registry keys and scheduled tasks to establish persistence, hides its payloads as system and hidden attributes, conducts detailed host reconnaissance, and extracts sensitive information such as credentials, cookies, and cryptocurrency wallet data through reflective DLL injection into browsers to bypass protections like Chrome's AppBound encryption."
"Once executed, the malware hides in a directory named 'Microsoft Updater' under %localappdata%\Programs. It creates Run registry keys and a scheduled task to gain persistence before launching updater.exe, its main component. 'From this point, the malware conducts extensive system reconnaissance, screen capturing, and credential theft, with a particular focus on web browsers and cryptocurrency wallets,' the researchers wrote. The password-decrypting functionality is embedded in infoprocess.exe, written in Go and obfuscated for stealth."
An infostealer campaign spreads the Maranhão Stealer through social engineering websites posing as sources of pirated software, cracked game launchers, and cheats. Malicious installers delivered as DerelictSetup.zip and Fnaf Doom.zip lure victims to execute the payload. The malware is implemented in Node.js, packaged with an Inno Setup installer, and persists via Run registry keys and scheduled tasks while hiding payloads with system and hidden attributes. It performs host reconnaissance, screen capture, and credential theft, targeting web browsers and cryptocurrency wallets. Reflective DLL injection into browsers enables theft of cookies and wallet data and can bypass protections such as Chrome's AppBound. The malware installs under %localappdata%\Programs\Microsoft Updater and uses updater.exe plus an obfuscated Go-based infoprocess.exe for password decryption.
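The persistence and staging traits summarised above (the %localappdata%\Programs\Microsoft Updater folder, updater.exe and infoprocess.exe, Run keys, a scheduled task, Hidden+System attributes) can be checked on a host with a short hunt script. The script below is an added example, not code from the article or the researchers it cites; the function name is invented, and the folder and file names it matches on are the ones the report gives.

```powershell
# Added hunt script (not from the article or the cited researchers).
# Reports hosts showing the traits described for Maranhão Stealer:
#  - staging folder %localappdata%\Programs\Microsoft Updater
#  - updater.exe / infoprocess.exe, or files carrying Hidden + System attributes there
#  - Run registry values or scheduled-task actions that launch from that folder
function Find-MaranhaoTraits {
    $stageDir = Join-Path $env:LOCALAPPDATA 'Programs\Microsoft Updater'   # reported install path
    $findings = @()

    # 1. Staging directory and its payloads (-Force also lists hidden/system files)
    if (Test-Path -LiteralPath $stageDir) {
        $findings += "Staging directory present: $stageDir"
        foreach ($f in (Get-ChildItem -LiteralPath $stageDir -Recurse -Force -File)) {
            $hiddenSystem = $f.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                            $f.Attributes.HasFlag([IO.FileAttributes]::System)
            if ($hiddenSystem -or $f.Name -in @('updater.exe', 'infoprocess.exe')) {
                $findings += "Suspicious file: $($f.FullName) [attributes: $($f.Attributes)]"
            }
        }
    }

    # 2. Run keys (current user and machine) whose command references the staging folder
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($keyPath in $runKeys) {
        if (-not (Test-Path $keyPath)) { continue }
        $key = Get-Item -Path $keyPath                      # Microsoft.Win32.RegistryKey
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            if ($value -like '*Microsoft Updater*') {
                $findings += "Run value '$name' in $keyPath -> $value"
            }
        }
    }

    # 3. Scheduled tasks whose action executes something from the staging folder
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -like '*Microsoft Updater*') {
                $findings += "Scheduled task '$($task.TaskName)' ($($task.TaskPath)) -> $cmd"
            }
        }
    }
    return $findings
}

$hits = Find-MaranhaoTraits
if ($hits.Count -eq 0) { 'No Maranhão Stealer persistence traits found.' }
else { $hits | ForEach-Object { "[!] $_" } }
```

Run it in an elevated session so the HKLM Run key and all scheduled tasks are readable; a hit on any of the three checks warrants a full triage of the host rather than just deleting the folder.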
Read at The Cyber Express