Rewterz Threat Advisory – Multiple GitLab Community Edition and Enterprise Edition Vulnerabilities
November 1, 2023
Rewterz Threat Alert – North Korean APT Kimsuky Aka Black Banshee – Active IOCs
November 1, 2023
Severity
Medium
Analysis Summary
ExelaStealer is a newly identified information stealer, the latest entrant in an already crowded market of off-the-shelf malware that targets Windows systems to harvest sensitive data.
The report describes “ExelaStealer as a largely open-source infostealer with paid customizations available from the threat actor”.
The stealer can collect passwords, credit card numbers, cookies and session data, keystrokes, screenshots, and clipboard contents. It is written in Python, with additional support for JavaScript.
ExelaStealer is advertised on cybercrime forums and on a dedicated Telegram channel run by its administrator, quicaxd. The premium version is sold for $20 per month, $45 for three months, or a one-time payment of $120 for a lifetime license.

The low price of commodity malware such as this makes it an attractive tool for inexperienced actors and significantly lowers the barrier to entry for malicious activity.
At present, the stealer binaries can only be packed and compiled on a Windows machine using a Python builder script. The builder obfuscates the relevant source code to hinder analysis of the resulting samples.
Based on the available information, ExelaStealer is delivered as an executable that impersonates a PDF document, which points to phishing or watering-hole attacks as the likely initial access vector.
“Data has become a valuable currency, and because of this, attempts to gather it will likely never cease. InfoStealer malware exfiltrates data belonging to corporations and individuals that can be used for blackmail, espionage, or ransom. Despite the number of infostealers in the wild, ExelaStealer shows there is still room for new players to emerge and gain traction”, the researchers conclude.
The appearance of yet another information stealer shows that new actors can still establish themselves in this space. Data stolen by ExelaStealer gives attackers leverage for blackmail, espionage, or ransom demands, so organizations should protect their critical assets and infrastructure with robust security controls and hunt for the indicators listed below.
Impact
- Sensitive Information Theft
- Unauthorized Access
Indicators of Compromise
MD5
- a774e1965dea429e097e4a3e1bef0943
- 5429328937ed51076df9f8c4e5edc93a
- 5c7805f87a6e396231a360a4f350378f
- 8b594b44addb55ebac34806dd0935181
SHA-256
- f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048
- 95d860570b2777d7af213f9b48747d528251facada54842d7a07a5798fcbfe51
- 34dca3c80cd5125091e6e4de02e86dcc6a2a6f9900e058111e457c9bce6117c0
- c56b23602949597352d99aff03411d620b7a5996da2cab91368de275dcfbaa44
SHA-1
- 9895a3def0ccefd717ee85befb7c3b314191b0bf
- d5cca10a28fd3be2093e6c3a260515cb085f5e10
- 05540875a7a44d5fd9688a9d33b6c36b3d4cd611
- f0851f29d60447690cd19ac3200d521669ad941b
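The following script is an added example, not Rewterz tooling or part of the advisory. It hunts for the hashes listed above on a local filesystem and additionally flags Windows executables whose file name suggests a PDF, covering the delivery technique described in the analysis (an executable impersonating a PDF document). The IOC hashes are copied from this advisory; the PDF-lookalike heuristic (a `.pdf` fragment in the name combined with an `MZ` PE header) is an assumption introduced here, not something the advisory specifies.

```python
"""Hunt for the ExelaStealer IOCs listed in the advisory on a local filesystem.

Added example, not Rewterz tooling. Hashes are copied from the advisory;
the PDF-lookalike heuristic is an assumption based on the advisory's note
that the stealer is delivered as an executable posing as a PDF.
"""
import hashlib
import os
import sys
from pathlib import Path

# Indicators copied verbatim from the advisory's IOC section.
IOC_HASHES = {
    "md5": {
        "a774e1965dea429e097e4a3e1bef0943",
        "5429328937ed51076df9f8c4e5edc93a",
        "5c7805f87a6e396231a360a4f350378f",
        "8b594b44addb55ebac34806dd0935181",
    },
    "sha1": {
        "9895a3def0ccefd717ee85befb7c3b314191b0bf",
        "d5cca10a28fd3be2093e6c3a260515cb085f5e10",
        "05540875a7a44d5fd9688a9d33b6c36b3d4cd611",
        "f0851f29d60447690cd19ac3200d521669ad941b",
    },
    "sha256": {
        "f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048",
        "95d860570b2777d7af213f9b48747d528251facada54842d7a07a5798fcbfe51",
        "34dca3c80cd5125091e6e4de02e86dcc6a2a6f9900e058111e457c9bce6117c0",
        "c56b23602949597352d99aff03411d620b7a5996da2cab91368de275dcfbaa44",
    },
}

PE_MAGIC = b"MZ"      # DOS header that every Windows PE file starts with
CHUNK = 1 << 20       # read files in 1 MiB chunks so large files do not load into RAM


def hash_file(path):
    """Return (md5, sha1, sha256) hex digests from a single pass over the file."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def is_pdf_lookalike_pe(path):
    """True when the name suggests a PDF but the content is a Windows executable.

    Heuristic (assumption, not from the advisory): catches 'invoice.pdf.exe'
    style double extensions as well as a plain '.pdf' name on a PE file.
    """
    if ".pdf" not in Path(path).name.lower():
        return False
    with open(path, "rb") as fh:
        return fh.read(len(PE_MAGIC)) == PE_MAGIC


def scan_directory(root, iocs=IOC_HASHES):
    """Walk `root` and return a list of (path, reason) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue  # skip broken symlinks, sockets, etc.
            try:
                digests = dict(zip(("md5", "sha1", "sha256"), hash_file(path)))
                lookalike = is_pdf_lookalike_pe(path)
            except OSError:
                continue  # unreadable file; a real deployment should log this
            for algo, digest in digests.items():
                if digest in iocs.get(algo, ()):
                    findings.append((path, f"ioc-match:{algo}:{digest}"))
                    break  # one hash hit is enough to report the file
            if lookalike:
                findings.append((path, "pdf-lookalike-pe"))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reason in scan_directory(root):
        print(f"{reason}\t{path}")
```

Run it as `python hunt_exela.py C:\Users` (or any download and temp directory) on a host you suspect. A hash hit is high confidence and should trigger isolation and credential rotation for the user; a `pdf-lookalike-pe` finding is only a lead, since legitimate installers occasionally carry "pdf" in their name, so review those files manually or submit them to your sandbox.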
Remediation
- Block all threat indicators at your respective security controls.
- Search for the indicators of compromise (IOCs) in your environment using your respective security controls.
- Maintain cyber hygiene by keeping anti-virus signatures current and operating a patch management lifecycle.
- Treat emails from unknown senders with caution.
- Never trust or open links and attachments received from unknown sources or senders; in particular, be wary of "PDF" attachments that are actually executables.
- Implement network monitoring and intrusion detection systems to detect anomalous network activity or unauthorized access.
- Restrict the execution of applications to only those that are explicitly allowed. This can help prevent the execution of unauthorized or malicious programs.
- Implement the principle of least privilege (PoLP) to restrict user and application permissions to only what is necessary for their tasks.
- Regularly back up critical data and systems. Ensure that backups are stored securely and can be restored in the event of a data breach.
- Develop and maintain an incident response plan that outlines the steps to take when a security incident is detected.
- Continuously educate employees and users about security best practices and the evolving threat landscape.
- Conduct regular penetration testing to identify vulnerabilities in your systems and networks, allowing you to proactively address potential weaknesses.