Stealit is a malware campaign, documented by Fortinet, that steals cryptocurrency wallet files. To deliver its payload it abuses the Node.js Single Executable Application (SEA) feature, which bundles a script together with the Node.js runtime into one executable. That is what lets the malware run on systems that have no Node.js runtime installed.
The campaign operates through three executables: save_data.exe, game_cache.exe, and a third that is not named here. Each plays a role in authentication, persistence, or theft on the infected host. The lures are installers for games and VPN software that look benign to the user.
Mechanism of Action
Stealit's staging depends on elevated privileges: save_data.exe is downloaded and executed only after the malware has obtained them. Its job is to authenticate with the command-and-control (C2) server, confirming that the infected host can reach the operator's infrastructure.
On the operator side, a subscriber to the Stealit service who completes this authentication can sign in to a personal dashboard and, from there, remotely monitor and deactivate infected systems. On the victim side, a second authentication step generates a unique 12-character alphanumeric key that identifies the infection; the key is saved to a cache.json file in the victim's %temp% folder.
“This new Stealit campaign leverages the experimental Node.js Single Executable Application (SEA) feature, which is still under active development, to conveniently distribute malicious scripts to systems without Node.js installed.” – Fortinet
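Because an SEA is an ordinary Node.js binary with a script blob injected into it, a file can be triaged for SEA markers without running it. The script below is an added example written for this article, not code from Fortinet or from the Stealit campaign. It scans raw bytes for the two markers named in the Node.js SEA guide: the resource name NODE_SEA_BLOB and the sentinel fuse string NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2. The stock node binary carries both literals too, so the example relies on an assumption about the fuse: that the bytes after the sentinel read ":0" in an unmodified node binary and ":1" once the blob has been injected. The sample buffers are constructed stand-ins, not real files, and the example does not parse the PE structure or extract the blob.

```python
"""Flag Windows executables built with the Node.js SEA feature.

Added triage example; not code from Fortinet or from the Stealit campaign.
It scans raw bytes for the two markers the Node.js SEA guide documents and
does not parse the PE structure.
"""
from pathlib import Path

# Resource name postject uses when injecting the SEA preparation blob.
# The stock node binary also carries this literal (it looks the resource up
# by name), so on its own it does not separate an SEA from node.exe.
SEA_BLOB_NAME = b"NODE_SEA_BLOB"

# Sentinel fuse string from the Node.js SEA guide. Assumption of this example:
# the bytes after the sentinel read ":0" in an unmodified node binary and
# ":1" once postject has injected a blob, so ":1" is the discriminating signal.
SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"

# Strings that suggest the bundled script is stored as plain text. They are
# absent when the script ships as a V8 snapshot or is heavily obfuscated.
JS_HINTS = (b"require(", b"child_process", b"process.env", b"writeFileSync")


def scan_sea(data: bytes) -> dict:
    """Return marker findings for one executable image held in memory."""
    findings = {
        "has_blob_name": SEA_BLOB_NAME in data,
        "fuse_present": SEA_FUSE in data,
        "fuse_flipped": SEA_FUSE + b":1" in data,
        "js_hints": sorted(h.decode() for h in JS_HINTS if h in data),
    }
    # A built SEA is a node binary with the fuse flipped; the blob name alone
    # is not enough (see the note above).
    findings["is_sea"] = findings["fuse_flipped"]
    return findings


def scan_file(path) -> dict:
    """Scan a file on disk; use on a suspected installer or dropped .exe."""
    return scan_sea(Path(path).read_bytes())


# Constructed byte buffers standing in for real binaries (not real samples).
PAD = b"\x00" * 64
SAMPLE_SEA = (b"MZ" + PAD + SEA_BLOB_NAME + PAD + SEA_FUSE + b":1" + PAD
              + b"const cp = require('child_process');")
SAMPLE_NODE = b"MZ" + PAD + SEA_BLOB_NAME + PAD + SEA_FUSE + b":0" + PAD
SAMPLE_OTHER = b"MZ" + PAD + b"ordinary program" + PAD

if __name__ == "__main__":
    for name, buf in (("sea", SAMPLE_SEA), ("node", SAMPLE_NODE),
                      ("other", SAMPLE_OTHER)):
        print(name, scan_sea(buf))
```

A hit on `is_sea` only says the file is a Node.js SEA, which is also what legitimate tools built this way look like; it narrows the pile of installers to inspect, it does not convict one. An empty `js_hints` list is expected when the script is packed into a snapshot, so treat that field as a bonus, not a filter.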
Persistence and Functionality
The second executable, game_cache.exe, handles persistence: it drops a Visual Basic script so that the malware is relaunched when the system reboots. Once running, it connects to the C2 server and can stream the victim's screen in real time, run arbitrary commands, download and upload files, and set the desktop wallpaper.
This range of capabilities is what makes Stealit dangerous: the operator keeps persistent, interactive access to the compromised system, and the persistence mechanism makes the malware harder for victims to notice and remove.
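The two on-disk artifacts this article names, the 12-character key in %temp%\cache.json and the Visual Basic script dropped for persistence, are what a responder can check quickly. The script below is an added example written for this article, not Fortinet's or Stealit's code. It assumes the key is stored as a string somewhere inside cache.json (the file's layout is not described, so every string value is checked, with a raw-text fallback for non-JSON content) and that the .vbs lives under a directory the analyst points it at, such as the user's Startup folder; the article does not say where the script is dropped. The sample layout it builds, including the key value and the script body, is constructed for demonstration.

```python
"""Host triage for the two on-disk artifacts described above.

Added example; not Fortinet's or Stealit's code. Assumptions: the 12-character
key is stored as a string somewhere inside cache.json (the file layout is not
described), and the persistence script is a .vbs somewhere under a directory
the analyst chooses, such as the user's Startup folder.
"""
import json
import re
import tempfile
from pathlib import Path

KEY_RE = re.compile(r"^[A-Za-z0-9]{12}$")
# Raw-text fallback: 12 alphanumerics not embedded in a longer token.
KEY_IN_TEXT_RE = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{12}(?![A-Za-z0-9])")


def _string_values(obj):
    """Yield every string value anywhere in a parsed JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _string_values(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _string_values(v)


def find_identifier_keys(cache_path) -> list:
    """Return 12-char alphanumeric tokens found in a cache.json, if it exists."""
    p = Path(cache_path)
    if not p.is_file():
        return []
    text = p.read_text(encoding="utf-8", errors="replace")
    try:
        candidates = list(_string_values(json.loads(text)))
    except ValueError:  # not valid JSON: fall back to scanning the raw text
        candidates = KEY_IN_TEXT_RE.findall(text)
    return [c for c in candidates if KEY_RE.fullmatch(c)]


def find_vbs_scripts(directory) -> list:
    """List .vbs files under directory with two launcher heuristics."""
    hits = []
    for path in sorted(Path(directory).rglob("*.vbs")):
        body = path.read_text(encoding="utf-8", errors="replace").lower()
        hits.append({
            "path": str(path),
            "runs_exe": ".exe" in body,
            "uses_wscript_shell": "wscript.shell" in body,
        })
    return hits


def triage(temp_dir, startup_dir) -> dict:
    """Combine both checks; pass the real %TEMP% and Startup paths on a host."""
    return {
        "identifier_keys": find_identifier_keys(Path(temp_dir) / "cache.json"),
        "vbs_scripts": find_vbs_scripts(startup_dir),
    }


def build_sample(root):
    """Create a constructed layout for demonstration (not real malware output)."""
    temp = Path(root) / "Temp"
    startup = Path(root) / "Startup"
    temp.mkdir(parents=True)
    startup.mkdir(parents=True)
    (temp / "cache.json").write_text(json.dumps({"key": "aB3dE5fG7hJ9", "ver": 1}))
    (startup / "update.vbs").write_text(
        'Set sh = CreateObject("WScript.Shell")\n'
        'sh.Run "game_cache.exe", 0\n'
    )
    return temp, startup


def demo() -> dict:
    """Run triage against the constructed layout in a throwaway directory."""
    with tempfile.TemporaryDirectory() as root:
        temp, startup = build_sample(root)
        return triage(temp, startup)


if __name__ == "__main__":
    print(demo())
```

A 12-character alphanumeric string is not rare, so a key match only means the file deserves a look alongside the other signals (the dropped executables, the .vbs, C2 traffic). On a live host, run `triage` against the user's actual %TEMP% and Startup paths rather than the constructed sample.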
Subscription Model and Pricing
Stealit is sold in subscription tiers to users who want its “professional data extraction solutions.” A one-week subscription to the Windows stealer costs $29.99, and a lifetime license costs $499.99. The pricing reflects a business-like approach to cybercrime, in which the developers monetize the tooling itself rather than only the data it steals.
“Both approaches are effective for distributing Node.js-based malware, as they allow execution without requiring a pre-installed Node.js runtime or additional dependencies.” – Eduardo Altares and Joie Salvio