https://www.darkreading.com/threat-intelligence/cybercriminals-team-up-upgrade-sapphirestealer-malware
Threat Intelligence | News | 3 min read

CYBERCRIMINALS TEAM UP TO UPGRADE 'SAPPHIRESTEALER' MALWARE

A hacker published a real gem of an infostealer to GitHub that requires zero coding knowledge to use. Then a community sprung up around it, polishing the code to a high shine and creating new, even more robust features.

Nate Nelson, Contributing Writer, Dark Reading
August 31, 2023

(Image source: Levon Avagyan via Alamy Stock Photo)

Cybercriminals are mining the capabilities of an open source infostealer called "SapphireStealer," developing a legion of variants that are helping to democratize the cybercrime landscape when it comes to carrying out data-theft attacks.

Ever since a Russian-language hacker named Roman Maslov first published it onto the public Web late last year, hackers have been adopting SapphireStealer, tinkering with it, and releasing new versions into public repositories. It has created a reinforcing feedback loop where the malware keeps getting stronger, and more attackers are being drawn to it, potentially leading to more dangerous consequences downstream.

"You've got a large group of threat actors that are interested in stealing credentials, access tokens, username, passwords," says Edmund Brumaghin, threat researcher for Cisco Talos, who on Aug. 31 published a blog post about SapphireStealer and its many contributors. "Then they're monetizing that data, which can lead to higher-impact types of attacks."

WHAT IS SAPPHIRESTEALER?

On Christmas Day, 2022, children across the world ran downstairs to open up presents from Santa. Partners opened gifts from their significant others. And on GitHub, cybercriminals were treated to a present of their own: "A simple stiller [sic] with sending logs to your EMAIL," courtesy of r3vengerx0 (Maslov).
The "stiller" (stealer) was written in .NET, and free for anyone to download. Simple but effective, it gave even non-technical hackers the ability to grab files in most popular formats — .pdf, .doc, .jpg, etc. — as well as screenshots, and credentials from Chromium browsers like Google Chrome, Microsoft Edge, and Yandex. It simply packaged this information into an email and sent it back to adversaries along with various information about the targeted machine: IP address, OS version, and so on. Finally, post-exfiltration, SapphireStealer deletes evidence of its activity and terminates.

This was all well and good but, like r3vengerx0's GitHub listing, there were kinks to work out.

"There was some superfluous code execution flow taking place — superfluous instructions that weren't exactly what you would expect from an efficient codebase. There were also some typographical errors in certain points in the code," Brumaghin explains.

That began to change, starting around mid-January.

HOW SAPPHIRESTEALER EVOLVED

Soon after the holidays, new variants of SapphireStealer started to emerge, which cleaned up (if not significantly refactored) the code, and improved on its core functionality.

Some variants, for example, extended the list of file formats SapphireStealer could draw from. Another variant replaced the email function with the Discord webhook API. Several others popped up with the ability to alert attackers to new infections by transmitting log data via a Telegram API.

Through the first half of 2023, SapphireStealer became more robust, multifaceted, and dangerous, but also more accessible.

"The barrier to entry for getting into information stealing continues to decrease with the introduction of open source stealers like SapphireStealer. You don't need to know how to code. You don't need to know operational security or anything like that," Brumaghin says.

As SapphireStealer grows and spreads, it could easily enable more serious attacks for larger enterprises.
"An organization might not treat an information stealer threat at the same level as another threat like, let's say, ransomware," Brumaghin explains. "But they're often a precursor to things like ransomware and espionage, because an adversary will obtain credentials with an information stealer and then monetize those by selling them to other threat actors that can then use that access to conduct post-compromise activities, working towards some of their longer-term mission objectives."

He concludes: "Organizations need to be aware of that relationship. These threats in a lot of ways are becoming more interlinked, as the cybercrime economy continues to mature and grow."
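As an added illustration (not code from the article or from Cisco Talos), the detection below scans constructed endpoint-agent log lines for data-bearing requests to the three exfiltration channels the article names (SMTP for the original email version, Discord webhooks and the Telegram bot API for the variants) coming from processes that would not normally use them. The log format, the process allowlist and the sample lines are assumptions made for the example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Endpoint shapes for the exfil channels the article names: Discord webhooks and
# the Telegram bot API (the variants) plus SMTP submission (the original email
# version). Patterns follow the public URL formats of those services.
DISCORD_WEBHOOK = re.compile(r"^https?://(?:discord|discordapp)\.com/api/webhooks/\d+/[\w-]+")
TELEGRAM_BOT = re.compile(r"^https?://api\.telegram\.org/bot\d+:[\w-]+/send(?:Message|Document)")
SMTP_PORTS = (":25", ":465", ":587")
# Processes expected to talk to these services (hypothetical allowlist, tune per
# fleet); any other process pushing data to them is the case worth an alert.
EXPECTED_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "thunderbird.exe"}
# Constructed endpoint-agent log format (not a real product's schema):
#   <timestamp> <host> <process> <GET|POST|SMTP> <url-or-host:port> <bytes_out>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|SMTP) (\S+) (\d+)$")

def classify(method: str, target: str) -> Optional[str]:
    """Name the exfil channel a request would use, or None if it is none of them."""
    if method == "SMTP" and target.endswith(SMTP_PORTS):
        return "smtp-submission"
    if method == "POST" and DISCORD_WEBHOOK.match(target):
        return "discord-webhook"
    if method == "POST" and TELEGRAM_BOT.match(target):
        return "telegram-bot-api"
    return None  # GETs and other destinations carry no stolen data out

def scan(lines: Iterable[str]) -> List[Tuple[str, str, str, int]]:
    """Return (host, process, channel, bytes_out) for data-bearing requests to a
    known exfil channel made by a process not expected to use it."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than mis-parse
        _ts, host, proc, method, target, size = m.groups()
        channel = classify(method, target)
        if channel and proc.lower() not in EXPECTED_PROCS:
            findings.append((host, proc, channel, int(size)))
    return findings

# Constructed sample: a benign and a suspicious use of each channel.
SAMPLE_LOG = [
    "2023-08-31T10:02:11Z WS-017 chrome.exe POST https://discord.com/api/webhooks/1122334455/abcDEF-token 1820",
    "2023-08-31T10:03:40Z WS-017 Update.exe POST https://discord.com/api/webhooks/1122334455/abcDEF-token 1049203",
    "2023-08-31T10:04:02Z WS-022 outlook.exe SMTP smtp.example.net:587 20481",
    "2023-08-31T10:04:30Z WS-022 sys_report.exe SMTP smtp.example.net:587 2150400",
    "2023-08-31T10:05:12Z WS-031 notepad.exe POST https://api.telegram.org/bot1234567890:AAexampleToken_x/sendDocument 88102",
    "2023-08-31T10:05:20Z WS-031 chrome.exe GET https://api.telegram.org/bot1234567890:AAexampleToken_x/getMe 300",
]
```

Running `scan(SAMPLE_LOG)` flags only the three non-browser, non-mail-client uploads; the large byte counts on those lines are the kind of signal that separates a stolen-file bundle from a chat message.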