A new malware-as-a-service (MaaS) information stealer named SantaStealer is being advertised on Telegram and hacker forums as operating in memory to avoid file-based detection.
According to security researchers at Rapid7, the operation is a rebranding of a project called BluelineStealer, and the developer is ramping up the operation ahead of a planned launch before the end of the year.
SantaStealer appears to be the project of a Russian-speaking developer and is promoted with two subscription tiers: Basic at $175/month and Premium at $300/month.
SantaStealer ad
Source: Rapid7
Rapid7 analyzed several SantaStealer samples and obtained access to the affiliate web panel, which revealed that the malware comes with multiple data-theft mechanisms but does not live up to the advertised capabilities for evading detection and analysis.
"The samples we have seen until now are far from undetectable, or in any way difficult to analyze," Rapid7 researchers say in a report today.
"While it is possible that the threat actor behind SantaStealer is still developing some of the mentioned anti-analysis or anti-AV techniques, having samples leaked before the malware is ready for production use - complete with symbol names and unencrypted strings - is a clumsy mistake likely thwarting much of the effort put into its development and hinting at poor operational security of the threat actor(s)," Rapid7 says.
The panel features a user-friendly design where 'customers' can configure their builds with specific targeting scopes, ranging from full-scale data theft to lean payloads that only go after specific data.
Builder configuration options on the panel