New SantaStealer malware steals data from browsers, crypto wallets

A new malware-as-a-service (MaaS) known as SantaStealer is making waves in the cybersecurity community, advertised on platforms like Telegram and hacker forums. This information stealer is designed to operate in memory, aiming to evade traditional file-based detection methods.

Security researchers at Rapid7 have identified SantaStealer as a rebranding of a previous project called BluelineStealer. The developer, believed to be Russian-speaking, is actively promoting the malware with subscription options priced at $175 per month for a Basic plan and $300 per month for a Premium plan. Despite these claims, Rapid7’s analysis suggests that SantaStealer does not yet live up to its advertised capabilities of evading detection and analysis.

Rapid7’s investigation into SantaStealer revealed several samples and access to the affiliate web panel, which highlighted the malware’s multiple data-theft mechanisms. However, the researchers noted that the samples were neither undetectable nor difficult to analyze.

The presence of symbol names and unencrypted strings in the leaked samples indicates a lack of operational security by the threat actors, potentially undermining their efforts. The web panel allows users to configure their builds with specific targeting scopes, ranging from comprehensive data theft to more focused payloads. SantaStealer employs 14 distinct data-collection modules, each running in its own thread, to gather information from browsers, Telegram, Discord, Steam, cryptocurrency wallets, and documents. The stolen data is archived into a ZIP file and exfiltrated in 10MB chunks to a hardcoded command-and-control (C2) endpoint via port 6767.
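The exfiltration pattern described above (a ZIP archive pushed in 10MB chunks to a hardcoded C2 endpoint on port 6767) is the kind of behaviour network telemetry can flag. The following detector is an added example, not code from Rapid7 or from the article; the port and chunk size come from the description above, while the flow-record format, the IP addresses (from the 203.0.113.0/24 documentation range), the 5% size tolerance and the three-chunk threshold are assumptions made for illustration.

```python
"""Flag source/destination pairs that repeatedly push ~10 MB transfers to TCP/6767.

Added example for illustration. The flow records below are constructed and the
port, chunk size and thresholds are assumptions taken from the summary above;
a hardcoded port is a weak indicator on its own and can change between builds.
"""
from collections import defaultdict
from dataclasses import dataclass

CHUNK_BYTES = 10 * 1024 * 1024  # reported exfiltration chunk size (10 MB)
C2_PORT = 6767                  # reported hardcoded C2 port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed 'src dst dport bytes_out' flow record."""
    src, dst, dport, bytes_out = line.split()
    return Flow(src, dst, int(dport), int(bytes_out))


def is_chunk_sized(n: int, chunk: int = CHUNK_BYTES, tolerance: float = 0.05) -> bool:
    """True when a transfer is within `tolerance` of the expected chunk size.

    The final chunk of an archive is usually a short remainder, so it is not
    expected to match; the repeated full-size chunks before it are the signal.
    """
    return abs(n - chunk) <= chunk * tolerance


def flag_chunked_exfil(flows, port: int = C2_PORT, min_chunks: int = 3):
    """Return {(src, dst): count} for pairs with >= min_chunks chunk-sized flows to `port`."""
    counts = defaultdict(int)
    for f in flows:
        if f.dport == port and is_chunk_sized(f.bytes_out):
            counts[(f.src, f.dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_chunks}


# Constructed sample telemetry: one host sends three full 10 MB chunks plus a
# 3 MB remainder to 6767; another host sends 10 MB over 443; a third sends a
# single chunk-sized flow to 6767 (below the threshold).
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.10 6767 10485760
10.0.0.5 203.0.113.10 6767 10485760
10.0.0.5 203.0.113.10 6767 10485760
10.0.0.5 203.0.113.10 6767 3145728
10.0.0.7 203.0.113.10 443 10485760
10.0.0.9 203.0.113.22 6767 10485760
"""


def run_example():
    """Run the detector over the constructed sample and return the flagged pairs."""
    flows = [parse_flow_line(l) for l in SAMPLE_FLOWS.splitlines() if l.strip()]
    return flag_chunked_exfil(flows)


if __name__ == "__main__":
    for (src, dst), n in run_example().items():
        print(f"possible chunked exfiltration: {src} -> {dst}:{C2_PORT} ({n} chunk-sized flows)")
```

Only the 10.0.0.5 to 203.0.113.10 pair is reported, because it is the only one with three or more chunk-sized transfers to the port; the short remainder flow is ignored by design, and a single matching flow is not enough to raise an alert.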

The technical capabilities of SantaStealer include bypassing Chrome’s App-Bound Encryption, a protection introduced in July 2024 that several active info-stealers have already circumvented. The malware also offers configuration options to exclude systems in the Commonwealth of Independent States (CIS) region and to delay execution to mislead victims.

Although SantaStealer is not yet fully operational or widely distributed, it could spread through several methods. Cybercriminals have recently favored ClickFix attacks, where users are deceived into executing harmful commands in their Windows terminal. Other common distribution methods include phishing, pirated software, torrent downloads, malvertising, and misleading YouTube comments.

To mitigate the risks associated with SantaStealer, Rapid7 advises users to exercise caution with unfamiliar email links and attachments. Rapid7 also warns against running unverified code from public repositories, particularly browser extensions. As the threat landscape continues to evolve, staying informed and vigilant is crucial for security professionals to protect their systems and data from emerging threats like SantaStealer.

To read the complete article see: Bleeping Computer.

This post is licensed under CC BY 4.0 by the author.