Akira Stealer Evades Detection

Akira, an information-stealing malware discovered in early 2023, has the capability to pilfer sensitive data like saved login details, payment card information, usernames, system identification, hardware specifics, installed software, and network configurations. After extracting this data, it uploads it to 'GoFile,' an online storage service, and Discord messaging accounts controlled by the threat actor. As reported exclusively to Cyber Security News, Akira Stealer employs a multi-tiered infection process for concealing its code and evading detection.

The threat actor also offers services through Telegram, a C2 server, and GitHub. Additionally, they assert that this malware is "Fully Undetectable" (FUD). Their Telegram channel, "Akira," currently boasts 358 subscribers. Furthermore, the threat actor provides a Malware-as-a-Service domain at "https[:]//akira[.]red/."

Akira Comes Inside a CMD Script

For analysis purposes, researchers obtained a sample file named "3989X_NORD_VPN_PREMIUM_HITS.txt.cmd." This file was a CMD script with hidden, obfuscated code. Notably, as claimed by the threat actor, this file goes unnoticed by VirusTotal. When executed, it drops a concealed .bat batch file into the current directory, which is also impervious to detection. This batch file contains an obfuscated PowerShell script that chains the batch file with a tmp.vbs file, which is then executed via the cscript.exe process.

Regarding information theft, the malware establishes a folder named after the compromised PC to store the pilfered data. Subsequently, it commences the theft of information from various web browsers, including Microsoft Edge, Google Chrome, Opera, Mozilla Firefox, and 14 other browsers. Moreover, the malware is proficient at targeting financial data, encompassing saved credit card details and login credentials, collecting bookmarks and wallet extension data, capturing screenshots, and more.
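As an added example that is not part of the original article, the following Python check walks process-creation records for the staged chain described above: a double-extension .txt.cmd lure started by cmd.exe, a PowerShell process with an encoded command that descends from cmd.exe, and cscript.exe running a .vbs out of a Temp directory. The events, their field names and the stage2.bat name are constructed for illustration, not taken from Akira telemetry.

```python
import re

# Constructed process-creation events (pid, ppid, image, cmdline), shaped like a
# Sysmon Event ID 1 or EDR feed. The lure name comes from the article; the rest
# of the chain (stage2.bat, the encoded command, the benign rows) is made up.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\u\\Downloads\\3989X_NORD_VPN_PREMIUM_HITS.txt.cmd"'},
    {"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c stage2.bat"},
    {"pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc QQBBAEEA"},
    {"pid": 500, "ppid": 400, "image": "C:\\Windows\\System32\\cscript.exe",
     "cmdline": "cscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\tmp.vbs"},
    # Benign rows: an admin script and a logon script launched straight from explorer.
    {"pid": 600, "ppid": 100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"},
    {"pid": 700, "ppid": 100, "image": "C:\\Windows\\System32\\cscript.exe",
     "cmdline": "cscript.exe C:\\Scripts\\logon.vbs"},
]

DOUBLE_EXT = re.compile(r"\.(?:txt|pdf|jpe?g|png|docx?|xlsx?)\.(?:cmd|bat)\b", re.I)
ENCODED_PS = re.compile(r"-(?:enc|encodedcommand)\b", re.I)
TEMP_VBS = re.compile(r"\\temp\\[^ ]+\.vbs", re.I)


def _name(ev):
    return ev["image"].rsplit("\\", 1)[-1].lower()


def _ancestors(ev, by_pid):
    """Image names of every ancestor we can reach by following ppid links."""
    chain, seen, ppid = [], set(), ev["ppid"]
    while ppid in by_pid and ppid not in seen:  # guard against pid reuse loops
        seen.add(ppid)
        chain.append(_name(by_pid[ppid]))
        ppid = by_pid[ppid]["ppid"]
    return chain


def detect(events):
    """Return (pid, reason) tuples for events matching one stage of the chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        name, cmd, anc = _name(ev), ev["cmdline"], _ancestors(ev, by_pid)
        if name == "cmd.exe" and DOUBLE_EXT.search(cmd):
            hits.append((ev["pid"], "double-extension script lure"))
        elif name == "powershell.exe" and ENCODED_PS.search(cmd) and "cmd.exe" in anc:
            hits.append((ev["pid"], "encoded PowerShell spawned under cmd.exe"))
        elif name in ("cscript.exe", "wscript.exe") and TEMP_VBS.search(cmd) \
                and "powershell.exe" in anc and "cmd.exe" in anc:
            hits.append((ev["pid"], "script host running Temp .vbs under cmd -> powershell"))
    return hits
```

Each stage is flagged on its own, so a partial chain (for example the lure alone) still surfaces, while the two benign rows produce no hits.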

How Can Malware Evade Detection?

Malware can employ various techniques to evade detection by security software and the scrutiny of cybersecurity experts. Some of these evasion tactics include:

  • Polymorphic Code: Malware can use polymorphic code to change its appearance each time it infects a new system. This makes it difficult for signature-based antivirus software to identify and block it because the malware's code is constantly changing.
  • Metamorphic Code: Similar to polymorphic code, metamorphic code completely rewrites itself with each infection, making it even more challenging to detect.
  • Rootkit Techniques: Malware can use rootkit techniques to hide its presence on a system. Rootkits manipulate the operating system to conceal the malware's files, processes, and registry entries.
  • Encryption and Encoding: Malware can encrypt or encode its code to make it unreadable to security software. It only decrypts or decodes its payload once it's safely inside the target system, making it hard to detect before execution.
  • Stealthy Loading: Malware may use techniques to load itself into memory without writing to disk, making it less likely to be detected by file-based security scans.
  • Dynamic Linking: Some malware uses dynamic linking, which means it only loads the necessary libraries when it's executed, reducing the number of suspicious files or functions that can be detected.
  • Anti-Analysis Techniques: Malware can detect when it's running in a sandbox or virtual environment and behave benignly in those situations, making it harder for researchers to analyze its behavior.
  • Code Obfuscation: Malware authors can intentionally obscure their code, making it challenging for security analysts to understand the malware's logic and functionality.
  • Fileless Malware: Some malware operates entirely in memory and doesn't leave a trace on the file system, which can evade signature-based detection methods.
October 26, 2023
