Saintstealer Malware

Security researchers recently detailed a new malicious payload. The malware in question is an infostealer with rich functionality that was codenamed Saintstealer.

Saintstealer can scrape and exfiltrate both system information and assorted credential data. Distributed under the filename "saintgang.exe", Saintstealer is compiled as a 32-bit executable that uses the .NET framework. As can be expected, the malware has built-in anti-virtualization measures so that it can avoid honeypots and researcher testbeds.

The infostealer goes beyond what most similar malware can do. Saintstealer can grab form autofill data from Chrome and Edge, and steal cookies and passwords. It can also intercept Discord multi-factor authentication tokens and steal information from installed instances of Telegram and a number of popular VPN applications. The malware can also collect plain text and MS Word documents.

Once data collection is complete, Saintstealer compresses everything into a single password-protected archive and sends it to the malware operators. In addition, the metadata recorded during the collection and exfiltration process is passed to the malware's command and control server.

The IP address that Saintstealer uses as its server infrastructure is the same one used by older infostealer threats such as EchelonStealer and QuasarRAT.

Saintstealer is sold as a subscription service, for $100 per month. A one-time purchase lifetime "license" to the malicious tool is also offered on hacker forums for the sum of $900.

Infostealers may seem like relatively low-threat malware, but depending on the nature of the information stolen, they can cause significant damage to organizations, commercial entities and home users alike.

May 11, 2022