SapphireStealer Sold for $50 Per Month on the Dark Web

SapphireStealer, an open-source information stealer written in .NET, is being picked up by multiple groups that extend its functionality and build customized variants for their own purposes.

According to a report from Cisco Talos researcher Edmund Brumaghin, information-stealing malware like SapphireStealer is capable of acquiring sensitive data, such as corporate credentials. This stolen information is often sold to other malicious actors who then exploit it for additional cyberattacks, including activities related to espionage, ransomware, or extortion.

SapphireStealer Used as Stepping Stone for Ransomware Attacks

Over time, a comprehensive ecosystem has emerged that allows both financially motivated cybercriminals and nation-state actors to leverage the services provided by malware creators to execute a wide range of cyberattacks. Consequently, such malware not only signifies an evolution of the cybercrime-as-a-service (CaaS) model but also provides opportunities for other threat actors to profit from the stolen data through ransomware distribution, data theft, and other malicious cyber operations.

SapphireStealer closely resembles other information-stealing malware that has become increasingly prevalent on the dark web. It collects host information, browser data, files, and screenshots, and exfiltrates this data as a ZIP archive over the Simple Mail Transfer Protocol (SMTP).

However, the free release of its source code in late December 2022 has allowed malicious actors to experiment with the malware, making it harder to detect. This includes the addition of more flexible data exfiltration methods using Discord webhooks or the Telegram Bot API.
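The exfiltration channels named above (SMTP aside) share a useful property for defenders: Discord webhooks and the Telegram Bot API live on a small set of well-known hosts and paths, so outbound HTTP logs can be screened for them. The following script is an added example, not code from the article or from Cisco Talos: it scans constructed egress-log lines in a hypothetical `<timestamp> <client> <process> <method> <url> <bytes_out>` format, flags posts to Discord webhook or Telegram Bot API endpoints from processes not on an allowlist, and redacts the embedded tokens before reporting. The log format, host names, process names and the allowlist mechanism are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in a hypothetical egress-log format (assumption):
# "<timestamp> <client> <process> <method> <url> <bytes_out>"
SAMPLE_EGRESS_LOG = """\
2023-09-04T10:01:12Z ws-17 chrome.exe GET https://www.example.com/index.html 512
2023-09-04T10:02:40Z ws-17 Discord.exe POST https://discord.com/api/v9/channels/1/messages 2048
2023-09-04T10:03:05Z ws-22 svchost.exe POST https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN 91234
2023-09-04T10:03:09Z ws-22 svchost.exe POST https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument 88012
2023-09-04T10:05:00Z ws-08 outlook.exe POST https://outlook.office365.com/api 4096
"""

# Discord webhook URLs have the shape /api/webhooks/<id>/<token>;
# Telegram Bot API calls have the shape /bot<token>/<method>.
DISCORD_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}
DISCORD_WEBHOOK = re.compile(r"^/api/webhooks/(\d+)/([A-Za-z0-9_\-]+)$")
TELEGRAM_BOT_API = re.compile(r"^/bot([^/]+)/(sendDocument|sendMessage|sendPhoto)$")


def redact(secret: str) -> str:
    """Keep a short prefix so analysts can correlate hits without logging the full token."""
    return secret[:4] + "..." if len(secret) > 4 else "***"


def classify(url: str):
    """Return (channel, detail, secret) if the URL is a known exfil endpoint, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in DISCORD_HOSTS:
        m = DISCORD_WEBHOOK.match(parts.path)
        if m:
            return ("discord_webhook", f"webhook_id={m.group(1)}", m.group(2))
    if host == "api.telegram.org":
        m = TELEGRAM_BOT_API.match(parts.path)
        if m:
            return ("telegram_bot_api", f"method={m.group(2)}", m.group(1))
    return None


def find_exfil_candidates(log_text: str, allowed_processes=frozenset()):
    """Flag POSTs to webhook / bot endpoints from processes not expected to use them."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than crash the scan
        ts, client, process, method, url, bytes_out = fields
        if method != "POST" or process.lower() in {p.lower() for p in allowed_processes}:
            continue
        verdict = classify(url)
        if verdict is None:
            continue
        channel, detail, secret = verdict
        hits.append({
            "timestamp": ts,
            "client": client,
            "process": process,
            "channel": channel,
            "detail": detail,
            "token": redact(secret),
            "bytes_out": int(bytes_out),
        })
    return hits


if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_EGRESS_LOG):
        print(hit)
```

Both channels are legitimately used by automation in many environments, so the allowlist (or a per-bot / per-webhook inventory) is what separates a known integration from an unexpected process pushing large uploads; the `bytes_out` field is kept in each hit for that triage step.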

According to Brumaghin, multiple variants of this threat are already circulating in the wild, and threat actors continue to refine its efficiency and effectiveness over time.

The malware author has also published a .NET malware downloader called FUD-Loader, which retrieves additional binary payloads from attacker-controlled distribution servers.

Talos reported detecting the use of this malware downloader in real-world incidents to deliver remote administration tools like DCRat, njRAT, DarkComet, and Agent Tesla.

This disclosure comes shortly after Zscaler shared information about another information-stealing malware named Agniane Stealer. This malware has the capability to steal credentials, system information, browser session details, data from Telegram and Discord, and files transferred via various tools. It can also target data associated with over 70 cryptocurrency extensions and 10 wallets. Agniane Stealer is available for purchase for $50 per month on various dark web forums and a Telegram channel.

September 4, 2023