Cybercriminals Released Mini Stealer's Builder & Panel for Free on a Cybercrime Forum

A threat actor has recently released MiniStealer’s builder and panel for free on a cybercrime forum. Cyble Research and Intelligence Labs (CRIL) security analysts discovered this exploit during a routine threat hunting exercise carried out recently.

Threat actors can easily create malicious payloads using such builders, which can make them easy for them to generate. There is a lot of stuff that MiniStealer targets, but it mostly targets FTP applications and browsers that are based on Chromium.

Threat actors claim that their stealer can target different OS, including the following:- 

  • Windows 7
  • Windows 10
  • Windows 11
EHA

The same threat actor made a post sometime after the release of MiniStealer, where he sold the builder and panel for Parrot Stealer for the price of USD 50.

As stated in the report by the threat actor, this stealer is a modified version of MiniStealer. It is possible that the threat actor had added functionality in Parrot stealer that wasn’t present in MiniStealer.

Technical Analysis

The threat actor has leaked two folders from the zip file it has leaked. Here is a list of the files that are contained inside these folders:-

  • Builder: MiniStealerBuilder.exe, Stub
  • Panel: Web Panel Source code

Threat actor released a binary builder that was based on the .NET framework. In order to make the payload more powerful, it has the ability to include the details of C&C in it. 

The actual payload for the builder is located in a file called “stub” that is actually placed in the builder’s build folder. The C&C details are then written to the payload once this is completed so that the final payload can be created.

Test Reports are sent to the C&C server when the Test Button is clicked, in order to determine if the connection can be established with the server. There are three strings that are present in these logs:-

  • TestUser
  • TestPass
  • TestHost

The Mini Stealer application is a 64-bit .NET binary that incorporates Timestomping. Timestomping refers to the process of altering the timestamps of files.

In order to deflect unnecessary attention from forensic investigations, adversaries employ this technique when delivering their payloads.

Recommendations

Here below we have mentioned all the recommendations:-

  • The use of warez and torrent websites is not recommended as a source for downloading pirated software.
  • Ensure that your passwords are strong at all times.
  • Whenever possible, ensure that multi-factor authentication is enforced.   
  • Activate the auto-update feature that automatically updates your device or system software.
  • Make sure you use an anti-virus program that is reputed.
  • Whenever you receive an email that contains an attachment or a link that you are unsure of, do not open it.
  • Employers should be educated on how to protect themselves against malicious activity such as phishing or untrusted URLs, such as spam emails.  
  • In order to prevent malicious URLs from being used to spread malware, you should block them.
  • It is important to keep an eye on the beacons at the network level to identify malware and threat actors that may try to steal data from them.

Secure Azure AD Conditional Access – Download Free White Paper

Posted by Charlie