Open-source data stealers are rapidly gaining popularity due to their versatility, giving threat actors useful reconnaissance tools for malicious objectives.
Open-source data stealers can be stealthy if designed and configured effectively, making them difficult to detect.
It can be difficult for security systems to detect their harmful actions since they frequently operate quietly, rely on legitimate operations, and mix in with regular network traffic.
Cybersecurity researchers at Cyble Research and Intelligence Labs (CRIL) discovered the archive ‘Exela-V2.0-main.rar’ on September 14th, revealing a new stealer named ‘Exela’.
The source code was traced to a GitHub repository dated August 17th, 2023; researcher Yogesh Londhe was the first to notice it.
Exela Stealer Attacking Discord Users
Exela Stealer is a Python utility that secretly collects private information and exfiltrates it through Discord webhook URLs, which prompted a closer analysis of how it works and what it affects.
The builder runs on Python 3.10.0 or 3.11.0 and generates the stealer according to the threat actor’s preferences.
The builder offers the following features:-
- Discord Injection
- Fake Error Message
The stealer checks for an existing mutex named ‘Exela | Stealer | on | Top.’ If found, it stops and prints ‘mutex already exists.’ Otherwise, it proceeds with data theft, using a fake error message as a diversion.
The stealer checks for debugging or virtualization by gathering the system UUID and computer name and comparing them against a hardcoded list, terminating if there is a match.
Apart from this, the stealer employs a range of methods to:-
- Detect virtual environments
- Examine files
- Examine strings
- Examine processes
- Check for loaded modules linked to virtualization platforms
Anti VM Functions
The Anti VM functions used by the stealer are listed below:-
Exela Stealer achieves persistence by copying itself to ‘C:\appdata\local\ExelaUpdateService’ as ‘Exela.exe’ and setting the hidden and system file attributes on the copy.
After copying itself, the stealer creates a startup entry using the method selected by the threat actor: the Windows Registry (regedit) or Task Scheduler (schtasks).
The stealer modifies Discord client files to enable unauthorized access and data collection: it replaces the client code with a custom injection fetched from a GitHub repository, which sends the collected data to the attacker’s webhook URL.
Moreover, it targets the following types of web browsers:-
- Chromium-based browsers
- Firefox Browser
The stealer saves the harvested data in a unique folder, assembles a detailed report message with custom elements, sends it via Discord webhook, and then deletes the ZIP file and temporary directory.
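As an added example (not Cyble's analysis code and not anything from the Exela repository), the following Python scans constructed endpoint telemetry for the artefacts described above: the mutex name, the hidden/system ‘Exela.exe’ copy under ‘ExelaUpdateService’, a schtasks or reg persistence entry, and Discord webhook traffic from an unexpected process. The event dictionary schema and the sample events are assumptions made for the example.

```python
import re

# Indicators quoted in the article above.
EXELA_MUTEX = "Exela | Stealer | on | Top"
EXELA_DROP = re.compile(r"\\appdata\\local\\exelaupdateservice\\exela\.exe$", re.I)
DISCORD_WEBHOOK = re.compile(r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/", re.I)
PERSISTENCE_TOOLS = {"schtasks.exe", "reg.exe"}   # Task Scheduler / Registry startup entry

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the findings for one telemetry event (a dict; the schema is assumed)."""
    findings = []
    kind = ev.get("type")
    if kind == "mutex" and ev.get("name") == EXELA_MUTEX:
        findings.append(f"Exela mutex created by pid {ev.get('pid')}")
    elif kind == "file" and EXELA_DROP.search(ev.get("path", "")):
        # The dropped copy carries both the hidden and system attributes.
        if {"hidden", "system"} <= set(ev.get("attributes", [])):
            findings.append("hidden+system Exela.exe dropped under ExelaUpdateService")
    elif kind == "process":
        if basename(ev.get("image", "")) in PERSISTENCE_TOOLS and \
                "exelaupdateservice" in ev.get("cmdline", "").lower():
            findings.append("startup entry pointing at ExelaUpdateService")
    elif kind == "network" and DISCORD_WEBHOOK.search(ev.get("url", "")):
        image = basename(ev.get("image", ""))
        if image != "discord.exe":   # webhook traffic from a process other than the client
            findings.append(f"Discord webhook call from {image}")
    return findings

def scan(events):
    return [f for ev in events for f in check_event(ev)]

# Constructed sample telemetry (not real logs), modelled on the behaviour described above.
SAMPLE_EVENTS = [
    {"type": "mutex", "pid": 4120, "name": "Exela | Stealer | on | Top"},
    {"type": "file", "path": r"C:\Users\bob\appdata\local\ExelaUpdateService\Exela.exe",
     "attributes": ["hidden", "system"]},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn ExelaUpdateService /sc onlogon "
                r"/tr C:\Users\bob\appdata\local\ExelaUpdateService\Exela.exe"},
    {"type": "network", "image": r"C:\Users\bob\appdata\local\ExelaUpdateService\Exela.exe",
     "url": "https://discord.com/api/webhooks/000000/placeholder-token"},
    {"type": "network", "image": r"C:\Users\bob\AppData\Local\Discord\app\Discord.exe",
     "url": "https://discord.com/api/v9/users/@me"},
]
```

Because the Discord injection runs inside the client itself, webhook calls made by Discord.exe are not flagged by the network check; it covers the stealer's own exfiltration path, while the modified client files need to be caught by the file-integrity side.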
The recommendations are listed below:-
- Always download software from reputable sources to avoid risk.
- Continuously monitor network communication to detect and block data exfiltration.
- Always use a robust security system and AV tool.
- Keep your system and installed software updated with the latest updates and security patches.