A new strain of information-stealing malware, dubbed FleshStealer, has emerged as a significant threat to internet users worldwide.
This advanced infostealer targets Chromium and Mozilla-based web browsers, exploiting their vulnerabilities to steal sensitive data, including credentials, cryptocurrency wallet information, and two-factor authentication (2FA) codes.
First detected in September 2024, FleshStealer is written in C# and operates through a web-based control panel.
.webp)
It employs sophisticated evasion techniques, such as encryption and virtualization detection, to avoid detection by traditional security tools.
The malware is lightweight, ranging between 150 to 300 kilobytes, enabling it to operate stealthily on infected systems.
FleshStealer focuses on extracting data from over 70 browser-based cryptocurrency extensions and 2FA plugins.
It also harvests Discord tokens and resets Google cookies, allowing attackers to maintain persistent access to user accounts.
Cybersecurity experts at FlashPoint noted that by targeting browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, and Opera, it prioritizes high-value data such as login credentials, session tokens, and browsing history.
.webp)
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar
Tactics, Techniques, and Procedures (TTPs)
FleshStealer employs several advanced tactics to achieve its objectives:-
- Privilege Escalation (T1547): The malware exploits trusted Windows utilities to bypass User Account Control (UAC) and gain administrative privileges. This involves modifying registry keys to execute malicious scripts under elevated permissions.
- Defense Evasion (T1027 & T1497): FleshStealer uses obfuscated strings and registry operations to mask its activities. It also detects virtualized environments or debugging tools, halting its operations if such conditions are identified.
- Process Discovery (T1057): The malware identifies active browser processes that store sensitive user data. This targeted approach ensures efficient data collection while minimizing resource usage.
- Data Collection and Exfiltration (T1560 & T1567): FleshStealer scans for high-value files like authentication caches and compresses them into encrypted archives for exfiltration via secure web services. This reduces its network footprint and avoids triggering security alerts.
The consequences of a FleshStealer infection can be severe. By stealing credentials and bypassing 2FA protections, the malware enables attackers to gain unauthorized access to email accounts, financial platforms, and cryptocurrency wallets.
.webp)
The restoration of deleted Google cookies further allows attackers to monitor user activity or hijack sessions.
Additionally, the theft of Discord tokens compromises private communications and opens avenues for further attacks on the victim’s contacts.
To defend against FleshStealer, it is essential to use updated security tools, such as reputable antivirus software capable of detecting advanced threats.
Enabling app-bound encryption, like the features introduced in Chrome 127, can restrict data access to the originating application.
Avoiding suspicious downloads and refraining from clicking links from untrusted sources also helps reduce risk.
Keeping operating systems and browsers updated with the latest security patches is crucial, along with monitoring network activity to detect unusual connections to command-and-control servers.
Collect Threat Intelligence with TI Lookup to improve your company’s security - Get 50 Free Request
