
Hackers Advertising GlorySprout Stealer On Popular Hacking Forums

Hackers use stealers to gather sensitive information, for example, login credentials, financial data, or personal details from victims’ devices.

These stolen credentials can be employed in countless nefarious acts such as identity theft, financial fraud, or account hacking.

RussianPanda recently discovered that hackers are actively advertising GlorySprout Stealer on popular hacking forums.

In March 2024, a user going by the name GlorySprout appeared on the XSS forum with a new stealer, presumably created by a vegetarian seller.

It is priced at $300 and comes with a twenty-day crypting service. The C++ stealer includes a loader, Anti-CIS execution checks, and a non-working Grabber module.

No keylogging or anti-VM capabilities have been observed. It supports log backup and banning specific countries and IPs.

An anonymous informant mentioned that they had shared relevant files related to the GlorySprout clone of Taurus Stealer, which makes it an interesting case for analysis.

GlorySprout panel (Source – RussianPanda)

GlorySprout employs API hashing to dynamically resolve APIs from libraries like shell32.dll, user32.dll, and others, using operations like multiplication, addition, XOR, and shifting. 

It obfuscates strings via XOR and arithmetic substitution. Persistence is achieved through a scheduled task named “\WindowsDefender\Updater” that runs the dropped payload from %TEMP%. 

If the loader module is used, an 8-character payload name is generated from a predefined character string by a function that is also used to generate filenames for C2 communication and the RC4 key for zipping collected data.

However, this function does not always produce truly random strings. The C2 address is retrieved from the resource section of the decrypted payload.

RussianPanda said GlorySprout communicates with the C2 server through port 80 by sending a POST request “/cfg/data=” with a hardcoded user-agent string.

The BotID is RC4-encrypted with a key produced by an invariable function (0xC40DF552). Hence, despite claims of randomization, the same value, “IDaJhCHdIlfHcldJ”, is used for the first check-ins.

After receiving its configuration, the infected machine packs the gathered data into ZIP archives and sends them via POST “/log/”, receives a 200 OK response, and finally terminates communication by sending POST “/loader/complete/?data=1”.

The RC4 key to encrypt the ZIP consists of the first 10 bytes from the encrypted BotID string.
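As an added example that is not part of RussianPanda's analysis or this article, the following Python detector walks a constructed web-proxy log and flags sources whose POST traffic on port 80 follows the check-in sequence described above (/cfg/data=, /log/, /loader/complete/?data=1). The log format, host names, IP addresses and timestamps are assumptions made for the sample.

```python
import re
from collections import defaultdict

# GlorySprout C2 sequence as described in the analysis (HTTP POST over port 80):
#   1. initial check-in   POST /cfg/data=<RC4-encrypted BotID>
#   2. log upload         POST /log/            (ZIP of collected data, 200 OK)
#   3. session close      POST /loader/complete/?data=1
STAGES = (
    ("checkin", re.compile(r"^/cfg/data=")),
    ("log_upload", re.compile(r"^/log/")),
    ("complete", re.compile(r"^/loader/complete/\?data=1$")),
)

# Constructed proxy-log format (assumed, not any real product's format):
# <ts> <src_ip> <method> <dst_host>:<dst_port> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>[^:\s]+):(?P<port>\d+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)

def find_glorysprout_sessions(lines):
    """Return {(src_ip, dst_host): [stages seen, in order]} for sources whose
    traffic matches the GlorySprout check-in pattern. Only POST requests on
    port 80 are considered, matching the reported sample."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST" or m["port"] != "80":
            continue
        for name, pattern in STAGES:
            if pattern.match(m["path"]):
                key = (m["src"], m["host"])
                if name not in seen[key]:
                    seen[key].append(name)
                break
    # A lone /cfg/data= POST is already worth an alert because the first
    # check-in value is static; a full chain is the strongest signal.
    return {k: v for k, v in seen.items() if v[0] == "checkin"}

# Constructed sample traffic: one infected host (10.0.0.5), one benign host.
SAMPLE_LOG = """
2024-03-15T10:00:01Z 10.0.0.5 POST c2.example.invalid:80 /cfg/data=IDaJhCHdIlfHcldJ 200
2024-03-15T10:00:02Z 10.0.0.5 POST c2.example.invalid:80 /log/ 200
2024-03-15T10:00:03Z 10.0.0.5 POST c2.example.invalid:80 /loader/complete/?data=1 200
2024-03-15T10:00:04Z 10.0.0.9 GET www.example.invalid:80 /log/ 200
2024-03-15T10:00:05Z 10.0.0.9 POST api.example.invalid:443 /cfg/data=x 200
""".strip().splitlines()

if __name__ == "__main__":
    for (src, host), stages in find_glorysprout_sessions(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {' -> '.join(stages)}")
```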

The analysis concludes that GlorySprout is a modified version of Taurus Stealer.

Outpost24, for example, analyzed a Taurus Stealer sample that shows some notable differences from the current GlorySprout.

As observed by Outpost24, GlorySprout cannot download additional DLL dependencies from C2 servers and, unlike Taurus Stealer, lacks anti-VM capabilities.

Given these missing features compared to other stealers currently on sale, GlorySprout is unlikely to become popular among potential buyers.


Tushar Subhra Dutta
