A sophisticated new variant of information-stealing malware has been identified in the wild, representing an evolution of the previously documented Sharp Stealer.
The Hannibal Stealer, as researchers have dubbed it, demonstrates advanced evasion capabilities and comprehensive data theft functionality, presenting a significant threat to organizations and individuals alike.
This modular .NET-based malware is designed to harvest sensitive information, including credentials, cryptocurrency wallets, and personal data, while employing multiple layers of obfuscation to avoid detection by security solutions.
Initial analysis reveals that Hannibal Stealer targets a wide range of applications, with specific modules designed to extract credentials from popular browsers, cryptocurrency wallets, and applications such as Steam, Discord, and FileZilla.
The malware maintains active command and control capabilities through Telegram, allowing threat actors to monitor infections and exfiltrate stolen data efficiently.
Technical signatures indicate the malware authors have invested considerable effort in developing evasion techniques that can bypass both signature-based and behavioral detection systems.
The malware’s infection chain begins with an initial payload that employs sophisticated obfuscation, making static analysis challenging.
Once executed, it performs environment checks including geofencing to ensure it doesn’t run in certain regions, particularly former Soviet Union countries – a common tactic among cybercriminal groups to avoid scrutiny from local authorities.
Shubho57, an early-stage malware analyst and threat researcher, noted that the stealer contains its own decryptor, which significantly enhances its ability to operate stealthily.
“This particular sample has got a Decryptor of itself present inside the stealer,” the researcher documented in a detailed analysis published just 21 hours ago.
This self-contained functionality reduces the need for additional components that might trigger security alerts.
The malware’s campaign appears to be actively evolving, with samples demonstrating careful attention to impersonating legitimate processes and system components.
Victims may remain unaware of the infection while the stealer silently harvests sensitive data from various applications installed on the compromised system.
Advanced Obfuscation Techniques
Hannibal Stealer employs multiple layers of obfuscation and anti-analysis features that merit closer examination. A primary technique involves browser impersonation, where the malware disguises itself as legitimate browser components.
The malware uses file metadata that closely resembles legitimate CefSharp browser modules, including the company name “LLC ‘Windows’” and the product name “CefSharp” with version “1.0.1.2”.
The malware leverages several system DLLs for its operations, including bcrypt.dll for cryptographic functions, iphlpapi.dll for network-related activities, and kernel32.dll for core system functions.
This strategic use of legitimate Windows components helps the malware blend with normal system operations.
One particular code segment reveals how the malware uses the Windows Cryptography API (CNG, via bcrypt.dll) for AES-GCM decryption:

    // Decompiled fragment: AES-GCM decryption through the BCrypt (CNG) API.
    public byte[] Decrypt(byte[] key, byte[] iv, byte[] aad, byte[] cipherText, byte[] authTag)
    {
        // Open the AES provider and select GCM chaining mode.
        IntPtr intPtr = this.OpenAlgorithmProvider(BCrypt.BCRYPT_AES_ALGORITHM,
            BCrypt.MS_PRIMITIVE_PROVIDER, BCrypt.BCRYPT_CHAIN_MODE_GCM);
        // Import the raw key material into a BCrypt key handle.
        IntPtr hKey;
        IntPtr hglobal = this.ImportKey(intPtr, key, out hKey);
        // ... decryption operations ...
    }
The malware also implements geofencing checks to avoid execution in certain countries, providing another layer of protection against analysis by researchers in those regions.
Additionally, it contains clipboard hijacking functionality that monitors for cryptocurrency wallet addresses and silently replaces them with attacker-controlled addresses, a technique that enables financial theft without any further user interaction.
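One way a defender can catch the clipboard swap described above is to watch clipboard history for a wallet address being replaced by a different address of the same type almost immediately. The following is an added example, not code from the article or from the malware; the address patterns, the two-second window and the clipboard events are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Conservative address-shape patterns for two commonly targeted wallet types (constructed).
WALLET_PATTERNS = {
    "BTC": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

@dataclass
class ClipEvent:
    ts: float   # seconds since monitoring started
    text: str   # clipboard contents at that moment

def wallet_type(text: str) -> Optional[str]:
    """Return the wallet type whose pattern matches, or None for non-address text."""
    t = text.strip()
    for name, pat in WALLET_PATTERNS.items():
        if pat.match(t):
            return name
    return None

def detect_swaps(events: List[ClipEvent], window: float = 2.0) -> List[Dict]:
    """Flag a wallet address replaced by a *different* address of the same type
    within `window` seconds. A user rarely re-copies another wallet that fast,
    whereas a clipboard hijacker rewrites the clipboard almost at once."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind = wallet_type(prev.text)
        if kind is None or wallet_type(cur.text) != kind:
            continue
        if prev.text.strip() != cur.text.strip() and cur.ts - prev.ts <= window:
            alerts.append({"type": kind,
                           "original": prev.text.strip(),
                           "replacement": cur.text.strip(),
                           "delay": round(cur.ts - prev.ts, 2)})
    return alerts

# Constructed clipboard history; the addresses are made-up placeholders.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "meeting notes"),
    ClipEvent(5.0, "0x1111111111111111111111111111111111111111"),   # user copies a wallet
    ClipEvent(5.3, "0x2222222222222222222222222222222222222222"),   # swapped 300 ms later
    ClipEvent(60.0, "bc1qexampleplaceholderaddress000000000000"),
    ClipEvent(120.0, "bc1qanotherplaceholderaddress00000000000"),   # slow, user-driven change
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"ALERT {a['type']}: {a['original']} -> {a['replacement']} after {a['delay']}s")
```

In production the events would come from a clipboard-monitoring agent rather than a static list, and an alert should correlate the swap with the process that last wrote to the clipboard.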