Samstealer Attacking Windows Systems To Steal Sensitive Data

Hackers mainly aim at Windows systems as they are widely adopted and dominate the market, consequently, threat actors will achieve maximum financial gain or theft of data from them compared to other operating systems.

In addition, the presence of numerous entry points due to the complexity of the Windows operating system and the diversity of applications running on it creates various vulnerabilities that can be adopted for explorations. 

Also, the presence of hacking tools and malware that exclusively affect only Windows-based machines is a contributing factor to their popularity among threat actors.

Cybersecurity researchers at CYFIRMA recently detected that Samstealer had been actively attacking Windows systems to steal sensitive data.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Samstealer Attacking Windows Systems

A new .NET malware named “SamsStealer” spreads through Telegram with the aim of stealing sensitive files on Windows. 

It creates a temp folder and then proceeds to steal passwords, cookies, and other information from different browsers such as Chrome, Edge, and cryptocurrency wallets. 

It also focuses on stealing account details about Telegram, Discord, etc., including tokens or wallet content. Cyfirma said the stolen data is saved in a temporary folder and converted into exfiltration files.

Detailed knowledge would enable users to detect evolving info stealer threats by determining its ability for data theft on numerous applications.

Here below we have mentioned cryptocurrency wallets that are targeted:-

• Bitcoin: Located in ‘%appdata%\Bitcoin\wallets’
• Zcash: Located in ‘%appdata%\Zcash’
• Armory: Located in ‘%appdata%\Armory’
• Bytecoin: Located in ‘%appdata%\Bytecoin’
• Jaxx: Located in ‘%appdata%\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb’
• Exodus: Located in ‘%appdata%\Exodus\exodus.wallet’
• Ethereum: Located in ‘%appdata%\Ethereum\keystore’
• Electrum: Located in ‘%appdata%\Electrum\wallets’
• AtomicWallet: Located in ‘%appdata%\atomic\Local Storage\leveldb’
• Guarda: Located in ‘%appdata%\Guarda\Local Storage\leveldb’
• Coinomi: Located in ‘%localappdata%\Coinomi\Coinomi\wallets’

As soon as the data is stolen, SamsStealer empties temporary files, packs all that is stolen into “Backup.zip,” and erases the parent directory.

Then it uploads Backup.zip to gofile.io and shares the download link via Telegram with a message reading “New goat Detected, Join Now: @SamsExploit.” 

This silent malware effectively steals a variety of sensitive data across browsers, applications, and crypto wallets on Windows devices targeted by users.

Knowing these emerging threats is important in structuring defensive strategies to prevent possible intrusions that may lead to compromising privacy and data breaches.

Recommendations

Here below we have mentioned all the recommendations:-

• Deploy advanced endpoint security with threat detection and prevention.
• Use robust antivirus/anti-malware to detect and remove malicious payloads.
• Regularly update systems, apps, and security software.
• Implement network segmentation to limit lateral movement.
• Train employees on identifying phishing and social engineering tactics.
• Configure firewalls to block malicious IPs and C2 communications.
• Monitor for suspicious processes, network activity, and data exfiltration.
• Enforce application whitelisting to prevent unauthorized executables.
• Have an incident response plan for malware infections.
• Stay updated on the latest threats and indicators of compromise (IOCs).
• Maintain regular backups to minimize ransomware/data loss impact.
• Follow least privilege principles to restrict user permissions.
• Build defenses based on threat intel and provide rules/IOCs.

IOCs

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers