Hackers modify open-source ‘SapphireStealer’ malware, leading to multiple variants

Hackers are modifying the open-source code of a popular malware strain, adding tools and functions that make it easier to steal data.

Researchers at Cisco Talos said they have been tracking a number of variants of the SapphireStealer malware being used by multiple threat actors. The attacks typically steal sensitive information, including corporate credentials, which is then resold to other threat actors “who leverage the access for additional attacks, including operations related to espionage or ransomware/extortion.”

Cisco Talos threat researcher Edmund Brumaghin told Recorded Future News that SapphireStealer has been observed across public malware repositories with increasing frequency since its initial public release in December 2022.

Hackers, he said, are improving and modifying the original SapphireStealer code base, extending it to support “additional data exfiltration mechanisms leading to the creation of several variants.”

"SapphireStealer is a good example of the implications of publicly releasing malware source code as it enables the rapid adoption and development of new variants by anyone who can download and edit it," Brumaghin explained.

In some cases, hackers were seen deploying SapphireStealer as part of a multi-stage infection process.

Cisco Talos noted in a report on Thursday that information stealing malware has become incredibly popular among threat actors in recent years, with several new strains emerging and being offered for sale or rent on criminal forums and marketplaces.

Information stealers are the go-to option for financially motivated hackers because they offer simple ways to extract sensitive corporate account credentials, access tokens and data that can be leveraged in future attacks.

“In many cases, the credential logs generated by information stealers are monetized and the network access they provide is sold to other threat actors who may use them to begin operating toward various post-compromise mission objectives, such as espionage or ransomware/extortion,” the researchers said.

The researchers said hackers almost immediately began to experiment with changes to the stealer after it was released, uploading new versions to public malware repositories beginning in mid-January 2023. Several other versions of SapphireStealer were seen uploaded throughout 2023.

The original malware collects information about the victim’s device, takes screenshots, harvests cached browser credentials, and gathers files stored on the system that match a predefined list of file extensions, among other data. It also searches for the credential databases of browsers such as Chrome, Opera, Brave and Microsoft Edge.
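The behaviour described above, a non-browser process reading a browser’s saved-login database, is something defenders can hunt for in file-access audit data. The script below is an added example written for this article; it is not SapphireStealer code and not Cisco Talos detection content. It assumes Windows Security event 4663 style records (file object access auditing enabled on the browser profile directories), the default Chromium-family file name “Login Data” for the saved-login store, and the default browser executable names; the sample records are constructed for the example.

```python
"""Hunt for non-browser processes reading Chromium-family 'Login Data' files.

Added example for illustration only. Assumes Windows object-access audit
records (event 4663 style) with the fields modelled in FileAccess below,
and default browser binary names. Sample events are constructed.
"""
from dataclasses import dataclass
import re

# Assumption: default executable names for the browsers the article names.
BROWSER_PROCESSES = {
    "chrome.exe": "Google Chrome",
    "msedge.exe": "Microsoft Edge",
    "brave.exe": "Brave",
    "opera.exe": "Opera",
}

# Chromium-family browsers keep saved logins in an SQLite file named
# "Login Data" inside the profile directory. Matching on the file name
# rather than a full path covers Chrome, Edge, Brave and Opera, whose
# profile roots differ (assumption: default profile layout).
LOGIN_DATA_RE = re.compile(r"(^|\\)Login Data$", re.IGNORECASE)


@dataclass(frozen=True)
class FileAccess:
    """One file-access audit record (constructed 4663-like shape)."""
    host: str
    process_name: str   # image path of the process that opened the file
    object_name: str    # path of the file that was opened
    accesses: str       # requested access, e.g. "ReadData"


def is_credential_store(path: str) -> bool:
    """True if the opened file is a Chromium-family saved-login database."""
    return LOGIN_DATA_RE.search(path) is not None


def is_browser_process(image_path: str) -> bool:
    """True if the accessing process is one of the known browser binaries."""
    return image_path.rsplit("\\", 1)[-1].lower() in BROWSER_PROCESSES


def find_suspicious(records):
    """Return records where a non-browser process read a Login Data file."""
    hits = []
    for rec in records:
        if not is_credential_store(rec.object_name):
            continue                       # not a credential store
        if "read" not in rec.accesses.lower():
            continue                       # only reads matter for theft
        if is_browser_process(rec.process_name):
            continue                       # the browser itself, expected
        hits.append(rec)
    return hits


def hits_by_process(hits):
    """Group suspicious reads by accessing image so one stealer is one row."""
    summary = {}
    for rec in hits:
        summary.setdefault(rec.process_name, []).append(rec.object_name)
    return summary


# Constructed sample events: two browsers reading their own stores, an
# unrelated document read, and an unknown binary in Temp reading two stores.
SAMPLE_EVENTS = [
    FileAccess("WS01", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
               r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
               "ReadData"),
    FileAccess("WS01", r"C:\Users\alice\AppData\Local\Temp\update.exe",
               r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
               "ReadData"),
    FileAccess("WS01", r"C:\Users\alice\AppData\Local\Temp\update.exe",
               r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
               "ReadData"),
    FileAccess("WS01", r"C:\Windows\System32\svchost.exe",
               r"C:\Users\alice\Documents\report.docx", "ReadData"),
    FileAccess("WS01", r"C:\Users\alice\AppData\Local\Programs\Opera\opera.exe",
               r"C:\Users\alice\AppData\Roaming\Opera Software\Opera Stable\Login Data",
               "ReadData"),
]


if __name__ == "__main__":
    for image, files in hits_by_process(find_suspicious(SAMPLE_EVENTS)).items():
        print(f"{image} read {len(files)} credential store(s):")
        for path in files:
            print(f"    {path}")
```

Running it flags only the binary in the user’s Temp directory, which read both the Chrome and the Edge stores. In a real deployment, backup agents and a few other legitimate tools will also touch these files, so the allowlist in BROWSER_PROCESSES will need tuning, and the hunt is most useful when combined with the process’s parent and its network connections shortly afterwards.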

The changes made to the malware mostly revolve around making data exfiltration easier and alerting hackers to newly acquired infections. Some updates also change the file types being sought, but many simply streamline the malware’s operations.

Some of the updated versions also carry operational security mistakes by their authors, which gave researchers information that led to the identification of specific threat actors.

Last week, Cisco Talos researchers warned that a hacking group working on behalf of the North Korean government was increasingly relying on open-source tools and frameworks during the initial access phase of their attacks.

Several cybersecurity experts said the use of open-source tools allowed hackers to raise fewer red flags and skip the process of developing capabilities from scratch.

In its report on SapphireStealer, Cisco Talos warned that a byproduct of readily available and open-source malware codebases is that the “barrier to entry into financially motivated cybercrime has continued to decrease over time.”

“This trend has become apparent when analyzing campaigns run by individuals or groups that demonstrate inexperience in establishing operational security throughout the various stages of the attack lifecycle,” they explained.

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.