Tuesday, November 12, 2024
HomeCyber Security NewsCybercriminals Released Mini Stealer's Builder & Panel for Free on a Cybercrime...

Cybercriminals Released Mini Stealer’s Builder & Panel for Free on a Cybercrime Forum

Published on

Malware protection

A threat actor has recently released MiniStealer’s builder and panel for free on a cybercrime forum. Cyble Research and Intelligence Labs (CRIL) security analysts discovered this exploit during a routine threat hunting exercise carried out recently.

Threat actors can easily create malicious payloads using such builders, which can make them easy for them to generate. There is a lot of stuff that MiniStealer targets, but it mostly targets FTP applications and browsers that are based on Chromium.

Threat actors claim that their stealer can target different OS, including the following:- 

- Advertisement - SIEM as a Service
  • Windows 7
  • Windows 10
  • Windows 11

The same threat actor made a post sometime after the release of MiniStealer, where he sold the builder and panel for Parrot Stealer for the price of USD 50.

As stated in the report by the threat actor, this stealer is a modified version of MiniStealer. It is possible that the threat actor had added functionality in Parrot stealer that wasn’t present in MiniStealer.

Technical Analysis

The threat actor has leaked two folders from the zip file it has leaked. Here is a list of the files that are contained inside these folders:-

  • Builder: MiniStealerBuilder.exe, Stub
  • Panel: Web Panel Source code

Threat actor released a binary builder that was based on the .NET framework. In order to make the payload more powerful, it has the ability to include the details of C&C in it. 

The actual payload for the builder is located in a file called “stub” that is actually placed in the builder’s build folder. The C&C details are then written to the payload once this is completed so that the final payload can be created.

Test Reports are sent to the C&C server when the Test Button is clicked, in order to determine if the connection can be established with the server. There are three strings that are present in these logs:-

  • TestUser
  • TestPass
  • TestHost

The Mini Stealer application is a 64-bit .NET binary that incorporates Timestomping. Timestomping refers to the process of altering the timestamps of files.

In order to deflect unnecessary attention from forensic investigations, adversaries employ this technique when delivering their payloads.

Recommendations

Here below we have mentioned all the recommendations:-

  • The use of warez and torrent websites is not recommended as a source for downloading pirated software.
  • Ensure that your passwords are strong at all times.
  • Whenever possible, ensure that multi-factor authentication is enforced.   
  • Activate the auto-update feature that automatically updates your device or system software.
  • Make sure you use an anti-virus program that is reputed.
  • Whenever you receive an email that contains an attachment or a link that you are unsure of, do not open it.
  • Employers should be educated on how to protect themselves against malicious activity such as phishing or untrusted URLs, such as spam emails.  
  • In order to prevent malicious URLs from being used to spread malware, you should block them.
  • It is important to keep an eye on the beacons at the network level to identify malware and threat actors that may try to steal data from them.

Secure Azure AD Conditional Access – Download Free White Paper

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...