A brief look at all things infostealers for week 43, 2024 (21.10.2024–27.10.2024). My-my, quite a few updates to several infostealers were observed during week 43. As usual, a few articles and news pieces that were interesting have been added, especially the “Braodo Stealer” one; I hadn’t heard about that stealer before.
XFiles Update
Note: The update posts are copy-pasted as is (and machine-translated if post was available only in Russian)
Microsoft Edge has changed the encryption of cookies since version v130; to decrypt cookies of the new Microsoft Edge you need to do a rebuild. It is worth noting that there will still be a knockback from old builds.
Screenshot from XSS forum
Lumma Update
Update 21.10 EN
- Added cookie collection in new versions of Microsoft Edge and Brave Browser
- Incognito cookies moved to a separate folder with designation
- cleaning Windows Defender 10/11 + Cloud + Run-Time
- Improved duplicate checking when tapping in Telegram
- Fixed a bug where cookies overlapped, resulting in invalid cookies
- Fixed transition between pages when sorting by likes in the marketplace
Screenshot from XSS forum
Update 27.10 EN
- Cleaning WD 10/11 + Cloud
- Changed method of storing data for search
- Changed method of sending logs to Telegram
- Replaced common proxies
Screenshot from Lumma’s telegram channel
Xerph Update
Xerph 1.1.2 Loader + Stealer (Update) >>
Changes:
- “Passwords” page will now show the browser name where the credentials were recovered
- Optimized the behavior of the bot
- Added 6 additional recoverable browsers:
  - Slimjet
  - AVG_Secure
  - Avast_Secure
  - Blisk
  - CCleaner
  - URBrowser
Screenshot from XSS forum
Vidar Update
TOTAL UPDATE! V_11.2
It's finally time for adequate Chrome-based browser data collection methods! After all, it's not only Chrome that has been updated, but other browsers as well. We have already done cookie collection and decryption on browsers like Chrome!
In addition to all this, we have redesigned the method of token recovery from the browser, which now allows you to recover cookies with a token and not be exposed to fraud detection! However, restoring one token now works for 10 seconds!
Changes:
- A new method of collecting cookies from browsers
- New method to recover tokens, without fraud
- product and proxies are cleaned
- Hired a second developer
- Improved validity of tokens
Upgrade 11.3
We will try to release updates more often now! We have made some improvements that increased the speed of data delivery to our servers, as well as added the ability to collect data using a new method for all browsers like Chrome.
Changes:
- New method of collecting cookies from all browsers
- Improved performance
StealC Update
ATTENTION!
Our Telegram account and channel were removed; at the moment you can find out the current TG in PM, or via Jabber / Tox.
stealc v1.11 update
list of changes:
build:
- improved collection of cookies from Chromium 128+ (130 and later supported)
- cookies collection from browser profiles implemented
web:
- removed tg contacts from logs
- added jabber and tox contacts
- removed news section from admin area (due to channel bans)
- removed cookie restore section (due to Google fixing the method; we are testing the new method and already provide it to some clients).
Screenshot from XSS forum
WhiteSnake Update
White Snake patch 1.6.3.5
- Fixes for app-bound cookie decryption (rebuild required).
- Updated C2 list.
Articles/News
Over 6,000 WordPress sites hacked to install plugins pushing infostealers
- https://www.bleepingcomputer.com/news/security/over-6-000-wordpress-sites-hacked-to-install-plugins-pushing-infostealers/
Stealer here, stealer there, stealers everywhere!
- https://securelist.com/kral-amos-vidar-acr-stealers/114237/
Braodo Stealer
- https://fieldeffect.com/blog/unmasking-braodo-inside-the-operations-of-a-relentless-info-stealer