
Open-Source Data Stealers: A Rising Threat in Cybersecurity


Open-source data stealers have become increasingly popular among threat actors due to their versatility, providing them with powerful reconnaissance tools to achieve malicious objectives. These data stealers can be highly stealthy if designed and configured effectively, making them hard to detect.

One of the biggest challenges in identifying the harmful actions of these open-source data stealers is their ability to operate quietly, relying on legitimate operations and blending in with regular network traffic. This makes it difficult for security systems to detect their presence and the potential damage they can cause.

Recently, cybersecurity researchers at Cyble Research and Intelligence (CRIL) stumbled upon a new open-source data stealer called ‘Exela’. On September 14th, an archive named ‘Exela-V2.0-main.rar’ was discovered, providing valuable insights into the workings of this malicious software.

The source code of this data stealer was traced back to a GitHub repository on August 17th, 2023, with researcher Yogesh Londhe being the first to notice it. The utility primarily operates through Discord webhook URLs, discreetly collecting private information from unsuspecting victims. This discovery sparked great interest in thoroughly analyzing the capabilities and effects of Exela Stealer.

The Exela Stealer builder is built on Python 3.10.0 or 3.11.0 and creates a customized stealer according to the preferences of the threat actor. To ensure its stealthiness, the stealer checks for an existing mutex named ‘Exela | Stealer | on | Top’. If it is found, the stealer stops and displays a message stating ‘mutex already exists’. However, if the mutex does not exist, the stealer proceeds with its data theft operations, cleverly using a fake error message as a diversion tactic.

To further enhance its stealth and avoid detection, the stealer checks for debugging or virtualization by gathering UUID and computer name information, comparing them against a hardcoded list. If a match is found, the stealer terminates its operations.

In order to achieve persistence, the Exela Stealer hides itself in the ‘C:\appdata\local\ExelaUpdateService’ directory, disguising itself as ‘Exela.exe’ while setting its attributes to hidden and system. Additionally, the stealer creates a startup entry, allowing it to run automatically upon system boot. The operator can choose between the Windows Registry (regedit) or Task Scheduler (schtasks) for this purpose.

The malicious nature of Exela Stealer becomes evident as it modifies Discord client files, granting unauthorized access and enabling extensive data collection. To achieve this, the stealer replaces the original code with custom injections sourced from a GitHub repository, ultimately sending all harvested data to the attacker’s webhook URL.

To ensure stealth and cover its tracks, the stealer saves all pilfered information in a unique folder and builds a detailed report message with custom elements. It then transmits this report via the previously mentioned Discord webhook, effectively delivering the stolen data to the threat actor. Finally, the stealer removes the original ZIP file and temporary directory to erase any evidence of its activities.
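The persistence and exfiltration traits described above (the hidden ExelaUpdateService directory, a Run-key or schtasks startup entry, tampering with Discord client files, and Discord webhook traffic from a process that is not the Discord client) can be turned into simple host-telemetry checks. The script below is an added example, not code from Cyble's write-up or from the Exela repository; it runs over constructed Sysmon-style event lines, and the Discord client install path it assumes is an assumption.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style sample events (not real telemetry). EventID meanings follow
# Sysmon: 1=ProcessCreate, 11=FileCreate, 13=RegistryValueSet, 22=DnsQuery.
EXELA = "C:\\Users\\u\\AppData\\Local\\ExelaUpdateService\\Exela.exe"
SAMPLE_EVENTS = [
    "EventID=11 Image=C:\\Users\\u\\Downloads\\Exela.exe TargetFilename=" + EXELA,
    "EventID=13 Image=" + EXELA + " TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ExelaUpdateService",
    "EventID=1 Image=C:\\Windows\\System32\\schtasks.exe ParentImage=" + EXELA
    + " CommandLine=schtasks /create /tn ExelaUpdateService /tr " + EXELA + " /sc onlogon",
    "EventID=11 Image=" + EXELA + " TargetFilename=C:\\Users\\u\\AppData\\Local\\Discord\\app-1.0.0\\modules\\discord_desktop_core\\index.js",
    "EventID=22 Image=" + EXELA + " QueryName=discord.com",
    "EventID=22 Image=C:\\Users\\u\\AppData\\Local\\Discord\\app-1.0.0\\Discord.exe QueryName=discord.com",
]
STAGING_DIR = "\\exelaupdateservice\\"        # directory named in the write-up (lower-cased)
RUN_KEY = "\\currentversion\\run\\"
DISCORD_DIR = "\\appdata\\local\\discord\\"  # assumed install path of the legitimate client
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Split 'Key=value Key2=value with spaces' into a dict (values may contain spaces)."""
    return dict(FIELD_RE.findall(line))

def classify(ev):
    """Return the Exela traits a single event exhibits (empty list if benign)."""
    eid, image = ev.get("EventID"), ev.get("Image", "").lower()
    target, cmd = ev.get("TargetFilename", "").lower(), ev.get("CommandLine", "").lower()
    hits = []
    if eid == "11" and STAGING_DIR in target:
        hits.append("drop_into_ExelaUpdateService")
    if eid == "13" and RUN_KEY in ev.get("TargetObject", "").lower() and STAGING_DIR in image:
        hits.append("run_key_persistence")
    if eid == "1" and "schtasks" in cmd and "/create" in cmd and STAGING_DIR in cmd:
        hits.append("schtasks_persistence")
    if eid == "11" and DISCORD_DIR in target and DISCORD_DIR not in image:
        hits.append("discord_client_file_tamper")
    if eid == "22" and ev.get("QueryName", "").lower().endswith("discord.com") and DISCORD_DIR not in image:
        hits.append("discord_lookup_from_non_client")
    return hits

def triage(lines):
    """Aggregate traits per responsible process (ParentImage for child-process events)."""
    findings = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        owner = ev.get("ParentImage") or ev.get("Image", "?")
        findings[owner].extend(classify(ev))
    return {proc: traits for proc, traits in findings.items() if traits}

if __name__ == "__main__":
    for proc, traits in triage(SAMPLE_EVENTS).items():
        print(proc, "->", ", ".join(traits))
```

A process that accumulates more than one of these traits (persistence plus Discord tampering or webhook traffic) is the pattern worth escalating; any single trait on its own can have benign causes.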

To protect yourself from vulnerabilities like these, it is crucial to use tools like Patch Manager Plus to efficiently patch over 850 third-party applications. By taking advantage of the free trial offered by Patch Manager Plus, you can ensure 100% security for your systems and safeguard against emerging threats.
