Threat actors deploy Stealit infostealer in fake game and VPN installers

Fortinet’s FortiGuard Labs has uncovered a new campaign distributing the Stealit information-stealer via malicious installers masquerading as games and VPN software.

Researchers detected a surge in a particular Visual Basic script that led them to the discovery of samples bundled with PyInstaller and common compressed archives and uploaded to file-sharing platforms such as Mediafire and Discord. The installers are heavily obfuscated and use multiple anti-analysis techniques to evade detection.

Once executed, the Stealit malware harvests data from web browsers, including Google Chrome and Microsoft Edge, and from a wide range of apps like game platforms and marketplaces (Steam, Minecraft, Growtopia and Epic Games Launcher), messaging apps (WhatsApp and Telegram) and cryptocurrency wallets (Atomic, Exodus and browser-extension wallets).

Early samples abused Node.js’s experimental Single Executable Apps (SEA) feature to package malicious scripts into standalone executables that run on systems without Node.js installed. The feature increases file size by embedding the application and its dependencies in a NODE_SEA_BLOB resource stored as RCDATA; in observed samples the resource included original file paths referencing “StealIt” and “angablue,” indicating that threat actors used AngaBlue, an open-source tool that automates creation of Node.js SEA executables, alongside Stealit.
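The resource name and path strings described above lend themselves to a simple triage rule. The following is an added example, not FortiGuard’s tooling or anything from the campaign: it flags PE images carrying the NODE_SEA_BLOB resource name and Node.js’s SEA sentinel fuse (the constant Node documents for use with postject), and escalates the verdict only when the report’s “StealIt” and “angablue” path strings also appear, since a legitimate SEA-packaged application trips the first check alone. The sample bytes are constructed stand-ins, not real samples.

```python
import re

# Indicators from the FortiGuard write-up: the SEA payload lives in a PE
# resource named NODE_SEA_BLOB, and observed blobs carried source paths
# mentioning "StealIt" and "angablue".
SEA_RESOURCE_NAME = "NODE_SEA_BLOB"
# Sentinel string shipped in node.exe so the SEA loader can tell whether a blob
# was injected; postject flips the trailing ':0' to ':1' when it injects one.
SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"
CAMPAIGN_MARKERS = (b"StealIt", b"angablue")

def is_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage(data: bytes) -> dict:
    """Return tiered findings for one file image."""
    out = {"pe": is_pe(data), "node_sea": False, "fuse_state": None,
           "markers": [], "verdict": "clean"}
    if not out["pe"]:
        return out
    # Named PE resources are stored as UTF-16LE strings, so search the wide form.
    if SEA_RESOURCE_NAME.encode("utf-16-le") in data:
        out["node_sea"] = True
    m = re.search(re.escape(SEA_FUSE) + rb":([01])", data)
    if m:
        out["fuse_state"] = "injected" if m.group(1) == b"1" else "unused"
    out["markers"] = [s.decode() for s in CAMPAIGN_MARKERS if s in data]
    if out["node_sea"] and out["markers"]:
        out["verdict"] = "stealit-sea-indicators"
    elif out["node_sea"] or out["fuse_state"] == "injected":
        out["verdict"] = "node-sea-suspicious"  # benign SEA apps land here too
    return out

def _fake_pe(body: bytes) -> bytes:
    """Constructed stand-in for a PE image: MZ stub, e_lfanew=0x40, PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + body

# Constructed samples: one mimicking the described SEA build, one plain PE.
SAMPLE_SEA_STEALIT = _fake_pe(b"\x00" * 16 + SEA_FUSE + b":1" + b"\x00" * 8
                              + SEA_RESOURCE_NAME.encode("utf-16-le")
                              + b"C:\\build\\angablue\\StealIt\\main.js")
SAMPLE_PLAIN_PE = _fake_pe(b"\x00" * 64)
```

Run `triage()` over files from a quarantine share; a "node-sea-suspicious" verdict warrants a look but is expected for any SEA-packaged Node app, while "stealit-sea-indicators" matches the specific path strings reported here.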

Weeks into the operation the adversary shifted tactics, returning to Electron-based packaging, this time encrypting the embedded Node.js scripts with AES-256-GCM. At the same time the campaign’s operators migrated their command-and-control infrastructure to new domains and launched a commercial panel selling Stealit as a “professional data extraction solution” on a subscription basis. The panel advertises RAT-style features such as file theft, webcam control, live screen monitoring and ransomware deployment for both Windows and Android, and offers instructional videos and paid plans (roughly $500 lifetime for Windows and about $2,000 for Android, according to the FortiGuard analysis).

“This new Stealit campaign leverages the experimental Node.js Single Executable Application (SEA) feature, which is still under active development, to conveniently distribute malicious scripts to systems without Node.js installed. Threat actors behind this may be exploiting the feature’s novelty, relying on the element of surprise, and hoping to catch security applications and malware analysts off guard,” the report notes.
