AsukaStealer Malware Targets Browsers and Crypto Wallets for $80 a Month

A new and sophisticated malware named AsukaStealer has emerged on the cybercrime scene, offering its malicious services for a surprisingly low monthly fee of $80. This C++ based malware, marketed on a Russian-language forum, boasts customizable configurations and a user-friendly web interface, making it a potent tool for cybercriminals.

Login page of AsukaStealer malware

Security researchers at Quick Heal Technologies have unveiled AsukaStealer’s extensive capabilities, which include:

• Browser Data Theft: Targeting a wide array of browsers like Firefox, Chrome, and Edge to extract login credentials, cookies, and extension data.
• Application Targeting: Extracting sensitive information from cryptocurrency wallets, FTP clients, messaging apps, and gaming software.
• Data Exfiltration: Stealing files and capturing screenshots from infected systems.
• Coin Miner Deployment: Downloading and executing a cryptocurrency miner on compromised devices.

The malware’s developers have implemented a sophisticated data exfiltration process, utilizing unique identifiers for each stolen file to enhance tracking and organization. The researchers also discovered that AsukaStealer downloads a configuration file from a command-and-control (C2) server, further demonstrating its complex and evolving nature.

AsukaStealer employs sophisticated techniques to evade detection and maximize its effectiveness:

• API Hashing Technique: Initially uses this method to complicate analysis and avoid detection.
• Base64 and Hexadecimal Encoding: Utilizes encoded values for critical operations. For instance, the key “1d6f6623f5e8555c446dc496567bd86e” and the base64-encoded C2 address “WRBCFgwZHQZIAVcWAwMbUQEOBVRTBA==” decode to the C2 server address hxxp://5.42.66.25:3000/.
• Data Exfiltration: Collects extensive system details, including desktop version, language ID, CPU details, OS version, RAM, and time zone. It targets specific regions such as Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Ukraine, and Russia.

The malware meticulously collects and transmits crucial files needed to decrypt browser data, including cookies.sqlite, logins.json, cert9.db, and key4.db. Each file is associated with a unique UUID generated using the UuidCreate function, which enhances the organization and tracking of exfiltrated data. This method is also employed for other data extracted from the host, such as cryptocurrency wallets, the Grabber module, Steam, and Telegram.

AsukaStealer appears to be particularly focused on users in Eastern European and Central Asian countries, but its widespread availability and ease of use make it a threat to individuals and organizations worldwide. Anyone using popular web browsers or storing sensitive data on their computers could be a potential target.