Researcher warns: Java-Based Stealer Spreads via Cracked Software


In the complex and constantly evolving world of cyber threats, a new sophisticated Java-based stealer has emerged, posing a significant threat to online security. Discovered by the Trellix Advanced Research Center in mid-November 2023, this malware campaign demonstrates a worrying advancement in cybercrime techniques.

The stealer, distributed inside zip files of cracked software, uses the JDABuilder class to create an EventListener instance, which in turn communicates with a Discord bot channel. This approach allows the malware to operate discreetly and efficiently.

Infection Mechanism | Image: Trellix Advanced Research Center

One of the most alarming aspects of this stealer is its ability to exfiltrate sensitive data. It targets a wide array of browsers, stealing cookies, screenshots, and system information. The malware meticulously gathers data including browser history, installed programs, and user credentials, exploiting vulnerabilities in popular browsers and operating systems.

This Java-based stealer is not just a simple data thief. It is designed to perform a range of malicious activities, from capturing screenshots to exfiltrating browser cookies and user credentials. Its sophisticated exfiltration methods highlight the need for robust cybersecurity measures.

In its final stage, the malware sends all collected data to a Discord bot channel, demonstrating a cost-effective and discreet method of data transmission. This technique highlights the increasing use of legitimate platforms by threat actors for malicious activities.
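Because the final stage posts the stolen data to Discord, the most actionable detection point for defenders is outbound traffic to the Discord API from processes that are not the Discord client. The following is an added example, not code from the Trellix report, showing that check run over a constructed proxy log: the log format (timestamp, client IP, method, URL, status, bytes sent, process name) is an assumption, the log lines and IDs are made up, and the allowlist of processes and the upload-size threshold are placeholders to tune per environment. The Discord webhook and channel-message URL shapes are the public API formats.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample proxy log (not real telemetry). Assumed column order:
# timestamp client_ip method url status bytes_out process
SAMPLE_LOG = """\
2023-11-15T10:01:02Z 10.0.0.12 GET https://update.example.com/check 200 312 chrome.exe
2023-11-15T10:01:09Z 10.0.0.12 POST https://discord.com/api/webhooks/1234567890/AbCdEf-ExampleToken 204 184320 java.exe
2023-11-15T10:01:11Z 10.0.0.12 POST https://discord.com/api/v10/channels/1234567890/messages 200 4096 javaw.exe
2023-11-15T10:02:30Z 10.0.0.14 GET https://discord.com/app 200 5120 Discord.exe
2023-11-15T10:03:00Z 10.0.0.14 POST https://discord.com/api/v9/channels/9876/messages 200 2048 Discord.exe
"""

# Public Discord API endpoints used to post messages: incoming webhooks and
# the bot "create message" route. Subdomain and discordapp.com are tolerated.
DISCORD_POST_RE = re.compile(
    r"^https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/"
    r"(?:webhooks/|v\d+/channels/\d+/messages)",
    re.IGNORECASE,
)

# Placeholder allowlist: processes expected to talk to the Discord API.
ALLOWED_PROCESSES = {"discord.exe"}

# Placeholder threshold: a single POST above this size is suspicious for a
# message endpoint and typical of screenshot/cookie archive uploads.
LARGE_UPLOAD_BYTES = 64 * 1024


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    process: str
    url: str
    bytes_out: int
    reason: str


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, int, str]]:
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, ip, method, url, _status, bytes_out, proc = parts
    try:
        return ts, ip, method, url, int(bytes_out), proc
    except ValueError:
        return None


def redact_webhook(url: str) -> str:
    """Keep the webhook ID (useful for blocking) but drop the secret token."""
    return re.sub(r"(/api/webhooks/\d+/)[^/?\s]+", r"\1<redacted>", url)


def detect_discord_exfil(log_text: str,
                         allowed_processes=ALLOWED_PROCESSES,
                         large_upload_bytes: int = LARGE_UPLOAD_BYTES) -> List[Finding]:
    """Flag POSTs to Discord message/webhook endpoints from non-allowlisted processes."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, method, url, bytes_out, proc = rec
        if method.upper() != "POST" or not DISCORD_POST_RE.match(url):
            continue
        if proc.lower() in {p.lower() for p in allowed_processes}:
            continue
        reason = "non-Discord process posting to Discord API"
        if bytes_out >= large_upload_bytes:
            reason += f"; large upload ({bytes_out} bytes)"
        findings.append(Finding(ts, ip, proc, redact_webhook(url), bytes_out, reason))
    return findings


if __name__ == "__main__":
    for f in detect_discord_exfil(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client_ip} {f.process} -> {f.url}: {f.reason}")
```

The webhook token is redacted before the finding is recorded, since the ID alone is enough to block or report the webhook and the token should not be copied into tickets. The Discord desktop client posting to the same endpoints is deliberately not flagged; the signal is the process mismatch, not the destination alone.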

“Discord webhook bots are more often used by Threat Actors for stealer activities and to form a URL for sending messages. Taking all of this into account, this threat will likely spread more in the wild, with additional users falling victim,” the researcher concluded.