According to a new deep-dive analysis by the Sublime Threat Research Team, a new infostealer dubbed TROX is actively exploiting human urgency through phishing emails disguised as legal debt warnings, ultimately delivering a sophisticated, multi-layer malware payload.
TROX Stealer, first observed in December 2024, is described as “an obscure and undocumented information stealer” designed to exfiltrate a variety of sensitive data. Its targets include stored credit cards, browser credentials, cryptocurrency wallets, and even session files for popular communication platforms like Discord and Telegram. The malware is marketed as a Malware-as-a-Service (MaaS) product, allowing cybercriminals to license it for short periods. “Like many other malware families being sold as MaaS, TROX could be licensed on a weekly basis for use in attack campaigns.” This MaaS model enables rapid deployment and iteration of attacks.
The primary delivery method for TROX Stealer involves sending “urgent-sounding emails” to victims across various industries. These emails, often employing language generated by Large Language Models (LLMs), create a sense of urgency related to debt or legal action. Examples of subject lines include:

- “Last Opportunity to Settle Debt Before Legal Action”
- “Urgent Notice: Legal Action Scheduled for Your Debt”
- “Final Warning: Legal Action Pending for Your Account”

The emails contain HTML-rendered text with a link that, when clicked, leads to the download of an executable file containing TROX Stealer.
The report delves into the technical aspects of the malware installation process, highlighting the malware author’s efforts to evade detection and analysis. The malware employs multiple layers of obfuscation, including Nuitka-compiled executables, Zstd-compressed files, and JavaScript embedded within a bundled Node.js interpreter. Notably, the use of WebAssembly (Wasm) padded with extensive junk code further complicates reverse engineering.
“This suggests a high level of obfuscation and anti-analysis, which was proven during reverse engineering that discovered hundreds of thousands of lines of junk code.”
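As an added defender-side example (not code from Sublime’s report or from the malware), the small Python triage helper below flags a Windows executable that carries the nested layers the report lists, Zstd-compressed data and a WebAssembly module, by locating their file-format magic numbers; the `layered_payload` scoring rule in `triage` is an assumption of this example, not a documented TROX signature.

```python
"""Triage helper: flag executables that embed Zstd frames and WebAssembly modules."""
from typing import Dict, List, Tuple

# Magic numbers for the layers the report describes (public file-format constants).
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"    # Zstandard frame header (0xFD2FB528, little-endian)
WASM_MAGIC = b"\x00asm"             # WebAssembly binary module preamble
WASM_VERSION = b"\x01\x00\x00\x00"  # the only binary-format version defined so far
MZ_MAGIC = b"MZ"                    # DOS/PE executable stub


def find_embedded_layers(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, kind) for each embedded Zstd frame or Wasm module, in file order."""
    hits: List[Tuple[int, str]] = []
    for magic, kind in ((ZSTD_MAGIC, "zstd-frame"), (WASM_MAGIC, "wasm-module")):
        pos = blob.find(magic)
        while pos != -1:
            # A bare "\0asm" can occur by chance; require the version word to follow it.
            if kind != "wasm-module" or blob[pos + 4:pos + 8] == WASM_VERSION:
                hits.append((pos, kind))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def triage(blob: bytes) -> Dict[str, object]:
    """Summarise a file: is it a PE, which layers it embeds, and whether it matches the
    PE-plus-Zstd-plus-Wasm pattern (hypothetical scoring rule, not a vendor signature)."""
    layers = find_embedded_layers(blob)
    kinds = {kind for _, kind in layers}
    is_pe = blob.startswith(MZ_MAGIC)
    return {
        "is_pe": is_pe,
        "layers": layers,
        "layered_payload": is_pe and {"zstd-frame", "wasm-module"} <= kinds,
    }


def triage_file(path: str) -> Dict[str, object]:
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed sample: a fake PE stub with a Zstd frame and a Wasm module appended,
# plus a decoy "\0asm" without a version word that must NOT be reported.
SAMPLE = (MZ_MAGIC + b"\x90" * 30
          + ZSTD_MAGIC + b"\x00" * 16
          + b"\x00asm" + b"junk"
          + WASM_MAGIC + WASM_VERSION + b"\x01\x04\x01\x60\x00\x00")

if __name__ == "__main__":
    print(triage(SAMPLE))
```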
Despite the advanced evasion techniques, the core functionality of TROX Stealer relies on established methods. It steals information by querying application databases and exfiltrates data through platforms like GoFile and Telegram.
“Most forms of stealing information were from querying application databases for sensitive information, a known and accepted risk in most web browsers.”
The Sublime Threat Research report emphasizes that while TROX Stealer uses advanced evasion, its core data-stealing methods are well known, which provides opportunities for detection and prevention.