Just in time for the Christmas holidays, the official SantaStealer Telegram channel has announced that its stealer is ready for release. The update was first reported by Rapid7, after its researchers identified a Windows executable belonging to the malware.
The announcement, published in both English and Russian, describes the stealer as a “data theft program for Windows, developed in C.” It goes on to provide a pricing breakdown for the product: lifetime access costs $1000, while one-month access costs $175.

Developers, IT Managers, and SOC teams can now expect to encounter this attack in the wild.
This malware strain has been widely advertised across Telegram channels and the dark web, originally under the BluelineStealer brand name. In their analysis, Rapid7 explained that the malware “collects and exfiltrates sensitive documents, credentials, wallets, and data from a broad range of applications, and aims to operate entirely in-memory to avoid file-based detection.”
Distribution
The malware is advertised across corners of the dark web as if it were a legitimate product. The SantaStealer Telegram channel displays a feature breakdown, explaining the capabilities that each plan offers. This type of product marketing is a stark reminder of how malware is fast becoming a profitable business, operating at scale, rather than being limited to technically sophisticated hackers.

Rapid7 reports that one of the unusual features of this malware is that the decision whether to target the Commonwealth of Independent States (CIS), which comprises many former Soviet states, is left to individual users rather than being hardcoded. Offering that choice at all is a strong indicator that the malware is of Russian (or Russia-aligned) origin, since stealers from that region typically avoid infecting CIS victims.
Expert Insights recommends that companies take the usual precautions regarding unknown code and permission and access practices. Ensure that endpoint protection solutions are in place, and that each user's access is limited to the level appropriate for their job role.