Cybersecurity researchers from FortiGuard Labs have discovered a new ‘Stealit’ info-stealing malware campaign that exploits an experimental Node.js feature to deliver its malicious payloads. The campaign represents a tactical shift for the malware operators, who are continuously evolving their methods to evade detection.
Previously, Stealit campaigns were constructed using Electron, a popular open-source framework for building desktop applications. This new variant has instead adopted a native Node.js feature known as Single Executable Application, or SEA.
Both methods are particularly effective for malware distribution because they bundle all necessary scripts and assets into a single standalone binary. This allows the malware to run on a victim’s system without a pre-installed Node.js runtime or any other dependencies, which broadens its potential target base.
The malware is reportedly still being distributed through familiar channels, often disguised as installers for popular games or VPN applications. Recent samples have been found packaged using PyInstaller or within compressed archives, uploaded to file-sharing websites like Mediafire and Discord for unsuspecting users to download.
Stealit operates with a high degree of commercial professionalism. The malware is openly sold on a dedicated website that has recently moved to new domains to avoid disruption. The site markets the tool as a provider of “professional data extraction solutions,” complete with different subscription tiers for its Windows and Android versions. The pricing plans range from weekly access to lifetime subscriptions, with the latter costing approximately $500 for the Windows stealer and $2,000 for the Android remote access trojan (RAT).
The operators also maintain a public Telegram channel, ‘StealitPublic’, to post updates and promotional offers to prospective clients. These posts often advertise discounts, encouraging the purchase and use of their malicious tools.
The infection process is a multi-layered affair designed to complicate analysis. It begins with an installer component that downloads additional modules from its command-and-control (C2) server. The Node.js scripts bundled within the executables are heavily obfuscated. Interestingly, analysis of the installer’s resource data revealed file paths containing the directory names ‘StealIt’ and ‘angablue’, indicating the use of an open-source project designed to automate the building of Node.js SEA executables.
To avoid being scrutinised by security researchers, the malware employs an extensive suite of anti-analysis checks before proceeding with its main functions. It inspects the system for signs of a virtual environment by checking that the system memory is at least 2GB and that there are at least two CPU cores. It also checks for blacklisted hostnames, usernames, and file paths associated with virtualisation software like VMware and VirtualBox.
Further checks are performed to detect analysis tools by listing all running processes and loaded DLLs, looking for keywords related to debugging and monitoring. If the Stealit malware determines it is running inside an analysis environment, it will terminate and display a fake “Critical System Error Detected!” message box to mislead the user or researcher.
Once these checks are passed, the installer downloads three core components after writing a 12-character authentication key to a local file. This key is used for authenticating with the C2 server and is likely the same key subscribers use to access their victim control dashboard. To hinder detection, the malware adds its newly created directories to Windows Defender’s exclusion list using a PowerShell command.
The downloaded components are also Node.js scripts packaged as executables, though using a different open-source project called Pkg. The first, save_data.exe, is only executed if the Stealit malware has high privileges. It uses a tool derived from the open-source project ChromElevator, which is designed to extract information from Chromium-based browsers by bypassing their security features.
A second component, stats_db.exe, is responsible for broader information theft. Before starting its work, it attempts to terminate the processes of its target applications. It then extracts data from numerous browsers, messengers like WhatsApp and Telegram, and game-related platforms including Steam and the Epic Games Launcher. It also targets cryptocurrency wallets, both standalone applications and those installed as browser extensions.
The third component, game_cache.exe, is the primary client for communicating with the C2 server. To ensure it runs every time the system starts, it creates a Visual Basic script in the Windows startup folder. This module waits for instructions from the threat actor, which can include a wide array of invasive actions. According to Stealit’s own feature list, an attacker can stream a live view of the victim’s screen and webcam, remotely manage the system, execute commands, grab files from critical user folders, change the desktop wallpaper, and even deploy ransomware.
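Two of the behaviours described above leave host-level traces a defender can alert on: the installer adding its own directories to the Windows Defender exclusion list through PowerShell, and the C2 client dropping a Visual Basic script into the Startup folder for persistence. The following Python script is an added illustration and is not code from the article or from FortiGuard Labs. It runs two detection rules over a small set of constructed, Sysmon-style events (event ID 1 for process creation, event ID 11 for file creation); the sample paths and file names are invented, and the use of the `Add-MpPreference`/`Set-MpPreference` cmdlets with an `-Exclusion*` parameter is an assumption about how the exclusion is added, since the article only says “a PowerShell command”.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int  # 1 = process creation, 11 = file create (Sysmon numbering)
    image: str     # process that generated the event
    detail: str    # command line (event 1) or created file path (event 11)


# Constructed sample events in a simplified "event_id|image|detail" format.
# None of these paths or names come from the article; they only stand in for
# the behaviours it describes.
SAMPLE_EVENTS = [
    "1|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell -Command Add-MpPreference -ExclusionPath 'C:\\Users\\victim\\AppData\\Local\\game_cache'",
    "11|C:\\Users\\victim\\AppData\\Local\\game_cache\\game_cache.exe|"
    "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.vbs",
    "1|C:\\Windows\\System32\\cmd.exe|cmd /c dir",
    "11|C:\\Program Files\\Notepad++\\notepad++.exe|C:\\Users\\victim\\Documents\\notes.txt",
]

# Assumed shape of the exclusion command: Add-/Set-MpPreference with an
# -ExclusionPath/-ExclusionProcess/-ExclusionExtension argument.
DEFENDER_EXCLUSION = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+"
    r"(?P<target>'[^']+'|\"[^\"]+\"|\S+)",
    re.IGNORECASE,
)
# A .vbs file created directly inside a per-user or all-users Startup folder.
STARTUP_VBS = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs$", re.IGNORECASE)
# Exclusions pointing at user-writable locations are the most suspicious kind.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.IGNORECASE)


def parse_event(line: str) -> Event:
    event_id, image, detail = line.split("|", 2)
    return Event(int(event_id), image, detail)


def detect(event: Event) -> list[str]:
    """Return the names of every rule the event triggers (empty list if none)."""
    hits: list[str] = []
    if event.event_id == 1 and "powershell" in event.image.lower():
        match = DEFENDER_EXCLUSION.search(event.detail)
        if match:
            hits.append("defender_exclusion_added")
            target = match.group("target").strip("'\"")
            if USER_WRITABLE.search(target):
                hits.append("exclusion_in_user_writable_path")
    if event.event_id == 11 and STARTUP_VBS.search(event.detail):
        hits.append("vbs_dropped_in_startup_folder")
    return hits


def scan(lines: list[str]) -> list[tuple[str, str]]:
    """Run every rule over a batch of raw event lines; return (rule, image) pairs."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for rule in detect(event):
            findings.append((rule, event.image))
    return findings


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:34s} <- {image}")
```

The two benign events (a `cmd /c dir` and a text file written by an editor) produce no findings, so the rules can be tuned on real telemetry without flooding analysts; in practice the exclusion rule should also be fed from the Defender operational log, since a stealer could invoke the cmdlet through a path other than `powershell.exe`.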
The cybercrime landscape is in constant flux, and this campaign is no exception. FortiGuard Labs noted that within weeks of observing the SEA-based variant, new Stealit samples had already reverted to using the Electron framework, this time adding AES-256-GCM encryption for its Node.js scripts.
Such an evolution shows that the threat actors behind the Stealit malware are actively developing their tool and changing tactics to stay ahead of security vendors. This campaign is a reminder of how attackers are willing to adopt even experimental technologies to achieve their aims, hoping to catch security applications and analysts off guard.