The most active stealers of 2024 have been named

Tomcat

Analysts at Kaspersky Lab's Global Threat Research and Analysis Center have listed the stealers that have been most active since the beginning of 2024. According to the study, these included Acrid, ScarletStealer and SYS01.

Acrid was first discovered in December 2023. Interestingly, it is written in C++ for 32-bit systems. After carefully analyzing samples of the stealer, Kaspersky Lab found the reason for this move: the developer used the Heaven’s Gate technique, which allows 32-bit applications to access a 64-bit environment and thereby bypass some information security tools. Otherwise, the stealer is quite standard: it steals browser data, local crypto wallets, files with specific names, and application credentials.

ScarletStealer was found during analysis of the Penguish bootloader. The malware is characterized by a non-trivial approach to attack: most of its functionality is embedded in other binary files, including applications and Chrome extensions, which the stealer downloads to the victim’s device independently. When launched, ScarletStealer searches for cryptocurrencies and wallets using specific folder paths.

Kaspersky Lab experts call SYS01 a “relatively little-known stealer” that has been on the market since 2022, including under the names Album Stealer and S1deload Stealer. It is distributed through a malicious ZIP archive disguised as a porn video on one of the popular social networks. Researchers note that the collection of browser data in this stealer is split out into a separate module called imageclass. The stealer has targeted users all over the world, but it mainly targets Algeria.

“Stealers are a real and still present threat. Such programs steal passwords and other confidential information, which can subsequently be used for other malicious purposes, and this leads, at a minimum, to large financial losses,” stated Tatyana Shishkova, leading information security threat researcher at Kaspersky Lab.
 