Gremlin Stealer Evolves With Resource-File Obfuscation and Crypto-Clipper Functionality
Gremlin stealer malware now embeds payloads in .NET resource sections with XOR encoding and employs commercial packing utilities with instruction virtualization to evade static analysis while expanding targeting to Discord tokens and cryptocurrency wallets.
Attack Brief
Target: Windows systems; web browsers; cryptocurrency wallets; Discord; FTP/VPN credentials
Vector: Malware distribution (delivery mechanism not specified in report); resource-embedded payload execution; staged loading from .NET resources
Attribution: unattributed
Technical Details
MITRE ATT&CK: T1005, T1115, T1056, T1185, T1040, T1041, T1140
IoCs: hxxp[:]194.87.92[.]109; SHA256: 2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b
Impact
Confirmed Damage: Exfiltration of payment card details, browser cookies, session tokens, cryptocurrency wallet data, FTP and VPN credentials; active cryptocurrency wallet replacement (clipper functionality) to divert funds; browser session hijacking via WebSocket-based module
Mitigation
Detection: Monitor for .NET resource section access patterns; detect XOR-decrypted strings matching C2 URLs and exfiltration paths; hunt for WebSocket-based session hijacking attempts; identify clipboard monitoring for cryptocurrency wallet address patterns; track Discord token extraction module behavior
Context
Similar Attacks: Gremlin stealer employs resource-section obfuscation tactics previously observed in Agent Tesla, GuLoader, LokiBot, and Quasar RAT