Hackers Selling GlorySprout Malware in Underground Fourm for $300

GlorySprout stealer, advertised on the XSS forum in early March 2024, is a C++ stealer sold for $300 with lifetime access and temporary payload encryption, that includes a loader, anti-CIS execution, and a non-functional grabber module. 

Taurus Stealer, a C++ stealer with a Golang panel, emerged for sale on XSS in April 2020 and shared similarities with Predator Stealer in encryption, bot ID format, anti-VM features, and code naming conventions. 

There is mention of anti-VM and keylogging functionalities, but their existence has not been confirmed. Additionally, the stealer enables log backup and the ability to ban certain countries or IPs. It has been recognized as a clone of Taurus Stealer.

Taurus Stealer panel

It also reportedly ended development in 2021, but cracked versions and possibly leaked source code have surfaced on Telegram, potentially explaining the continued circulation. 

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

Technical Analysis of the GlorySprout 

According to RussianPanda, a Senior Threat Intelligence researcher, eSentire, GlorySprout dynamically resolves APIs by hashing them using operations like multiplication, addition, and XOR and shifting target system libraries like shell32.dll and wininet.dll. 

GlorySprout panel

It uses specific offsets to access these hashed API values and implements anti-analysis techniques by checking for specific language identifiers and obfuscating strings using XOR and arithmetic operations. 

 hashing process involves operations such as multiplication, addition, XOR, and shifting

GlorySprout creates persistence via a scheduled task named “\WindowsDefender\Updater” that executes a secondary payload dropped in the %TEMP% folder. 

It also uses a function to generate random strings for various purposes, including filenames and RC4 keys, but this function might not be truly random, whereas the C2 address for communication is retrieved from the resource section of the unpacked payload.  

An infected machine communicates with the C2 server on port 80 disguised as a browser and sends a POST request with an encrypted BotID and a predefined user agent. 

The RC4 key for encryption is generated with a constant initial state value, resulting in the same key for every check-in and the server responds with an encrypted configuration detailing data to steal (browser history, wallets, etc.) and further actions (downloading secondary payload, self-deletion). 

The machine harvests data, encrypts it with the received RC4 key and sends it back to the server. Upon receiving a success message, the machine signals completion and potentially downloads another malicious payload. 

Indicators Of Compromise

GlorySprout, a stealer program written in Golang, utilizes SQL databases likely processed through the sqlx library and the analysis of the database reveals mentions of “taurus,”  suggesting GlorySprout is a clone of the Taurus Stealer code. 

Decrypted browser passwords are found in logs stored in General/forms.txt, indicating server-side decryption. 

GlorySprout differs from Taurus Stealer in that it does not download additional DLLs and lacks anti-VM features, which suggests GlorySprout may not achieve the same level of popularity as other stealers. 

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *