Full Report
In this investigation, we tracked a malware spam campaign that ultimately delivers Stealerium, a modular .NET infostealer with a broad feature set: credential theft, keylogging, file grabbing, webcam capture, clipboard hijacking, and Telegram‑assisted operator notifications and exfiltration.
Analysis Summary
# Tool/Technique: Stealerium
## Overview
Stealerium is a modular .NET infostealer distributed via a malware spam campaign. It is designed to achieve a broad range of illicit objectives on compromised systems, including credential theft, data exfiltration, and surveillance.
## Technical Details
- Type: Malware family (Infostealer)
- Platform: Windows (Inferred, as it is a common target for .NET stealers)
- Capabilities: Credential theft, keylogging, file grabbing, webcam capture, clipboard hijacking, Telegram-assisted C2 notifications/exfiltration.
- First Seen: Not specified in the provided context.
## MITRE ATT&CK Mapping
As direct mappings are not available in the text, the following are inferred based on the listed capabilities:
- **TA0001 - Initial Access** (likely associated with the "malware spam campaign")
- **TA0005 - Defense Evasion** (the modular design may support this)
- **TA0009 - Collection**
  - T1005 - Data from Local System
  - T1056.001 - Input Capture: Keylogging
  - T1113 - Screen Capture (if webcam capture is used for surveillance)
  - T1114.002 - Clipboard Data
- **TA0010 - Exfiltration**
  - T1567.002 - Exfiltration Over Web Service (implied by the use of Telegram for notification/exfiltration)
## Functionality
### Core Capabilities
* Credential theft.
* Keylogging.
* File grabbing (searching for and stealing specified files).
* Clipboard hijacking.
### Advanced Features
* Modular design suggesting extensibility and updates.
* Webcam capture capabilities for surveillance.
* Use of Telegram for operator notifications and data exfiltration (C2 communication/exfil channel).
## Indicators of Compromise
* File Hashes: [N/A - Not specified in context]
* File Names: [N/A - Not specified in context]
* Registry Keys: [N/A - Not specified in context]
* Network Indicators: Telegram used for communications/exfiltration (operators use Telegram for C2/exfil).
* Behavioral Indicators: Execution of keylogging, manipulation of the clipboard, initiating webcam streams, and outbound communication directed via Telegram.
## Associated Threat Actors
* The source describes a single observed campaign and names no specific threat actor; it states only that the malware is delivered via a "malware spam campaign."
## Detection Methods
* Signature-based detection: Matching on Stealerium file signatures or sample hashes, where those are available.
* Behavioral detection: Monitoring for attempts to capture keystrokes, hijack clipboard content, capture webcam data, or communicate out-of-band via services like Telegram for C2 activity.
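As an added example (not part of the original report), the Telegram-based behavioral indicator above can be checked against proxy logs: Telegram Bot API requests carry the bot token in the URL path (`/bot<id>:<secret>/<method>`), so an upload method such as `sendDocument` issued by a process that has no business talking to Telegram is a useful signal. The log format, hostnames, process names, allow-list and bot token below are all constructed.

```python
import re
from dataclasses import dataclass

# Telegram Bot API URLs look like https://api.telegram.org/bot<id>:<secret>/<method>.
# The token shape (digits, colon, ~35-char secret) is the documented format; the
# secret used in the sample log is a constructed placeholder.
TELEGRAM_HOST = "api.telegram.org"
BOT_PATH = re.compile(r"/bot(?P<token>\d{6,}:[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)")
# Methods a stealer would use to push stolen data or operator notifications.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo"}
# Processes for which user-driven Telegram traffic is plausible (assumption; tune per estate).
ALLOWED_PROCESSES = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

@dataclass
class Alert:
    host: str
    process: str
    method: str
    token_id: str  # numeric bot id only; the secret half is never stored in the alert

def parse_line(line):
    # Constructed proxy-log layout: "<timestamp> <host> <process> <verb> <url>"
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    _ts, host, process, _verb, url = parts
    return {"host": host, "process": process.lower(), "url": url}

def detect_telegram_exfil(lines):
    """Return one Alert per Telegram Bot API upload from a non-allow-listed process."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or TELEGRAM_HOST not in rec["url"]:
            continue
        m = BOT_PATH.search(rec["url"])
        if not m or m.group("method") not in EXFIL_METHODS:
            continue
        if rec["process"] in ALLOWED_PROCESSES:
            continue
        bot_id = m.group("token").split(":")[0]
        alerts.append(Alert(rec["host"], rec["process"], m.group("method"), bot_id))
    return alerts

# Constructed sample log: benign traffic, a legitimate Telegram client, then an
# unknown process pushing a file and a message through the Bot API.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z WS-042 svchost.exe GET https://www.microsoft.com/",
    "2024-05-01T10:00:05Z WS-042 Telegram.exe POST https://api.telegram.org/bot123456789:CONSTRUCTED_SECRET_PLACEHOLDER_0000/getUpdates",
    "2024-05-01T10:00:09Z WS-042 updater.exe POST https://api.telegram.org/bot123456789:CONSTRUCTED_SECRET_PLACEHOLDER_0000/sendDocument",
    "2024-05-01T10:00:12Z WS-042 updater.exe POST https://api.telegram.org/bot123456789:CONSTRUCTED_SECRET_PLACEHOLDER_0000/sendMessage",
]

if __name__ == "__main__":
    for a in detect_telegram_exfil(SAMPLE_LOG):
        print(f"{a.host}: {a.process} called {a.method} via bot {a.token_id}")
```

Because the same bot token is reused across a campaign, the numeric bot id in the alert is a convenient pivot for grouping hosts, while the secret half should be handled as an operator credential rather than written into tickets.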
## Mitigation Strategies
* Prevention measures: User training against links/attachments in spam campaigns. Email filtering to block malicious content.
* Hardening recommendations: Implementing application control to restrict execution of unsigned or suspicious .NET binaries. Monitoring for unexpected process behavior (e.g., an unassociated process accessing the webcam).
## Related Tools/Techniques
* Other .NET infostealers (e.g., RedLine, Vidar, Raccoon Stealer).
* Use of legitimate external services (like Telegram) for C2 communication and exfiltration.