SamsStealer Infostealer Attacks Windows Via Telegram

A new information stealer named SamsStealer has been discovered. It targets Windows systems, steals sensitive data from browsers (Chrome, Edge) and applications (Discord, cryptocurrency wallets), and silently extracts passwords, cookies, and wallet credentials.

The stolen information is compressed into a ZIP archive, uploaded to a file-sharing service, and the download link is sent to the attacker via Telegram. The breadth of data it collects and its quiet operation make it a serious threat.

SamsStealer is written in .NET and is distributed through a Telegram channel named SamsExploit.

Figure: the Telegram channel used to distribute SamsStealer

SamsStealer steals sensitive information from victim computers by targeting browsers and applications, including Chrome, Microsoft Edge, and Discord, and collecting passwords, cookies, and cryptocurrency wallet data.

The analysis below covers SamsStealer's characteristics, execution flow, targeted applications, the data it steals, its communication methods, and how it cleans up its traces after infection. Understanding how the malware works helps users and security professionals detect and defend against it.

OSINT Investigation Reveals Multiple SamsStealer Samples

SamsStealer collects a wide range of sensitive data from Windows systems: passwords, cookies, cryptocurrency wallet information (private keys and addresses), IP addresses, system information, and Discord and Telegram data.

It gathers this information from browsers (Chrome, Firefox, Opera, etc.) and applications (Discord, Telegram, etc.) and stores it in a temporary folder.

The malware collects data asynchronously for efficiency and handles the stolen data in a multi-step process: compressing it into a ZIP file, uploading the archive to an online file-sharing platform (gofile.io), and sending the download link to the attacker via Telegram.
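The exfiltration chain described above (an archive written under a temporary folder, an upload to gofile.io, then a link delivered over Telegram) is a sequence a detection engineer can hunt for in endpoint telemetry. The Python below is an added example written for this page; it is not Cyfirma's analysis code and nothing in it was recovered from the malware. It assumes a normalised per-host event stream of file-create and outbound-connection events (the sample lines are constructed, not real logs), that the upload goes to a gofile.io hostname, and that the Telegram notification is sent through the Bot API at api.telegram.org, which the report does not state.

```python
"""Hunt for the SamsStealer exfiltration chain in host telemetry.

Added example for this article, not Cyfirma's or the malware's code.
Assumptions: events arrive as "ts|host|kind|detail" lines, the upload hits a
gofile.io hostname, and the link is delivered via the Telegram Bot API
(api.telegram.org). The sample log below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str    # "file" (file created) or "net" (outbound destination)
    detail: str  # file path for "file", destination hostname for "net"


# gofile.io is named in the report; api.telegram.org (Bot API) is an assumption.
UPLOAD_DOMAINS = ("gofile.io",)
TELEGRAM_DOMAINS = ("api.telegram.org",)

# Constructed sample telemetry: one true chain (WS-017), an ordinary gofile.io
# visit (WS-022), a lone Bot API call (WS-031), and a chain that is too slow to
# fit the correlation window (WS-040).
SAMPLE_LOG = """\
2024-05-20T10:00:58Z|WS-017|file|C:\\Users\\bob\\AppData\\Local\\Temp\\xk3d\\Passwords.txt
2024-05-20T10:01:05Z|WS-017|file|C:\\Users\\bob\\AppData\\Local\\Temp\\xk3d\\out.zip
2024-05-20T10:01:09Z|WS-017|net|api.gofile.io
2024-05-20T10:01:12Z|WS-017|net|api.telegram.org
2024-05-20T10:03:00Z|WS-022|net|gofile.io
2024-05-20T10:03:30Z|WS-031|net|api.telegram.org
2024-05-20T10:05:00Z|WS-040|file|C:\\Users\\amy\\AppData\\Local\\Temp\\report.zip
2024-05-20T10:40:00Z|WS-040|net|api.gofile.io
2024-05-20T10:40:05Z|WS-040|net|api.telegram.org
"""


def parse_log_lines(text: str) -> List[Event]:
    """Parse the pipe-delimited event format assumed above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split("|", 3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, kind, detail))
    return events


def matches_domain(dest: str, domains: Iterable[str]) -> bool:
    """True if dest is one of the domains or a subdomain of one (api.gofile.io -> gofile.io)."""
    d = dest.lower().rstrip(".")
    return any(d == dom or d.endswith("." + dom) for dom in domains)


def is_temp_zip(path: str) -> bool:
    """A .zip written anywhere under a Temp/tmp directory, matching the staging step."""
    p = path.lower().replace("/", "\\")
    return p.endswith(".zip") and ("\\temp\\" in p or "\\tmp\\" in p)


def find_exfil_chains(events: List[Event], window: timedelta = timedelta(minutes=10)) -> List[Dict[str, str]]:
    """Return one finding per host where, within `window` of a temp-folder ZIP being
    created, the host contacts an upload domain and then the Telegram Bot API, in order."""
    by_host: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    findings: List[Dict[str, str]] = []
    for host, evs in by_host.items():
        for zip_ev in (e for e in evs if e.kind == "file" and is_temp_zip(e.detail)):
            deadline = zip_ev.ts + window
            upload = next((e for e in evs if e.kind == "net" and zip_ev.ts <= e.ts <= deadline
                           and matches_domain(e.detail, UPLOAD_DOMAINS)), None)
            if upload is None:
                continue
            notify = next((e for e in evs if e.kind == "net" and upload.ts <= e.ts <= deadline
                           and matches_domain(e.detail, TELEGRAM_DOMAINS)), None)
            if notify is None:
                continue
            findings.append({
                "host": host,
                "archive": zip_ev.detail,
                "upload": upload.detail,
                "notify": notify.detail,
                "first_seen": zip_ev.ts.isoformat(),
                "last_seen": notify.ts.isoformat(),
            })
            break  # one finding per host is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_exfil_chains(parse_log_lines(SAMPLE_LOG)):
        print(f"{f['host']}: {f['archive']} -> {f['upload']} -> {f['notify']} ({f['first_seen']}..{f['last_seen']})")
```

Ordering and the time window do the work here: a user who merely visits gofile.io (WS-022) or a single Bot API call (WS-031) never fires, and the slow sequence on WS-040 falls outside the window. The Bot API hostname is a useful signal because the Telegram desktop client talks to Telegram's MTProto servers rather than api.telegram.org, so a workstation reaching api.telegram.org seconds after a file-sharing upload is unusual; tune the window and domain lists to your own telemetry before relying on it.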

Figure: creation of the temporary folder

According to Cyfirma, the sample, disguised as "amsiwala," targets Windows systems; upon execution it creates a temporary folder and hides the console window.

The malware then gathers various information, including passwords, cookies, IP addresses, system details, messaging app data (Telegram), Discord information, and wallet information. 

It steals passwords and cookies from browsers like Chrome, Microsoft Edge, Brave, Chromium, EpicPrivacy, Opera, Opera GX, Vivaldi, and Yandex. The stolen data is formatted and stored in text files within the temporary folder for later exfiltration. 

Figure: cryptocurrency holdings targeted by the stealer

The stealer extracts Telegram session data by copying and compressing the relevant files, and for Discord it gathers account details and tokens that allow unauthorized access to the account.

It also steals cryptocurrency wallet data, acquiring private keys and wallet addresses from the known storage locations of wallets for currencies such as Bitcoin, Ethereum, and Zcash. Together, this gives attackers access to the victim's Telegram and Discord accounts and cryptocurrency holdings.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers cyber security incidents happening in cyberspace.
