Celestial Stealer: Sophisticated Malware Hijacking Your Logins

Researchers discovered Celestial Stealer, a feature-rich JavaScript infostealer offered as a Malware-as-a-Service (MaaS) on Telegram, which comes in two variants: an Electron application and a NodeJS single application, both designed to target Windows 10 and 11 systems.  

The malware’s extensive data theft functionalities can be accessed by prospective buyers through a variety of subscription tiers, including weekly, monthly, and lifetime subscriptions.

It exhibits comprehensive targeting capabilities, encompassing not only Chromium- and Gecko-based browsers but also popular applications like Steam and Telegram, and cryptocurrency wallets including Atomic and Exodus.

Service provider account on Telegram

To achieve this data exfiltration, the malware utilizes covert techniques to steal a wide range of sensitive information, including cookies, autofilled data, saved passwords, credit card details, and browsing history. 

It even gathers details on visited URLs and how frequently they are accessed.

Researchers observed, however, that Celestial Stealer, at the time of their report, lacked the capability to bypass the app-bound encryption implemented within Chromium-based browsers.

Users of Chrome and other Chromium-based browsers therefore have a ready mitigation: keep the browser on the most recent security updates so that this encryption remains in place.

Subscription options seen on sellix.io website

Beyond its browser-targeting capabilities, Celestial Stealer poses a significant threat due to its ability to bypass security measures within popular applications like Steam and cryptocurrency wallets.

This allows the malware to pilfer sensitive data such as cryptocurrency wallet credentials or Steam login information, potentially resulting in substantial financial losses for victims.

The availability of Celestial Stealer as a MaaS offering on Telegram significantly reduces the barrier to entry for cybercriminals, as it eliminates the need for them to possess advanced malware development expertise. 

Fake error message being displayed

This makes it even more critical for users and organizations to implement robust security measures, which include keeping software applications updated, employing strong passwords and multi-factor authentication, and remaining vigilant about suspicious links or attachments.

However, Celestial Stealer isn't invincible: researchers identified a potential chink in its armor, namely its inability to bypass the app-bound encryption employed by Chromium-based browsers. This underscores the importance of keeping software up to date, as browser vendors continuously release security patches to address vulnerabilities.

Organizations can leverage endpoint detection and response (EDR) solutions to proactively identify and contain malware infections within their networks, while security researchers recommend employing browser extensions specifically designed to detect and block malicious injections. 

Infection chain

Such extensions can provide an additional layer of protection against attacks that target vulnerabilities within web browsers. It is also crucial to exercise caution when downloading files or clicking on links from untrusted sources, as these are common entry points for malware infections.

According to Trellix, by implementing a layered security approach that combines application whitelisting, EDR solutions, and user education on safe browsing practices, organizations can significantly reduce their attack surface and mitigate the risks posed by MaaS offerings like Celestial Stealer. 

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
