Wish Stealer, a new Node.js-based malware, targets Windows users by stealing sensitive data from Discord, browsers, and cryptocurrency wallets.
The malware hijacks user sessions, escalates privileges, and disables antivirus to remain undetected; it extracts login credentials, cookies, and credit card details and monitors 2FA codes.
It is a Node.js-based stealer that targets Windows users and harvests sensitive data from applications including Discord, browsers, and cryptocurrency wallets, using techniques such as privilege escalation to reach user sessions and extract personal information, which makes it a significant security risk.
The malware silently monitors the victim’s clipboard every three seconds, replacing detected cryptocurrency wallet addresses with the attacker’s address, which puts the victim at risk of financial loss by redirecting funds to the attacker’s wallet.
The operators also deploy a malicious PowerShell script to steal cryptocurrency: it intercepts transactions and redirects them to attacker-controlled addresses through clipboard manipulation. The modular codebase includes anti-detection and browser-stealing functions designed for stealthy attacks.
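A defender-side check for the clipboard hijacking described above, as an added example that is not part of the original article or the malware: it replays a constructed clipboard polling log and flags the tell-tale pattern of one wallet address being silently replaced by a different address of the same type within a few seconds. The address regexes and the sample log are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Address formats checked (constructed for this example; not exhaustive).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the wallet type if the clipboard text looks like an address, else None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_swaps(samples, window_seconds=5):
    """samples: list of (timestamp, clipboard_text) taken by periodic polling.

    Raises an alert when an address is replaced by a *different* address of the
    same type within `window_seconds`, which is what a 3-second clipboard
    hijacker produces. A user pasting two addresses within seconds would also
    trigger it, so treat alerts as leads to investigate, not proof.
    """
    alerts = []
    prev_ts, prev_text, prev_kind = None, None, None
    for ts, raw in samples:
        text = raw.strip()
        kind = classify(text)
        if (kind is not None and kind == prev_kind and text != prev_text
                and ts - prev_ts <= timedelta(seconds=window_seconds)):
            alerts.append({"at": ts, "kind": kind,
                           "original": prev_text, "replaced_with": text})
        prev_ts, prev_text, prev_kind = ts, text, kind
    return alerts


# Constructed clipboard log: a plain string, then an ETH address that changes
# three seconds later without user action, then an unrelated BTC copy later.
T0 = datetime(2024, 10, 1, 12, 0, 0)
SAMPLE_CLIPBOARD_LOG = [
    (T0, "meeting notes"),
    (T0 + timedelta(seconds=3), "0x" + "a" * 40),   # user's own address (constructed)
    (T0 + timedelta(seconds=6), "0x" + "b" * 40),   # swapped address (constructed)
    (T0 + timedelta(seconds=9), "0x" + "b" * 40),   # unchanged, no new alert
    (T0 + timedelta(minutes=2), "1" + "A" * 30),    # different type, no alert
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_CLIPBOARD_LOG):
        print(f"{alert['at']}: {alert['kind']} address {alert['original']} "
              f"replaced with {alert['replaced_with']}")
```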
The malware employs anti-VM techniques to evade analysis, terminating execution in virtual environments, and targets Chromium-based browsers, stealing encrypted data such as cookies, passwords, and bookmarks, which it decrypts and transmits to the attackers via Discord webhooks.
It scans the victim’s system for confidential keywords and file extensions related to financial as well as personal data and then exfiltrates the discovered information to a remote server without alerting the user, compromising their sensitive data.
The malware copies itself to the `$APPDATA` folder, masks itself as a legitimate Windows service, persists on system boot, and steals session cookies from popular social media apps, bypassing two-factor authentication and granting unauthorized access to victim accounts.
Its wallet targeting covers both standalone wallet software and browser extensions: it steals sensitive data such as private keys and seed phrases by reading offline data folders or compromising browser extensions, potentially causing significant financial losses for victims.
The stealer archives stolen data as “wish.zip” in a temporary folder and uploads it to Gofile.io using the uploadGofile function, and then sends the download link to the attacker’s Discord server via the webhook API.
The Node.js server generated a ZIP file containing sensitive data, including system information and potentially personal data extracted from Discord accounts via malicious JavaScript injection.
The Wish Stealer malware was released in October 2024 and promoted by a threat actor group on Discord since late September 2024, likely using YouTube profiles to further their operations.
According to Cyfirma, it is a sophisticated Node.js malware that targets Windows users, stealing sensitive data using advanced techniques like session hijacking and privilege escalation to bypass security and exfiltrate credentials.
Organizations should implement comprehensive endpoint security measures, including up-to-date antivirus, EDR solutions, application whitelisting, MFA, and regular software updates.
They should also train users to recognize threats, restrict script execution, secure critical data, enable network monitoring, and maintain regular backups to mitigate the risk from malware attacks.