
“Wish Stealer” Malware Uncovered: Major Security Threat Revealed!


A new Node.js-based malware dubbed “Wish Stealer” has surfaced, targeting Windows users to exfiltrate sensitive data from Discord, Chromium-based browsers, and cryptocurrency wallets.

According to a post from Cyberfeeddigest, the malware was first observed in October 2024 and has been promoted by threat actors on Discord since late September 2024. It employs evasion techniques, session hijacking, and clipboard manipulation to compromise victims.

Technical Overview of the Attack

Wish Stealer operates through a modular Node.js framework, executing stealthy attacks via:

  • Session Hijacking: This technique extracts cookies, login credentials, and session tokens from Discord, Chromium browsers (Chrome, Edge), and platforms like Spotify, TikTok, and Epic Games, bypassing two-factor authentication (2FA).
  • Cryptocurrency Wallet Targeting: Monitors clipboards every 3 seconds, replacing copied wallet addresses with attacker-controlled ones. It also steals private keys and seed phrases from wallets like MetaMask, Trust Wallet, and Coinbase by accessing offline data folders and browser extensions.
  • Privilege Escalation: Gains administrative access to disable Windows Defender, terminate debugging tools, and evade virtual machine (VM) analysis.
  • Data Exfiltration: Archives stolen data (passwords, credit card details, browser history) into wish.zip, uploads it to Gofile.io via API, and shares the download link via Discord webhooks.

Attack Vectors and Evasion Techniques

The malware employs multi-stage tactics to avoid detection:

  1. Initial Infection: Distributed via malvertising, phishing, or Discord promotions. A PowerShell script deploys the malware, which copies itself to %APPDATA%\Microsoft\Protect\WindowsSecurityHealthService.exe and establishes persistence via Windows Registry Run keys.
  2. Anti-Analysis Measures:
    • Terminates execution in VM environments.
    • Hides console windows and process activity.
    • Masquerades as a legitimate Windows service.
  3. Data Harvesting: Scans for files with extensions like .doc, .pdf, and .db, and searches for keywords (e.g., “crypto,” “backup codes”) to exfiltrate financial and personal data.

Impact on Victims

  • Financial Theft: Redirects cryptocurrency transactions via clipboard manipulation, leading to irreversible losses.
  • Account Takeovers: Uses stolen Discord and social media cookies to hijack accounts, even with 2FA enabled.
  • Corporate Espionage: Targets enterprises by extracting confidential documents and credentials stored in browsers.

Indicators of Compromise (IoCs)

Indicator | Type | Purpose
hxxps://github[.]com/k4itrun/wish | GitHub Repository | Malware source code
contact@w1sh[.]xyz | Email | Threat actor contact
hxxps://discord[.]com/invite/BYANEGfyCu | Discord Server | C2 communication
7ef9df7a5a4931c6f1bbc9aea0fea977 | MD5 Hash | Malware sample linked to Wish Stealer

Mitigation Recommendations

  • Endpoint Detection and Response (EDR): Deploy solutions to monitor for suspicious Node.js processes or registry modifications.
  • Application Whitelisting: Block unauthorized scripts, particularly PowerShell and Node.js executables.
  • Multi-Factor Authentication (MFA): Enforce MFA for critical accounts (e.g., Discord, crypto wallets).
  • Network Monitoring: Flag outbound connections to Discord webhooks or Gofile.io.
  • User Training: Educate teams on phishing tactics and malvertising red flags.
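As an added example that is not part of the article or of any vendor's tooling, the following Python snippet turns the behaviours listed under "Attack Vectors and Evasion Techniques" and the monitoring advice in the mitigation list into concrete detection rules and runs them over constructed endpoint telemetry. The persistence path, the wish.zip staging archive, the Gofile.io host and the sample MD5 come from the article; the event field names (type, key, data, image, parent_image, dest_host, url, path, md5), the sample events, and the Discord webhook URL prefix pattern are assumptions made for this example.

```python
"""Detection rules for the Wish Stealer behaviours described in the article,
evaluated over constructed endpoint telemetry (not real logs)."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Indicators taken from the article: persistence path the dropper copies the
# binary to, staging archive name, exfiltration file host, sample MD5.
PERSISTENCE_PATH = r"\microsoft\protect\windowssecurityhealthservice.exe"
STAGING_ARCHIVE = "wish.zip"
EXFIL_HOSTS = ("gofile.io",)
KNOWN_MD5 = {"7ef9df7a5a4931c6f1bbc9aea0fea977"}

# Standard Discord webhook URL prefix (general knowledge, not from the article).
DISCORD_WEBHOOK = re.compile(
    r"^https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/", re.I)
# Autostart registry keys the article says the malware writes to.
RUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?$", re.I)


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def check_event(ev: dict) -> list[Alert]:
    """Apply every rule to one telemetry event; returns zero or more alerts."""
    alerts: list[Alert] = []
    kind = ev.get("type")
    if kind == "registry":
        # Run-key persistence pointing at the masqueraded service binary.
        key, data = ev.get("key", ""), ev.get("data", "")
        if RUN_KEY.search(key) and PERSISTENCE_PATH in data.lower():
            alerts.append(Alert("persistence_run_key", f"{key} -> {data}"))
    elif kind == "process":
        image = ev.get("image", "").lower()
        parent = ev.get("parent_image", "").lower()
        if image.endswith(PERSISTENCE_PATH):
            alerts.append(Alert("execution_from_persistence_path", ev["image"]))
        elif parent.endswith("powershell.exe") and image.endswith("node.exe"):
            # The dropper is a PowerShell script that launches the Node.js payload.
            alerts.append(Alert("powershell_spawns_node", f"{parent} -> {image}"))
    elif kind == "network":
        host = ev.get("dest_host", "").lower()
        url = ev.get("url", "")
        if any(host == h or host.endswith("." + h) for h in EXFIL_HOSTS):
            alerts.append(Alert("exfil_to_file_host", host))
        if DISCORD_WEBHOOK.match(url):
            # Only webhook POSTs are flagged; ordinary Discord traffic is not.
            alerts.append(Alert("discord_webhook_post", url))
    elif kind == "file":
        name = ntpath.basename(ev.get("path", "")).lower()
        if name == STAGING_ARCHIVE:
            alerts.append(Alert("staging_archive_created", ev["path"]))
        if ev.get("md5", "").lower() in KNOWN_MD5:
            alerts.append(Alert("known_sample_hash", ev["md5"]))
    return alerts


def scan(events: list[dict]) -> list[Alert]:
    """Run check_event over a batch of events and flatten the alerts."""
    return [a for ev in events for a in check_event(ev)]


# Constructed telemetry: seven malicious events plus two benign ones.
SAMPLE_EVENTS = [
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\alice\AppData\Roaming\Microsoft\Protect\WindowsSecurityHealthService.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe"},                      # benign
    {"type": "process", "image": r"C:\Program Files\nodejs\node.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process",
     "image": r"C:\Users\alice\AppData\Roaming\Microsoft\Protect\WindowsSecurityHealthService.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\wish.zip"},
    {"type": "network", "dest_host": "api.gofile.io", "url": "https://api.gofile.io/"},
    {"type": "network", "dest_host": "discord.com",
     "url": "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN"},
    {"type": "network", "dest_host": "discord.com", "url": "https://discord.com/"},  # benign
    {"type": "file", "path": r"C:\Users\alice\Downloads\setup.exe",
     "md5": "7ef9df7a5a4931c6f1bbc9aea0fea977"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

The rules are deliberately narrow (exact persistence path, exact archive name, webhook URL prefix) so that they stay low-noise on hosts where Node.js and Discord are legitimately used; the PowerShell-to-node.exe rule is the one most likely to need tuning in developer environments.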

CYFIRMA researchers warn that Wish Stealer’s modular design and active promotion by groups like “Aurita Stealer” signify a rising trend in credential-focused malware.

Organizations and individuals are urged to adopt layered defenses to mitigate this evolving threat.
