Hybrid Analysis researchers have identified "Shuyal," a new infostealer that harvests credentials from 19 browsers, including privacy-focused ones, alongside system data, and that combines this with system reconnaissance and defense evasion techniques.
Shuyal, named after identifiers in its executable's PDB path, targets a wide range of browsers, from mainstream ones such as Chrome and Edge to privacy-oriented browsers like Tor. Credential theft is standard for stealers; Shuyal goes further, carrying out system reconnaissance that catalogues disk drives, input devices and display configuration, and it also captures screenshots and clipboard content. Everything collected, including any stolen Discord tokens, is exfiltrated through a Telegram bot.
The malware also includes defense evasion. One notable technique is killing Windows Task Manager and then preventing it from relaunching by setting the DisableTaskMgr registry value, the same policy value administrators use to lock Task Manager, which leaves the user with no obvious way to spot or end the process. Shuyal also covers its tracks: once its main tasks finish, it runs a batch file that deletes traces of its activity, reducing the forensic footprint on the host. The cleanup is not total, however; the DisableTaskMgr value and the copy it places in the Startup folder for persistence are artifacts that responders can still look for.
In addition to Chrome, Edge, and Tor, Shuyal's target list covers Brave, Opera, OperaGx, Yandex, Vivaldi, Chromium, Waterfox, Epic, Comodo, Slimjet, Coccoc, Maxthon, 360browser, Ur, Avast, and Falko. Its operational sequence is to read browser and system information and ship it to attacker-controlled infrastructure, in this case a Telegram bot. Hybrid Analysis describes its evasion methods as unusually stealthy.
On execution, Shuyal first disables Windows Task Manager. It then attempts to read saved login credentials from each browser on its target list, and spawns several child processes to collect hardware details: the model and serial numbers of the disk drives, the keyboard and mouse installed on the machine, and the monitor attached to it.
At the same time it takes a screenshot of the active display and reads whatever is in the system clipboard. It then uses PowerShell to compress a folder under %TEMP% that holds the data awaiting exfiltration, and sends the result through a Telegram bot. To stay hidden, it deletes the files it created from the browsers' databases and everything in its runtime directory that has already been exfiltrated. For persistence it copies itself to the Startup folder.
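The artifacts described above (the DisableTaskMgr lockout, the Startup-folder copy, the staging archive under %TEMP% and the PowerShell compression step) are all things a responder can check for on a host. The following triage script is an added example and is not code from Hybrid Analysis or from the Shuyal write-up. It assumes the standard Policies\System location of the DisableTaskMgr value, a seven-day lookback window, that the staging archive is a common archive type, and that the compression step shows up as Compress-Archive in PowerShell script-block logs; none of those specifics are stated on the page.

```powershell
# Added host triage for the Shuyal artifacts described in the article.
# Not the malware's code and not from the Hybrid Analysis post; assumptions are marked inline.

$cutoff   = (Get-Date).AddDays(-7)          # assumption: 7-day lookback window
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Task Manager lockout. DisableTaskMgr is a standard Windows policy value; a DWORD of 1
#    under either hive stops taskmgr.exe from launching.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    $val = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($val -and $val.DisableTaskMgr -eq 1) {
        Add-Finding 'DisableTaskMgr' "$key\DisableTaskMgr = 1"
    }
}

# 2. Startup-folder persistence: runnable files dropped into either Startup folder recently.
$runnable = '.exe', '.bat', '.cmd', '.vbs', '.js', '.ps1', '.lnk'
foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    Get-ChildItem -Path $path -File -ErrorAction SilentlyContinue |
        Where-Object { $runnable -contains $_.Extension -and $_.CreationTime -gt $cutoff } |
        ForEach-Object { Add-Finding 'StartupPersistence' "$($_.FullName) created $($_.CreationTime)" }
}

# 3. Staging archive: the stealer compresses a %TEMP% folder before sending it to Telegram.
#    Assumption: the archive type is not given on the page; .zip is what Compress-Archive
#    produces, the others are checked for completeness.
Get-ChildItem -Path $env:TEMP -File -ErrorAction SilentlyContinue |
    Where-Object { ('.zip', '.7z', '.rar') -contains $_.Extension -and $_.CreationTime -gt $cutoff } |
    ForEach-Object { Add-Finding 'TempArchive' "$($_.FullName) ($($_.Length) bytes)" }

# 4. PowerShell script-block logs (event 4104) that compress a %TEMP% path.
#    Requires script-block logging to be enabled; silently skipped otherwise.
#    Assumption: the page says only "PowerShell"; Compress-Archive is the obvious cmdlet.
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $cutoff }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Compress-Archive' -and $_.Message -match '\\Temp\\|\$env:TEMP' } |
    ForEach-Object { Add-Finding 'PowerShellCompress' "Event $($_.Id) at $($_.TimeCreated)" }

if ($findings.Count -eq 0) {
    'No Shuyal-style artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}

# Remediation for the lockout, once the host is contained and artifacts are preserved
# (run in the affected user's context, or elevated for HKLM):
#   Remove-ItemProperty -Path <policy key> -Name DisableTaskMgr
```

Run it in the logged-on user's session, since the HKCU hive, the per-user Startup folder and %TEMP% all belong to that user; collect the listed files and a registry export before removing anything, because the stealer's own batch-file cleanup means the %TEMP% archive may already be gone while the policy value and Startup copy remain.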
The infostealer landscape keeps shifting, partly in response to law enforcement action. An FBI operation in May disrupted the Lumma stealer, but the disruption appears to have been temporary, with the criminals behind Lumma seemingly regaining strength.
Hybrid Analysis did not disclose how attackers distribute Shuyal. Other stealers have historically spread through social media posts, phishing campaigns and fake CAPTCHA pages. Infostealers frequently precede larger attacks such as ransomware deployment or business email compromise (BEC), so a stealer infection is a broader enterprise risk rather than a single-user problem.
Given these risks, Hybrid Analysis recommends that defenders use the details in its blog post on Shuyal to build better detection and defenses. The post includes a list of indicators of compromise (IOCs) covering the files the stealer creates, the processes it spawns, and the address of the Telegram bot it uses for exfiltration.