VYPR Research · Published May 22, 2026 · 1 source

Cross-Platform Node.js Stealer Targets Browser Credentials and Crypto Wallets on Windows, macOS, and Linux

SANS ISC analysts have dissected a cross-platform Node.js stealer that targets browser credentials and cryptocurrency wallet extensions across Windows (WSL), macOS, and Linux systems.

A newly analyzed cross-platform Node.js stealer is targeting browser credentials and cryptocurrency wallet extensions across Windows (WSL), macOS, and Linux, according to a detailed analysis published by the SANS Internet Storm Center. The malware, identified by SHA256 hash 049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9, uses obfuscation.io-style code to hide its wrapper but embeds its malicious payloads in plaintext, making static analysis feasible.

The stealer's first payload is a browser credential harvester that supports an extensive list of Chromium-based browsers, including Chrome, Brave, Edge, Opera, Opera GX, Vivaldi, Kiwi, Yandex, Iridium, Comodo Dragon, SRWare Iron, Chromium, and AVG Browser. It targets the standard `User Data` directories on Windows via the WSL path `/mnt/c/Users/${windowsUsername}/AppData/Local`, indicating the malware is designed to run on Windows Subsystem for Linux as well as native Linux and macOS environments.

Beyond credential theft, the malware specifically targets cryptocurrency wallet browser extensions by their Chrome extension IDs. The list includes 40 extension IDs corresponding to popular wallets such as MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Exodus, Ledger, Trezor, and many others. This dual focus on credentials and crypto assets suggests the stealer is designed for financial gain, likely aiming to drain both account access and cryptocurrency holdings.

The second payload is a recursive file exfiltration scanner that searches the victim's filesystem for sensitive files by name or extension. The pattern list is extensive, covering keywords like `.keystore`, `bank`, `financ`, `.env`, `config`, `metamask`, `phantom`, `bitcoin`, `ethereum`, `seedphrase`, `mnemonic`, `privatekey`, `password`, `credential`, `token`, `api_key`, and many more. This scanner targets configuration files, private keys, seed phrases, and authentication tokens, effectively aiming to steal any data that could grant access to online accounts or cryptocurrency wallets.

Data exfiltration is performed over port 8085, though the exact protocol is not detailed in the analysis. The SANS ISC analyst noted that the file did not run properly in a sandbox, so only static analysis was performed. The obfuscation technique, typical of obfuscation.io, involves a very long array of small Base64-encoded strings and low-level decoder functions that perform arithmetic operations.
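As an added illustration (not code from the ISC analysis or from the sample itself), the Python triage script below scans a Node.js source file for the plaintext indicators described above: the WSL profile path, Chromium `User Data` directories, extension-ID-shaped string literals, the sensitive-file keyword list, port 8085, and an obfuscator-style array of short Base64 strings. The embedded JavaScript and its extension IDs are constructed placeholders, and the scoring threshold is an assumption.

```python
import re

# Constructed sample (not the real malware) of a Node.js script carrying the
# plaintext indicators the write-up describes; the extension IDs are placeholders.
SAMPLE_JS = (
    "var _0x = [" + ",".join("'Q2hyb21l'" for _ in range(25)) + "];\n"
    "const base = `/mnt/c/Users/${windowsUsername}/AppData/Local`;\n"
    'const browsers = ["Google/Chrome/User Data", "BraveSoftware/Brave-Browser/User Data"];\n'
    'const wallets = ["aaaabbbbccccddddeeeeffffgggghhhh", "ppppoooonnnnmmmmllllkkkkjjjjiiii"];\n'
    'const patterns = [".keystore", "seedphrase", "mnemonic", "privatekey", "api_key"];\n'
    'const net = require("net"); const sock = net.connect(8085, host);\n'
)

# Each indicator maps to a regex; one hit alone is weak, several together are not.
INDICATORS = {
    "wsl_windows_profile": re.compile(r"/mnt/c/Users/"),
    "chromium_user_data": re.compile(r"User Data"),
    "sensitive_file_keywords": re.compile(
        r"seedphrase|mnemonic|privatekey|\.keystore|api_key", re.I),
    "exfil_port_8085": re.compile(r"\b8085\b"),
    # Obfuscator-style wrapper: an array of 20 or more short Base64-looking literals.
    "obfuscator_string_array": re.compile(
        r"\[\s*(?:'[A-Za-z0-9+/=]{4,32}'\s*,\s*){20,}"),
}
# Chrome extension IDs are exactly 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"""["']([a-p]{32})["']""")


def triage_script(source: str, threshold: int = 3) -> dict:
    """Return indicator hits, a score and a verdict for one script's text."""
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}
    # Two or more distinct extension-ID-shaped literals suggest a wallet target list.
    hits["wallet_extension_ids"] = len(set(EXT_ID_RE.findall(source))) >= 2
    score = sum(hits.values())
    return {"hits": hits, "score": score,
            "verdict": "suspicious" if score >= threshold else "benign"}


if __name__ == "__main__":
    result = triage_script(SAMPLE_JS)
    for name, hit in result["hits"].items():
        print(f"{name:26s} {'HIT' if hit else '-'}")
    print("score:", result["score"], "verdict:", result["verdict"])
```

Run it against a suspect `.js` file's contents instead of `SAMPLE_JS` to get a quick static verdict before deeper analysis; a benign Node.js server script scores zero.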

While the stealer's cross-platform design is notable, the fact that the payloads are embedded in plaintext makes detection and analysis more straightforward for defenders. However, the broad targeting of both credentials and crypto wallets across multiple operating systems makes this a significant threat for individuals and organizations alike. Users are advised to enable multi-factor authentication, use hardware wallets for cryptocurrency storage, and monitor for unusual outbound connections on port 8085.

Synthesized by Vypr AI