VYPR
Research · Published Jun 2, 2026 · 1 source

SolyxImmortal Malware Targets Turkish Users with Python-Based Data Theft

A new Python-based malware, SolyxImmortal, is actively stealing browser passwords, cookies, files, and keystrokes from Windows systems, with a notable focus on Turkish-speaking users.

A sophisticated new malware strain named SolyxImmortal has emerged, employing Python to pilfer sensitive data from Windows systems. Researchers have observed this malware targeting Turkish-speaking users specifically, embedding Turkish keywords related to banking and email services within its code to trigger targeted screenshot captures. This indicates a highly customized approach by the threat actors behind SolyxImmortal.

The malware operates with stealth and efficiency, utilizing multi-threading to perform its malicious tasks concurrently without raising immediate suspicion. Once executed, SolyxImmortal copies itself to the user's APPDATA folder, masquerading as a legitimate Windows graphics driver file. It then establishes persistence by creating a registry key, ensuring it launches automatically with every system startup.

SolyxImmortal's data theft capabilities are extensive. It targets saved credentials from popular Chromium-based browsers like Chrome, Edge, Brave, and OperaGX by accessing and decrypting their local password databases. Stolen credentials are saved in a file named 'sifreler.txt,' which translates to 'passwords' in Turkish. Furthermore, the malware collects cookies from Firefox and systematically searches user directories for documents in common formats such as .txt, .pdf, .docx, and .xlsx.

Beyond credential and file theft, SolyxImmortal functions as a potent keylogger, capturing every keystroke in real time. The captured data is periodically packaged into JSON blobs and transmitted to the attackers. The malware also takes routine screenshots every two minutes and captures an immediate screenshot whenever one of its sensitive keywords appears in the active window's title, further enhancing its espionage capabilities.

Data exfiltration is handled discreetly through Discord webhooks. Stolen information is packaged and sent directly to an attacker-controlled Discord channel, blending malicious traffic with legitimate user activity. Malware authors increasingly favor this method because Discord traffic is common and rarely blocked by firewalls.

To evade detection, SolyxImmortal employs several obfuscation techniques. It names its executable 'win_gfx_driver.exe' and sets the file's hidden and system attributes, so it does not appear in a default File Explorer listing. The persistence registry key, named 'WindowsGfxDriver,' also mimics legitimate system components, potentially bypassing casual security checks.
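As an added example, not code from the original report, the following Python hunt scores the host-side indicators named above (the APPDATA drop of win_gfx_driver.exe, the WindowsGfxDriver Run-key value, the sifreler.txt credential dump, and Discord webhook traffic) over constructed Sysmon-style events; the event field names, point values and threshold are assumptions to adapt to your own telemetry schema.

```python
import re
# Indicators named in the write-up: dropped file, persistence value name,
# Turkish-named credential dump and Discord webhook exfiltration.
DROPPED_EXE = "win_gfx_driver.exe"
RUN_VALUE = "WindowsGfxDriver"
CRED_DUMP = "sifreler.txt"
WEBHOOK_RE = re.compile(r"discord(app)?\.com/api/webhooks/", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)

def score_event(ev):
    """Return (points, reason) if one event matches an indicator, else None."""
    kind = ev.get("type")
    if kind == "file_create":
        path = ev["path"].lower()
        if path.endswith(DROPPED_EXE) and "\\appdata\\" in path:
            return 3, "executable dropped into APPDATA as " + DROPPED_EXE
        if path.endswith(CRED_DUMP):
            return 2, "credential dump written as " + CRED_DUMP
    elif kind == "registry_set":
        target = ev["target"]
        if RUN_KEY_RE.search(target) and target.endswith("\\" + RUN_VALUE):
            return 3, "Run-key persistence value " + RUN_VALUE
    elif kind == "network" and WEBHOOK_RE.search(ev.get("url", "")):
        return 2, "outbound Discord webhook request"
    return None

def hunt(events, threshold=5):
    """Sum indicator points per process; report processes at or above threshold."""
    findings = {}
    for ev in events:
        hit = score_event(ev)
        if hit:
            f = findings.setdefault(ev["pid"], {"score": 0, "reasons": []})
            f["score"] += hit[0]
            f["reasons"].append(hit[1])
    return {pid: f for pid, f in findings.items() if f["score"] >= threshold}

# Constructed sample telemetry (assumed schema): one suspect process (pid 4242)
# plus benign noise, including a same-named file outside APPDATA.
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 4242, "path": r"C:\Users\ali\AppData\Roaming\win_gfx_driver.exe"},
    {"type": "registry_set", "pid": 4242, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsGfxDriver"},
    {"type": "file_create", "pid": 4242, "path": r"C:\Users\ali\AppData\Roaming\sifreler.txt"},
    {"type": "network", "pid": 4242, "url": "https://discord.com/api/webhooks/0000/PLACEHOLDER"},
    {"type": "file_create", "pid": 7001, "path": r"C:\Program Files\Vendor\win_gfx_driver.exe"},
    {"type": "network", "pid": 7002, "url": "https://discord.com/channels/0000"},
]
if __name__ == "__main__":
    for pid, f in hunt(SAMPLE_EVENTS).items():
        print(pid, f["score"], "; ".join(f["reasons"]))
```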

While the analyzed sample lacked active webhook URLs, previous reports confirm that live versions utilize real Discord endpoints for data exfiltration. The malware's small file size, just over 10,000 bytes, belies its significant potential for harm, making it a concerning threat for its targeted user base.

Synthesized by Vypr AI