Current Cyber Threats

Raven Stealer Unmasked: Telegram-Based Data Exfiltration

Summary:
Cyfirma's analysis reveals Raven Stealer as a rapidly spreading, lightweight information-stealing malware written in Delphi and C++ that targets Windows. It features a GUI that lets the operator generate a customized stub payload either in its original form or packed with UPX. The malware performs system-wide enumeration to locate stored credentials on the infected machine. It targets sensitive data such as passwords, cookies, payment details, cryptocurrency wallets, VPN clients, and gaming platforms from Chromium-based browsers with a minimal footprint on disk. The malware is promoted under the guise of educational use but exhibits clearly malicious functionality. It employs stealthy in-memory techniques and reflective process hollowing to evade detection, injecting its payload directly and bypassing Chromium's App-Bound Encryption. Additionally, Raven Stealer uses embedded Telegram bot tokens and chat IDs for exfiltration, zipping stolen data and sending it via the /sendDocument API. Its modular architecture and built-in resource editor let attackers embed configuration details, such as Telegram bot tokens and chat IDs, directly into the compiled payload. Distributed and marketed by the ZeroTrace Team through GitHub and Telegram, Raven Stealer represents a high-impact Malware-as-a-Service (MaaS) product for script kiddies, making cybercrime more accessible. Unlike Python-based stealers, the compiled binaries are UPX-packed for evasion, and the malware executes in a fully hidden state.

Security Officer Comments:
Raven Stealer exemplifies the new threat landscape where sophisticated functionalities are packaged into highly accessible tools and mass-marketed to cybercriminals, significantly lowering the barrier to entry for high-impact attacks. Its use of in-memory techniques and reflective process hollowing is an effective evasion tactic, making it particularly challenging for traditional EDR solutions that rely heavily on disk-based indicators or the triggering of user-land hooks. The shift from conventional C2 servers to Telegram-based exfiltration is a notable aspect of the campaign, offering attackers real-time data transmission, campaign management, and malware distribution that reduces infrastructure overhead and increases anonymity. This attack model, coupled with its distribution via the legitimate platform GitHub, solidifies its position as a compelling MaaS offering. The "educational use" guise, despite clear malicious intent, underscores the deceptive tactics employed by malware developers to avoid scrutiny and responsibility. Cybersecurity defenses should adapt to counter these stealthy, modular, and easily deployable threats, emphasizing proactive monitoring of less conventional C2 channels to detect and mitigate the impact of such stealers.

Suggested Corrections:
IOCs are available in the linked Cyfirma report.
  • Endpoint Detection & Response (EDR) and Antivirus
    • Deploy advanced EDR solutions capable of behavioral analysis to detect anomalous activities such as credential harvesting, ZIP file creation in temp directories, and clipboard access.
    • Ensure antivirus/antimalware software includes real-time protection and heuristic scanning to detect packed binaries (e.g., UPX-packed executables).
    • Use YARA rules to proactively hunt for known indicators associated with Raven Stealer, such as strings related to Telegram API usage and stolen data paths.
  • Network and TLS Traffic Monitoring
    • Monitor for outbound connections to api.telegram[.]org, especially from unusual processes or user directories, as this is a key C2 and exfiltration vector.
    • Deploy TLS/SSL inspection at the gateway level where legally and technically feasible, to identify suspicious encrypted traffic patterns.
    • Implement DNS filtering or IP-based blocking of Telegram C2 endpoints if Telegram is not required for business use.
  • Application Whitelisting and Execution Control
    • Restrict execution of unauthorized binaries, especially from %Temp%, %AppData%, and %LocalAppData% directories.
    • Prevent execution of binaries with high entropy or known packing signatures (e.g., UPX) in user-writable directories.
  • Email and Download Filtering
    • Configure email gateways to block executable attachments, archive files containing executables, or obscure formats (e.g., .3mf.exe) used to evade detection.
    • Employ browser sandboxing and download monitoring to prevent unauthorized payload delivery.
  • Credential Management and Browser Hardening
    • Advise users not to store credentials or payment information in browsers. Use enterprise password managers with MFA support.
    • Disable browser autofill and password saving features.
    • Regularly clear stored browser data and cookies across endpoints.
  • Telegram and GitHub Monitoring
    • Monitor and restrict the use of unauthorized Telegram applications on corporate systems. Implement DLP (Data Loss Prevention) to identify suspicious data movement.
    • Regularly scan GitHub and dark web platforms for new instances of Raven Stealer or associated ZeroTrace artifacts using threat intelligence feeds and code similarity detection tools.
  • User Awareness and Training
    • Conduct ongoing phishing simulation campaigns and train employees on malware delivery tactics like disguised executables (e.g., invoice.3mf.exe) and fake educational tools.
    • Warn users about the risks of downloading software from GitHub repositories without validation.
  • Incident Response Preparedness
    • Ensure incident response plans account for credential-stealing malware and C2 over encrypted messaging platforms.
    • In the event of detection, revoke all browser-stored credentials, invalidate sessions, and perform password resets.
    • Capture forensic images and logs for deeper analysis and evidence preservation.
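The network-monitoring and execution-control recommendations above combine into one detection: a process running from a user-writable directory (%Temp%, %AppData%, %LocalAppData%) connecting to api.telegram.org. The following is an added example, not code from the Cyfirma report; it runs over constructed Sysmon-style network-connection records, and the allow-list of expected Telegram clients is an assumption to be tuned per environment.

```python
# Added example (not from the Cyfirma report): hunt over constructed
# Sysmon Event ID 3 style records for Telegram API connections originating
# from processes that should not be talking to it.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

TELEGRAM_API_HOST = "api.telegram.org"

# %Temp% (AppData\Local\Temp), %LocalAppData% (AppData\Local) and
# %AppData% (AppData\Roaming) are all covered by this prefix.
USER_WRITABLE = re.compile(
    r"^C:\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\", re.IGNORECASE
)

# Assumed allow-list of processes legitimately using the Telegram API.
EXPECTED_TELEGRAM_CLIENTS = {"telegram.exe"}


@dataclass
class Alert:
    image: str
    host: str
    reason: str


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert for a suspicious Telegram API connection, else None."""
    host = event.get("DestinationHostname", "").lower()
    if host != TELEGRAM_API_HOST:
        return None
    image = event["Image"]
    name = image.rsplit("\\", 1)[-1].lower()
    if name in EXPECTED_TELEGRAM_CLIENTS:
        return None
    if USER_WRITABLE.match(image):
        return Alert(image, host, "telegram api from user-writable path")
    return Alert(image, host, "telegram api from unexpected process")


def hunt(events: Iterable[dict]) -> List[Alert]:
    return [a for a in map(classify, events) if a is not None]


# Constructed sample events; field names follow Sysmon Event ID 3.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Telegram\telegram.exe", "DestinationHostname": "api.telegram.org"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe", "DestinationHostname": "api.telegram.org"},
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationHostname": "update.example.net"},
    {"Image": r"C:\Users\bob\Documents\tool.exe", "DestinationHostname": "API.Telegram.org"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.reason}] {a.image} -> {a.host}")
```

Hostname-based matching depends on Sysmon's DNS lookup population (or a DNS query log joined on the process); on hosts where that field is empty, key the same logic on Event ID 22 DNS queries instead.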
Link(s):
https://www.cyfirma.com/research/raven-stealer-unmasked-telegram-based-data-exfiltration/