<img src=”https://cdn.mos.cms.futurecdn.net/krBVBETP6cmxBcihGXQFy8.jpg” />
A new information-stealing malware has been spotted which is capable of exfiltrating quite a lot of sensitive information, and also disabling Antivirus programs to establish persistence on target endpoints.
Cybersecurity researchers from CYFIRMA have shared an in-depth analysis of the infostealer, which they call Yunit Stealer.
Yunit Stealer uses JavaScript to incorporate system utility and cryptographic modules, allowing it to execute tasks such as system information retrieval, command execution, and HTTP requests. It remains persistent on the target device by modifying the registry, adding tasks through batch and VBScript, and ultimately – by setting exclusions in Windows Defender.
Stealing passwords and credit card data
When it comes to its infostealing capabilities – Yunit is as potent as any other malware. It can steal system information, data saved in the browser (passwords, cookies, autofill information, etc.), as well as cryptocurrency wallet information. Besides passwords, it can also save credit card information stored in the browser, as well.
Once it collects all the information it deems useful, the malware will try to exfiltrate it either via Discord webhooks, or into a Telegram channel. It will also upload it to a remote server and generate a download link for further access. The link will also come with screenshots, allowing the threat actor to retrieve the information while maintaining anonymity and evading detection. Accessing the data via encrypted communication channels helps, too.
To reinforce the idea that Yunit is a nascent infostealer that is yet to demonstrate its prowess, CYFIRMA stressed that the Telegram channel was only set up on August 31, 2024, and that it currently counts 12 subscribers. Alternatively, the Discord account is currently inactive.