Stealing Login Credentials from 19 Major Browsers
A sophisticated new information stealer named SHUYAL was recently discovered by Hybrid Analysis.
It has demonstrated extensive capabilities in credential extraction from 19 different web browsers, including popular ones like Google Chrome, Microsoft Edge, Opera, Brave, and Yandex, as well as more specialized ones like Opera GX, Vivaldi, Chromium, Waterfox, Tor, Epic Privacy Browser, Comodo Dragon, Slimjet, Coc Coc, Maxthon, 360 Secure Browser, UR Browser, Avast Secure Browser, and Falkon.
Named after unique identifiers in the executable’s PDB path, which also references a “sheepy” username, SHUYAL represents a previously undocumented threat that integrates comprehensive browser targeting with advanced system reconnaissance.

Advanced Capabilities in Credential Theft
The malware performs detailed enumeration of hardware components, retrieving models and serial numbers of disk drives via WMIC commands, alongside descriptions and device IDs for keyboards, pointing devices like mice, and desktop monitors.
This reconnaissance extends to querying the desktop wallpaper path using PowerShell, although incomplete commands like “wmic get name” yield no actionable data.
Beyond hardware profiling, SHUYAL captures screenshots using GDI+ APIs such as GdiplusStartup, BitBlt, and GdipSaveImageToFile, saving them as “ss.png,” and extracts clipboard contents via OpenClipboard and GetClipboardData, storing them in “clipboard.txt.”
It further targets the Discord standard, Canary, and PTB clients, stealing authentication tokens, which are logged alongside browser data in files such as “tokens.txt” and “debug_log.txt” within a temporary “runtime” directory.

SHUYAL’s operational sophistication is evident in its evasion tactics, including the aggressive termination of the Windows Task Manager process through TerminateProcess calls, followed by disabling it entirely by setting the “DisableTaskMgr” registry key to 1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.
This prevents users from monitoring or interrupting the malware’s activities. For persistence, the stealer leverages the SHGetSpecialFolderPathA API to locate the user’s Startup folder (CSIDL_STARTUP) and copies itself there using CopyFileA, ensuring automatic execution on system boot.
Credential theft is executed meticulously: the malware locates “Login Data” databases from the targeted browsers, copies them to the current directory (e.g., “chrome_Data.db” for Chrome), and runs SQL queries like “SELECT origin_url, username_value, password_value FROM logins” to extract credentials.
Passwords are decrypted using the browser’s master key from the “Local State” file, processed via DPAPI’s CryptUnprotectData after Base64 decoding, and saved in “saved_passwords.txt.”
Browsing history is similarly pilfered from files like “\User Data\Default\History” and stored as “history.txt,” demonstrating a thorough approach to data aggregation.
Self-Deletion Mechanisms
To maintain stealth, SHUYAL employs modern exfiltration methods, compressing the “runtime” directory into “runtime.zip” via PowerShell’s Compress-Archive cmdlet and transmitting it to a Telegram bot at hxxps://api.telegram[.]org/bot7522684505:AAEODeii83B_nlpLi0bUQTnOtVdjc8yHfjQ/sendDocument?chat_id=-1002503889864.
This combines Discord token theft with Telegram-based data relay, ensuring efficient command-and-control communication.
Network events are monitored using WSAEnumNetworkEvents for socket-based detections, adding another layer of operational awareness.
According to the report, post-exfiltration the malware deletes its traces by removing the created database copies and runtime files, enhancing its anti-forensic profile.
Finally, self-deletion is achieved through a batch script “util.bat,” which uses commands like “timeout /t 1 /nobreak >nul” and “del /f /q” to erase the executable itself after a delay, leaving minimal footprints.
This in-depth examination, blending Hybrid Analysis’s behavioral indicators with static and dynamic disassembly, underscores SHUYAL’s role as a versatile infostealer.
It not only grabs credentials but also conducts system reconnaissance, evades detection, and exfiltrates data stealthily, posing significant risks to users across diverse browser ecosystems.
Security teams are advised to monitor for these patterns, leveraging vetted access to Hybrid Analysis for sample downloads and further reverse engineering to develop robust defenses against such threats.
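As an added example (not code from the article or from Hybrid Analysis), the following Python hunts for the behaviour chain described above over constructed Sysmon-style telemetry: the event field names, the pids and paths, and the placeholder bot token are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in a Sysmon-like shape (field names are assumptions,
# not a vendor schema): pid 4120 is the SHUYAL-style chain, the rest is benign noise.
T = r"C:\Users\alice\AppData\Local\Temp"
EVENTS = [
    {"type": "process", "pid": 4120, "cmd": "wmic diskdrive get model,serialnumber"},
    {"type": "process", "pid": 4120, "cmd": "wmic path Win32_Keyboard get Description,DeviceID"},
    {"type": "process", "pid": 4120, "cmd": "wmic path Win32_PointingDevice get Description,PNPDeviceID"},
    {"type": "process", "pid": 4120, "cmd": "wmic path Win32_DesktopMonitor get Description,PNPDeviceID"},
    {"type": "registry", "pid": 4120, "value": 1,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"},
    {"type": "file", "pid": 4120,
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe"},
    {"type": "process", "pid": 4120, "cmd": "powershell -Command \"Compress-Archive -Path '"
     + T + r"\*' -DestinationPath '" + T + r"\runtime.zip' -Force" + '"'},
    {"type": "network", "pid": 4120, "url": "https://api.telegram.org/botPLACEHOLDER/sendDocument?chat_id=-100"},
    {"type": "process", "pid": 880, "cmd": "wmic diskdrive get model,serialnumber"},   # lone inventory query
    {"type": "network", "pid": 2200, "url": "https://api.telegram.org/botPLACEHOLDER/getMe"},  # ordinary bot use
]

WMIC_HW = re.compile(r"^wmic\s+(diskdrive|path\s+Win32_(?:Keyboard|PointingDevice|DesktopMonitor))\b", re.I)

# Single-event rules, one per behaviour the article describes.
RULES = {
    "disable_taskmgr": lambda e: e["type"] == "registry" and e["value"] == 1
        and e["key"].lower().endswith("\\policies\\system\\disabletaskmgr"),
    "startup_drop": lambda e: e["type"] == "file" and "\\startup\\" in e["path"].lower(),
    "temp_zip": lambda e: e["type"] == "process" and "compress-archive" in e["cmd"].lower()
        and "\\temp\\runtime.zip" in e["cmd"].lower(),
    "telegram_senddoc": lambda e: e["type"] == "network"
        and re.search(r"api\.telegram\.org/bot[^/]+/sendDocument", e["url"]) is not None,
}

def hunt(events, threshold=3):
    """Group hits per pid; return {pid: sorted rule names} for pids reaching the threshold."""
    hits, wmic_classes = defaultdict(set), defaultdict(set)
    for e in events:
        if e["type"] == "process" and (m := WMIC_HW.search(e["cmd"])):
            wmic_classes[e["pid"]].add(m.group(1).lower())
        hits[e["pid"]].update(name for name, check in RULES.items() if check(e))
    # SHUYAL queries disk, keyboard, mouse and monitor back to back; a lone
    # disk query is routine admin inventory, so require three distinct classes.
    for pid, classes in wmic_classes.items():
        if len(classes) >= 3:
            hits[pid].add("wmic_hw_enum")
    return {pid: sorted(names) for pid, names in hits.items() if len(names) >= threshold}
```

Calling `hunt(EVENTS)` flags only pid 4120 with all five behaviours; the lone wmic query and the `getMe` call stay below the threshold.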
Indicators of Compromise (IOCs)
Category | Indicator |
---|---|
SHA256 | 810d4850ee216df639648a37004a0d4d1275a194924fa53312d3403be97edf5c |
File Created | C:\Users\<User>\AppData\Local\Temp\runtime\browser\debug_log.txt |
File Created | C:\Users\<User>\AppData\Local\Temp\runtime\browser\tokens.txt |
File Created | C:\Users\<User>\AppData\Local\Temp\runtime\clipboard\clipboard.txt |
File Created | C:\Users\<User>\AppData\Local\Temp\runtime\history\history.txt |
File Created | C:\Users\<User>\AppData\Local\Temp\runtime\passwords\saved_passwords.txt |
File Created | C:\Users\<User>\AppData\Local\Temp\runtime\pic\ss.png |
File Created | C:\Users\<User>\AppData\Local\Temp\runtime.zip |
File Created | util.bat |
Process Spawned | wmic diskdrive get model,serialnumber |
Process Spawned | wmic path Win32_Keyboard get Description,DeviceID |
Process Spawned | wmic path Win32_PointingDevice get Description,PNPDeviceID |
Process Spawned | wmic path Win32_DesktopMonitor get Description,PNPDeviceID |
Process Spawned | wmic get name |
Process Spawned | powershell -command "(Get-ItemProperty 'HKCU:\Control Panel\Desktop').Wallpaper" |
Process Spawned | powershell -Command "Compress-Archive -Path 'C:\Users\<User>\AppData\Local\Temp\runtime\*' -DestinationPath 'C:\Users\<User>\AppData\Local\Temp\runtime.zip' -Force" |
Telegram Bot | hxxps[:]//api.telegram[.]org/bot7522684505:AAEODeii83B_nlpLi0bUQTnOtVdjc8yHfjQ/sendDocument?chat_id=-1002503889864 |