Raven Stealer Targets Google Chrome Users to Exfiltrate Sensitive Data
Cybersecurity researchers have identified a significant threat targeting Google Chrome and other Chromium-based browsers: Raven Stealer, a sophisticated information-stealing malware that has been wreaking havoc on users’ sensitive data.
This contemporary malware represents a concerning evolution in credential theft technology, combining advanced evasion techniques with streamlined data exfiltration capabilities.
Raven Stealer stands out as a lightweight yet highly effective information-stealing malware developed primarily in Delphi and C++.
Designed for stealth and efficiency, this malicious software operates with minimal user interaction while maintaining exceptional operational concealment capabilities.
The malware specifically targets Chromium-based browsers including Chrome, Edge, and Brave, systematically harvesting passwords, cookies, payment data, and autofill entries from infected systems.
The malware’s sophisticated approach involves accessing local storage paths and credential vaults within these browsers, enabling attackers to steal login credentials for potential account compromise and data exfiltration.
What makes Raven Stealer particularly dangerous is its ability to decrypt sensitive browser data by accessing AES encryption keys stored in browsers’ Local State files, converting encrypted credentials into plain text format for easy theft.
Raven Stealer employs advanced technical capabilities that set it apart from conventional malware.
The malware utilizes a modular design with a built-in resource editor, allowing attackers to embed configuration details such as Telegram bot tokens directly into the payload.
This streamlined approach makes deployment accessible even to low-skilled threat actors, expanding its potential reach significantly.
The malware integrates Telegram for command-and-control (C2)-like operations and pairs it with a streamlined user interface.

Distribution typically occurs through underground forums and bundled with cracked software, making it a persistent threat to both personal and enterprise environments.
The malware is actively promoted via dedicated Telegram channels, where cybercriminals can access builder tools and support resources.
This commercialization of malware tools demonstrates the evolving landscape of cybercrime, where sophisticated attacks become increasingly accessible.

The malware’s execution strategy involves embedded resources stored in the .rsrc section, a common Delphi practice for bundling external modules.
These resources are extracted and loaded into memory during execution, allowing the malware to operate without dropping files to disk, significantly enhancing its stealth capabilities and evasion potential.
Data Exfiltration and Communication
One of Raven Stealer’s most concerning features is its real-time data exfiltration capability through Telegram bot integration.
The malware consolidates stolen credentials and system information within a structured folder hierarchy under %Local%\RavenStealer, organizing collected data for efficient transmission to attackers.

The malware embeds sensitive Telegram credentials, specifically the Chat_ID and Bot_Token, as plain text within its resource section, using resource IDs 102 and 103 respectively.
The stolen data includes various types of sensitive information systematically organized into separate files.
Browser cookies are aggregated from multiple Chromium-based browsers and stored in cookies.txt files, enabling session hijacking and user impersonation.
Decrypted credentials including usernames and passwords are compiled in passwords.txt files, facilitating unauthorized account access across multiple platforms.
Perhaps most concerning, stored credit and debit card details along with billing information are extracted from browsers and saved in payment.txt files, creating opportunities for financial fraud and identity theft.
The malware also captures screenshots of victims’ desktops and compresses all collected artifacts into ZIP archives for transmission.
These files are then sent to attackers via the Telegram Bot API, providing cybercriminals with comprehensive access to victims’ digital lives and financial information.
Raven Stealer demonstrates sophisticated evasion capabilities through its implementation of encrypted payload injection and process hollowing techniques.
The malware embeds its main DLL payload using ChaCha20 encryption, keeping it hidden within its own binary while avoiding detection by traditional security measures.
During execution, the malware employs reflective process hollowing by launching new Chromium browser instances in suspended states and injecting decrypted DLLs into these legitimate processes.
This technique allows the malware to execute under trusted software identity, effectively bypassing behavioral and signature-based detection systems that rely on process reputation and known malicious signatures.
The in-memory execution approach ensures that malicious code never touches the disk in its decrypted form, making forensic analysis and detection significantly more challenging for security professionals and automated systems alike.
Mitigations
Organizations and individual users can implement several defensive measures to protect against Raven Stealer and similar threats.
Behavioral-based threat detection systems prove most effective against this type of malware, as they can identify suspicious activities regardless of the malware’s evasion techniques.
Regular monitoring of Telegram traffic can help detect potential data exfiltration attempts, particularly in enterprise environments.
User education remains crucial in preventing initial infections, as the malware often spreads through phishing tactics and malicious software downloads.
Organizations should implement comprehensive security awareness programs focusing on the risks of downloading cracked software and clicking suspicious links or attachments.
Technical defenses should include updated antivirus solutions with real-time protection enabled, preferably those utilizing advanced behavioral analysis capabilities.
Regular system performance monitoring through Task Manager can help identify unusual processes or resource consumption patterns that might indicate malware presence. Most importantly, consistent software patching helps close vulnerabilities that malware might exploit for initial system access.
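As an added example (not from the original report), the following Python detection logic turns the behaviours described above into alerts over constructed sample telemetry: a Chromium browser launched suspended by a non-browser parent, files written under a RavenStealer staging folder, and Telegram API traffic originating from a browser process. The event format, process names and benign-parent list are assumptions.

```python
"""Detection logic for Raven Stealer-style behaviour over constructed telemetry.

Added example, not code from the original article. The event tuple format,
the benign-parent list and the sample events below are assumptions.
"""
import re

CHROMIUM = {"chrome.exe", "msedge.exe", "brave.exe"}
BENIGN_PARENTS = CHROMIUM | {"explorer.exe"}      # assumed normal launchers
TELEGRAM_API = re.compile(r"(^|\.)api\.telegram\.org$")
STAGING_DIR = re.compile(r"\\ravenstealer(\\|$)", re.IGNORECASE)

# Constructed sample events: (event type, process, parent process, detail).
EVENTS = [
    ("process_create", "chrome.exe", "explorer.exe", ""),
    ("process_create", "chrome.exe", "65a16KM1.69n.exe", "CREATE_SUSPENDED"),
    ("file_create", "chrome.exe", "",
     r"C:\Users\u\AppData\Local\RavenStealer\passwords.txt"),
    ("net_connect", "chrome.exe", "", "api.telegram.org:443"),
    ("net_connect", "Telegram.exe", "", "api.telegram.org:443"),
    ("net_connect", "chrome.exe", "", "www.google.com:443"),
]


def analyse(events):
    """Return a list of (rule, process, detail) alerts for suspicious events."""
    alerts = []
    for kind, proc, parent, detail in events:
        p = proc.lower()
        if kind == "process_create" and p in CHROMIUM:
            # The stealer starts a Chromium browser suspended and hollows it:
            # a suspended start, or a non-browser parent, is the signal.
            if "CREATE_SUSPENDED" in detail or parent.lower() not in BENIGN_PARENTS:
                alerts.append(("hollowing_candidate", proc, parent))
        elif kind == "file_create" and STAGING_DIR.search(detail):
            # Stolen data is staged under %LOCALAPPDATA%\RavenStealer.
            alerts.append(("staging_dir", proc, detail))
        elif kind == "net_connect":
            host = detail.rsplit(":", 1)[0]
            # A hollowed browser talking to the Telegram Bot API is the
            # exfiltration channel; this heuristic is noisy and needs tuning.
            if TELEGRAM_API.search(host) and p in CHROMIUM:
                alerts.append(("telegram_from_browser", proc, detail))
    return alerts


if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(alert)
```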
The emergence of Raven Stealer represents a significant evolution in information-stealing malware, combining sophisticated technical capabilities with user-friendly deployment tools that democratize advanced cyberattacks.
As this threat continues to evolve, both individual users and organizations must remain vigilant and implement comprehensive security measures to protect sensitive data from these increasingly sophisticated threats.
Indicators of Compromise
File indicator (SHA256) | Context
2b24885942253784e0f6617b26f5e6a05b8ad45f092d2856473439fa6e095ce4 | Raven Stealer
65ca89993f2ee21b95362e151a7cfc50b87183bf0e9c5b753c5e5e17b46f8c24 | 65a16KM1.69n.exe