TLDR:
- Hackers are selling the GlorySprout malware with anti-VM features on an underground forum for $300.
- The malware includes a loader, anti-CIS execution, and a non-functional grabber module.
Hackers have been advertising GlorySprout, a C++ information stealer, on an underground forum for $300, promoting features such as anti-VM functionality and temporary payload encryption. The malware resembles other well-known stealers, notably Taurus Stealer: it uses specific offsets to reach hashed API values and applies anti-analysis techniques to evade detection. It establishes persistence through a scheduled task and communicates with a C2 server to exfiltrate data, including browser history and cryptocurrency wallets.
Technical analysis of GlorySprout showed that it resolves APIs dynamically by hashing their names with a combination of arithmetic and bitwise operations, and that it relies on a scheduled task for persistence. It contacts its C2 server with a browser-like User-Agent and exchanges encrypted data in both directions. The malware differs from Taurus Stealer in several respects, such as the absence of additional DLL downloads and anti-VM features, which may limit its popularity compared to other stealers.
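The API-hashing behaviour described above is usually undone during analysis by precomputing the hash of every export in the DLLs the sample loads and looking up the constants found in the binary. The following is an added example of that analyst-side technique; it is not code from the page or from the malware, and the ROR-13/ADD hash and the short export list are assumptions, since the summary does not disclose GlorySprout's actual algorithm.

```python
def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits, a common primitive in API-hashing loops."""
    count &= 31
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def api_hash(name: str, seed: int = 0) -> int:
    """Hypothetical hash: ROR-13 then ADD over each ASCII byte of the export name.
    This is an assumption for illustration, not GlorySprout's real algorithm."""
    h = seed
    for ch in name.encode("ascii"):
        h = (ror32(h, 13) + ch) & 0xFFFFFFFF
    return h


def build_hash_table(export_names) -> dict:
    """Precompute hash -> export name so hashed constants lifted from a sample
    can be resolved statically, without running or emulating the loader."""
    table = {}
    for name in export_names:
        h = api_hash(name)
        if h in table and table[h] != name:
            # Collisions would make a lookup ambiguous; surface them instead of guessing.
            raise ValueError(f"hash collision: {name!r} vs {table[h]!r}")
        table[h] = name
    return table


def resolve(hashes, table: dict) -> list:
    """Map hash constants pulled from the sample to API names (None when unknown)."""
    return [table.get(h) for h in hashes]


# Constructed stand-in for the export tables of DLLs a stealer typically imports;
# real analysis walks the PE export directory of each DLL the sample loads.
SAMPLE_EXPORTS = [
    "CreateFileW", "ReadFile", "WriteFile", "VirtualAlloc", "LoadLibraryA",
    "GetProcAddress", "CryptUnprotectData", "InternetOpenW", "HttpSendRequestW",
]


def resolve_sample_constants(constants) -> list:
    """Convenience wrapper: build the table from SAMPLE_EXPORTS and resolve `constants`."""
    return resolve(constants, build_hash_table(SAMPLE_EXPORTS))


if __name__ == "__main__":
    # Constructed "constants" as they would be lifted from the sample's resolver loop.
    lifted = [api_hash("LoadLibraryA"), api_hash("GetProcAddress"), 0xDEADBEEF]
    for h, name in zip(lifted, resolve_sample_constants(lifted)):
        print(f"{h:#010x} -> {name}")
```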