A recently discovered Python-based infostealer called “Inf0s3c” was detailed by Cyfirma researchers in a report published Friday.The stealer utilizes several methods for evasion, abuses imported Windows API functions and targets a wide range of data types, including credentials, cookies, Wi-Fi passwords, browsing history, gaming account info, webcam images and screenshots.Inf0s3c stealer is a 64-bit portable executable (PE) file that is compressed using the UPX algorithm and further packed with PyInstaller, reducing its size and obscuring its contents.After unpacking, the malware imports a large set of Windows API functions that enable file manipulation, process management, environment control, memory handling and other interactions with the host system, according to Cyfirma. A component called Build.exe performs the main infostealing functions and creates a directory in %temp% to store retrieved data. The data it collects includes basic system details, IP information, passwords and Wi-Fi passwords, cookies, browsing history, autofill data, cryptocurrency wallets, screenshots, webcam images, Telegram sessions and Discord accounts.It also targets information related to gaming accounts including Roblox, Minecraft, Epic, Steam, Uplay and Growtopia sessions. The stolen info is compiled into a password-protected RAR archive and exfiltrated to the attacker’s Discord account.Inf0s3c stealer maintains persistence by copying its executable to the Windows Startup folder. It evades detection and analysis by various means, including through virtual machine (VM) checks, blocking of antivirus-related sites, “melting” (self-deletion) after execution and unpacking and decoding of the Base64-encoded Python code only at runtime, Cyfirma described.The Inf0s3c builder also offers a “pump stub” feature to artificially inflate file size, making it more difficult for security scanners to efficiently analyze the file.The discovery of the Inf0s3c builder revealed similarities to other publicly available grabbers, including “Blank Grabber” and “Umbral-Stealer,” which share a developer, which suggested Inf0s3c stealer may come from the same developer or leverage the publicly available code in its design.Cyfirma said its analysis of the recently discovered stealer demonstrated how stealthy and sophisticated malware capable of harvesting a wide range of data in an automated fashion is readily available for cybercriminals. This emphasized the importance of robust defenses including behavior-based detection, monitoring networks for strange connections to services such as Discord and flagging of unusual command executions.
Data Security, Malware, Threat Intelligence, Exposure management
Python-based infostealer ‘Inf0s3c’ combines stealth with broad data theft

Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



