Agniane Stealer: Dark Web’s Crypto Threat
Introduction
The Zscaler ThreatLabz team recently discovered a new information stealer family: Agniane Stealer. This malware steals stored credentials and system information, along with session data and tokens from web browsers, chat and gaming clients, and file transfer tools. Agniane Stealer also heavily targets cryptocurrency browser extensions and wallets. It then exfiltrates the stolen data to command-and-control (C&C) servers, where the threat actors can act on it.
We believe Agniane Stealer belongs to the Malware-as-a-Service (MaaS) platform Cinoshi Project, which was discovered in early 2023, and much of its code is modeled on that platform. Through Cinoshi Project, Agniane Stealer has been available for sale on several dark web forums. The threat actors behind Agniane Stealer use packers to protect the build and regularly update the malware's functionality and evasion features.
In this technical blog post, we cover:
Key Takeaways
Agniane Stealer Promoted on Telegram
Relationship to Cinoshi Project
Agniane Stealer User Interface
Technical Analysis
Stealer Capabilities
C&C Communication
Conclusion
Zscaler Coverage
Indicators of Compromise (IOCs)
Crypto Extensions & Wallets
Key Takeaways
Stealing Capabilities: Agniane Stealer is an information stealer that takes stored credentials from web browsers, and sessions and tokens from Telegram, Discord, Steam, WinSCP, and FileZilla. It also captures a screenshot of the user's desktop and collects OpenVPN profiles and system information.
Crypto Hungry: Agniane Stealer is a prolific cryptocurrency data exfiltrator that supports more than 70 crypto browser extensions and more than 10 crypto wallets.
Evasion Techniques: Agniane Stealer implements numerous checks to detect analysis environments such as malware sandboxes, emulators, VirtualBox, and other analysis tools, and its operator can configure the build not to run in them.
Availability: Agniane Stealer is part of Cinoshi Project - a MaaS that offers services and subscriptions on the dark web.
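As an added illustration of the Evasion Techniques takeaway, the script below shows the kind of VM and sandbox fingerprint heuristics stealers use to decide whether to run. It is example code written for this post, not Agniane Stealer's own code and not a reconstruction of it; which exact checks Agniane performs is not listed in this summary. The heuristics are generic and well known (SMBIOS vendor strings, guest-addition processes and drivers, default sandbox usernames, undersized hardware, short uptime), and the two host snapshots are constructed for the demonstration. The same function is useful from the defender's side: a sandbox operator can run it against a hardened analysis VM to confirm that it scores below the abort threshold.

```python
"""Generic VM/sandbox fingerprint heuristics of the kind stealers use to refuse to run under analysis.

Illustrative example, not Agniane Stealer's code: the attribute names, thresholds
and host snapshots below are all constructed for this demonstration.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class HostSnapshot:
    """Facts a sample typically gathers (via WMI, process listing, file probes) before deciding to run."""
    manufacturer: str
    model: str
    username: str
    processes: List[str]
    files_present: List[str]
    cpu_count: int
    ram_gb: int
    uptime_minutes: int


# Substrings that appear in SMBIOS manufacturer/model strings of common hypervisors.
VM_VENDOR_STRINGS = ("virtualbox", "innotek", "vmware", "qemu", "kvm", "xen", "parallels")
# Guest-additions services and analysis tools a sample looks for in the process list.
ANALYSIS_PROCESSES = {
    "vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe",
    "procmon.exe", "wireshark.exe", "x64dbg.exe", "ida64.exe",
}
# Guest drivers that exist only inside a VirtualBox or VMware guest.
GUEST_DRIVER_FILES = {
    r"c:\windows\system32\drivers\vboxguest.sys",
    r"c:\windows\system32\drivers\vboxmouse.sys",
    r"c:\windows\system32\drivers\vmhgfs.sys",
}
# Account names that are common defaults in public sandboxes.
SANDBOX_USERNAMES = {"sandbox", "malware", "virus", "analyst", "john doe", "user"}


def sandbox_indicators(host: HostSnapshot) -> List[str]:
    """Return a human-readable list of every heuristic that fires for this host."""
    hits: List[str] = []

    vendor = f"{host.manufacturer} {host.model}".lower()
    if any(v in vendor for v in VM_VENDOR_STRINGS):
        hits.append(f"hypervisor vendor string: {vendor.strip()}")

    running = {p.lower() for p in host.processes}
    for proc in sorted(running & ANALYSIS_PROCESSES):
        hits.append(f"analysis or guest-tools process: {proc}")

    present = {f.lower() for f in host.files_present}
    for path in sorted(present & GUEST_DRIVER_FILES):
        hits.append(f"guest driver on disk: {path}")

    if host.username.lower() in SANDBOX_USERNAMES:
        hits.append(f"generic sandbox username: {host.username}")

    # Analysis VMs are usually provisioned small and snapshotted right after boot.
    if host.cpu_count < 2 or host.ram_gb < 4:
        hits.append(f"undersized hardware: {host.cpu_count} CPU / {host.ram_gb} GB RAM")
    if host.uptime_minutes < 10:
        hits.append(f"fresh boot: {host.uptime_minutes} min uptime")

    return hits


def should_abort(host: HostSnapshot, threshold: int = 2) -> bool:
    """Panel-style policy: refuse to run when at least `threshold` indicators fire.

    Requiring more than one hit avoids aborting on a real laptop that merely has
    Wireshark open; a sandbox operator can use the same function to confirm that
    a hardened analysis VM scores below the threshold.
    """
    return len(sandbox_indicators(host)) >= threshold


# Constructed snapshots: a stock VirtualBox analysis VM and an ordinary corporate laptop.
ANALYSIS_VM = HostSnapshot(
    manufacturer="innotek GmbH", model="VirtualBox", username="sandbox",
    processes=["explorer.exe", "VBoxService.exe", "VBoxTray.exe", "procmon.exe"],
    files_present=[r"C:\Windows\System32\drivers\VBoxGuest.sys"],
    cpu_count=1, ram_gb=2, uptime_minutes=3,
)
WORKSTATION = HostSnapshot(
    manufacturer="Dell Inc.", model="Latitude 7420", username="maria.lopez",
    processes=["explorer.exe", "outlook.exe", "chrome.exe"],
    files_present=[],
    cpu_count=8, ram_gb=16, uptime_minutes=4300,
)

if __name__ == "__main__":
    for name, host in (("analysis VM", ANALYSIS_VM), ("workstation", WORKSTATION)):
        print(f"{name}: abort={should_abort(host)}")
        for hit in sandbox_indicators(host):
            print("  -", hit)
```

Running the script lists eight indicators for the stock VirtualBox snapshot and none for the laptop. The threshold is the interesting knob: a sample that aborts on a single hit is easy to keep out of a sandbox but also loses real victims who run analysis tools, which is why such checks are typically exposed as panel options rather than hard-coded.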
Agniane Stealer Promoted on Telegram
During our investigation, we found a Telegram channel promoting and selling Agniane Stealer. The Telegram channel owner posts consistently about feature lists, updates, and pricing. We speculate the owner of the Telegram channel is the malware author.
The following Agniane Stealer feature list was found on the Telegram channel:
“The stealer is written in C#. It loads the libraries used; build weight is 419 KB.
Perfectly crypted by mass-crypters, such as EasyCrypter, exe2pack, PackLab and others.
Supports stealing passwords and cookies from browsers based on Chromium and Gecko.
Support for more than 70+ crypto extensions from browsers, as well as more than 10+ crypto wallets.
Collection of Telegram sessions, Discord tokens, Steam sessions, WinSCP and FileZilla sessions.
Saving screenshots from all monitors with detailed information about them.
Collection of all information about the victim's computer.
Convenient filter for domains that are important to you; search in passwords and cookies of your domains and record the result.
Collection of all possible OpenVPN profiles.
Collecting a list of all installed applications on the computer.
The ability to prohibit the launch of the build on virtual computers, emulators (configurable on the panel).
Protection of your build from running on Virustotal, AnyRun and similar servers (configurable on the panel).
Protection against repeated logs, as well as protection against empty logs (configurable on the panel).
Collection of files from the user's desktop and documents (file extensions are configured on the panel).
Log collection is carried out in memory, without using a disk to store materials from the log”
The following information regarding price was also found:
“