A Potent & Flexible Malware Threat.

The cybersecurity landscape continues to evolve, with malicious actors employing increasingly sophisticated tools. One such emerging threat is Raven Stealer, an information-stealing malware family used to harvest credentials and other sensitive data from compromised Windows systems.

A new report by Cyfirma unpacks the workings of Raven Stealer, revealing how it operates, its command-and-control (C2) arrangement, and its use of Telegram for data exfiltration.

The analysis highlights the significance of this malware in the current threat environment and offers guidance on its detection and mitigation.

Raven Stealer is a relatively new form of malware classified as a 'stealer' (or infostealer): malware designed to extract credentials, cookies, browser autofill data and similar high-value information from infected devices. It is typically distributed via malicious email campaigns or compromised websites.

Once executed, it establishes persistence on the infected system so that collection survives a reboot. Its modular architecture lets operators add or swap collection modules, making it adaptable, while packing and obfuscation help it slip past signature-based defences.

Distribution & Infection Vector

The primary distribution method for Raven Stealer appears to be phishing emails containing malicious attachments or links that direct users to compromised sites hosting the malware. The operators often impersonate legitimate organisations or individuals to deceive targets. Once the user opens the malicious payload (often a disguised executable or script), the malware gains a foothold on the system. Custom packing and obfuscation complicate static analysis, which is what lets early samples evade signature-based detection.

Data Collection Capabilities

Raven Stealer's core function is credential and data theft. It targets artefacts stored by the browser, such as saved passwords, autofill data, cookies and browsing history, and it can also harvest cryptocurrency wallets, Discord tokens and other application credentials. The malware uses local modules to locate and extract this information, then packages it for transmission to its command-and-control (C2) endpoint, in this case a Telegram bot.

Use of Telegram For Exfiltration

A notable feature of Raven Stealer is its use of Telegram, a popular messaging platform, for covert data exfiltration. Instead of an attacker-hosted C2 server, the malware sends stolen data to a Telegram bot through the Telegram Bot API. This gives the operator several advantages: the requests are ordinary HTTPS calls to api.telegram.org, so they blend in with legitimate Telegram use and are hard to block without blocking the platform itself, and the only infrastructure required is a bot token and a chat ID, which takes minutes to set up and costs nothing. The malware constructs specially formatted messages containing the stolen data and uploads them through the Bot API. The flip side for defenders is that the bot token and chat ID have to be embedded in the sample, so once extracted they identify the operator's channel and can be reported to Telegram for revocation.
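The following is an added example, not code from the Cyfirma report or from Raven Stealer: a small detector that recognises the Bot API URL shape described above in URL telemetry, extracts the bot ID and chat ID (the operator-side indicators worth reporting), and separates uploads from command polling. The log format, host names, process names and the bot token are all constructed for the example; the token is not a real indicator. It also carries the caveat a practitioner needs: the URL path is only visible where TLS is terminated (an inspecting proxy) or on the host (EDR/ETW URL telemetry); DNS and NetFlow show only api.telegram.org, which legitimate clients also contact.

```python
"""Telegram Bot API exfiltration detector for URL telemetry.

Added example, not code from the Cyfirma report or from Raven Stealer itself.
A stealer that uses a Telegram bot needs only two secrets, the bot token issued
by @BotFather and the operator's chat_id, and every upload is an HTTPS request
to a fixed URL shape:

    https://api.telegram.org/bot<TOKEN>/sendDocument?chat_id=<ID>   (file upload)
    https://api.telegram.org/bot<TOKEN>/sendMessage?chat_id=<ID>    (text)
    https://api.telegram.org/bot<TOKEN>/getUpdates                  (poll for commands)

Caveat: the path is only visible where TLS is terminated (an inspecting proxy)
or on the host (EDR / ETW URL telemetry). DNS or NetFlow shows only
api.telegram.org, which legitimate Telegram clients also contact.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Public shape of a bot token: "<numeric bot id>:<secret>". The token in the
# sample log below is made up; it is not a Raven Stealer indicator.
BOT_PATH_RE = re.compile(r"^/bot(\d{6,12}:[A-Za-z0-9_-]{30,50})/(\w+)$")

EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendMediaGroup"}
C2_METHODS = {"getUpdates"}


@dataclass
class Hit:
    line_no: int
    process: str
    method: str
    bot_id: str
    token: str
    chat_id: Optional[str]
    verdict: str


def parse_line(line: str) -> dict:
    """Constructed log format: '<ts> <host> <process> <http_method> <url>'."""
    ts, host, process, http_method, url = line.split(maxsplit=4)
    return {"ts": ts, "host": host, "process": process, "http": http_method, "url": url}


def classify(rec: dict, line_no: int) -> Optional[Hit]:
    """Return a Hit if the URL is a Bot API call, otherwise None."""
    u = urlsplit(rec["url"])
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(u.path)
    if not m:
        return None
    token, method = m.group(1), m.group(2)
    chat_id = parse_qs(u.query).get("chat_id", [None])[0]
    if method in EXFIL_METHODS:
        verdict = "exfiltration"
    elif method in C2_METHODS:
        verdict = "command-polling"
    else:
        verdict = "other-bot-api"
    return Hit(line_no, rec["process"], method, token.split(":")[0], token, chat_id, verdict)


def scan(lines) -> List[Hit]:
    hits = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        hit = classify(parse_line(line), n)
        if hit:
            hits.append(hit)
    return hits


def campaign_indicators(hits):
    """Distinct (bot_id, chat_id) pairs: the operator-side identifiers to report/block."""
    return sorted({(h.bot_id, h.chat_id) for h in hits}, key=lambda t: (t[0], t[1] or ""))


# Constructed sample telemetry: two benign Telegram uses, then a look-alike
# process uploading a file, sending a message and polling for commands.
SAMPLE_LOG = """\
2025-08-11T09:14:02Z WS-0142 chrome.exe GET https://web.telegram.org/a/
2025-08-11T09:14:05Z WS-0142 Telegram.exe POST https://149.154.167.99/api
2025-08-11T09:14:09Z WS-0142 svchost_update.exe POST https://api.telegram.org/bot1234567890:AAHfakeTOKENfakeTOKENfakeTOKENfake01/sendDocument?chat_id=987654321
2025-08-11T09:14:10Z WS-0142 svchost_update.exe POST https://api.telegram.org/bot1234567890:AAHfakeTOKENfakeTOKENfakeTOKENfake01/sendMessage?chat_id=987654321
2025-08-11T09:14:40Z WS-0142 svchost_update.exe GET https://api.telegram.org/bot1234567890:AAHfakeTOKENfakeTOKENfakeTOKENfake01/getUpdates?offset=1
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"line {h.line_no}: {h.process} -> {h.method} ({h.verdict}) bot={h.bot_id} chat={h.chat_id}")
    print("indicators:", campaign_indicators(found))
```

Two design points: the match is on the documented path shape rather than a list of known tokens, so it catches any bot, not just one campaign; and getUpdates is reported separately because a sample that polls it is receiving commands, which changes the incident from "data left" to "attacker has a foothold".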

Operational Workflow

The malware’s operation can be summarised in several stages:

1. Infection & Persistence: The malware infects the target system and establishes persistence through registry modifications (such as autostart entries) or scheduled tasks.

2. Data Collection: Once active, it scans the system for targeted artefacts, extracting sensitive information.

3. Data Packaging & Transmission: The stolen data is compiled into structured messages and sent to the attacker’s Telegram bot.

4. Command & Control: The attacker monitors the Telegram bot's chat for incoming data and can use the same channel to send commands or updates to the malware.

This workflow enables real-time control and data exfiltration, making Raven Stealer a potent and flexible threat.

Indicators of Compromise & Detection

Detection of Raven Stealer can be challenging because of its obfuscation and its use of a legitimate messaging platform as C2. Nonetheless, security teams can look for indicators such as connections to api.telegram.org from a process that is neither a browser nor a Telegram client, unexpected processes running from user-profile directories, new autostart entries in the registry, and reads of browser credential stores (for example Chromium's Login Data and Cookies databases) by a process other than the browser that owns them. File integrity monitoring and heuristic analysis help surface such activity, and behavioural detection that correlates these credential-access patterns with outbound Telegram traffic from the same process is particularly valuable.
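As an added example covering both the four-stage workflow above and the indicators just listed (it is not detection content from the Cyfirma report), the following correlates constructed Sysmon-style events per process and alerts only when two or more of the three stealer behaviours (persistence, credential-store access, Telegram egress) hit the same process. The event records, paths, process names and the "FileRead" event type (Sysmon does not log file reads; that record stands in for an EDR file-access event) are all constructed for the example.

```python
"""Host-side behavioural correlation for stealer activity.

Added example with constructed Sysmon-style events; it is not telemetry or
detection content from the Cyfirma report. Three behaviours in the workflow
above are each noisy on their own (installers write Run keys, Chrome reads its
own Login Data, ops tools post to api.telegram.org) but rarely co-occur in one
benign process, so events are scored per process and an alert fires only when
two or more categories hit the same process.
"""
import re
from collections import defaultdict
from typing import Dict, List

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
SCHTASKS_RE = re.compile(r"schtasks(\.exe)?\s+/create", re.I)
# Browser, Discord and wallet artefacts a stealer reads. The owning apps read
# these files themselves, so reads by those images are not counted.
CRED_STORE_RE = re.compile(
    r"\\(Login Data|Cookies|Web Data|History)$"
    r"|\\discord\\Local Storage\\leveldb\\"
    r"|\\wallet\.dat$", re.I)
CRED_OWNERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "discord.exe"}
TELEGRAM_HOSTS = {"api.telegram.org"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def categorise(ev: dict):
    """Map one event to a behaviour category, or None if it is uninteresting."""
    eid, image = ev["EventID"], basename(ev["Image"])
    if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return "persistence"                      # Sysmon 13: registry value set under Run
    if eid == 1 and SCHTASKS_RE.search(ev.get("CommandLine", "")):
        return "persistence"                      # Sysmon 1: schtasks /create spawned
    if eid == "FileRead" and image not in CRED_OWNERS \
            and CRED_STORE_RE.search(ev.get("TargetFilename", "")):
        return "credential_store"                 # constructed EDR file-read event
    if eid == 3 and ev.get("DestinationHostname", "").lower() in TELEGRAM_HOSTS:
        return "telegram_egress"                  # Sysmon 3: network connection
    return None


def correlate(events: List[dict]) -> Dict[int, dict]:
    """Per-process set of categories. PID reuse is ignored for brevity; key on
    ProcessGuid when running this over real Sysmon data."""
    by_pid = defaultdict(lambda: {"image": None, "categories": set()})
    for ev in events:
        pid, image, cat = ev["ProcessId"], ev["Image"], categorise(ev)
        if cat == "persistence" and ev["EventID"] == 1:
            # schtasks.exe is only the tool; credit the process that launched it
            pid, image = ev.get("ParentProcessId", pid), None
        entry = by_pid[pid]
        if image:
            entry["image"] = image
        if cat:
            entry["categories"].add(cat)
    return by_pid


def alerts(events: List[dict], threshold: int = 2) -> List[dict]:
    return [{"pid": pid, "image": e["image"], "categories": sorted(e["categories"])}
            for pid, e in correlate(events).items() if len(e["categories"]) >= threshold]


# Constructed events. PID 4412 is the stealer; the others are benign look-alikes
# that each trigger at most one category.
EVENTS = [
    {"EventID": 1, "ProcessId": 4412, "Image": r"C:\Users\alice\AppData\Local\Temp\svchost_update.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\svchost_update.exe"},
    {"EventID": 13, "ProcessId": 4412, "Image": r"C:\Users\alice\AppData\Local\Temp\svchost_update.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateCheck"},
    {"EventID": 1, "ProcessId": 4420, "ParentProcessId": 4412, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn UpdateCheck /tr "C:\Users\alice\AppData\Local\Temp\svchost_update.exe"'},
    {"EventID": "FileRead", "ProcessId": 4412, "Image": r"C:\Users\alice\AppData\Local\Temp\svchost_update.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": "FileRead", "ProcessId": 4412, "Image": r"C:\Users\alice\AppData\Local\Temp\svchost_update.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"},
    {"EventID": 3, "ProcessId": 4412, "Image": r"C:\Users\alice\AppData\Local\Temp\svchost_update.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    # Benign: Chrome reading its own credential store.
    {"EventID": "FileRead", "ProcessId": 2200, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Benign: an installer adding a Run key.
    {"EventID": 13, "ProcessId": 5000, "Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
    # Benign: an ops notification tool that posts to a Telegram bot.
    {"EventID": 3, "ProcessId": 6100, "Image": r"C:\Program Files\OpsNotify\notify.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
]

if __name__ == "__main__":
    for a in alerts(EVENTS):
        print(f"ALERT pid={a['pid']} image={a['image']} categories={a['categories']}")
```

The threshold is the tuning knob: at 2 the rule still fires if the Telegram channel is invisible (for instance the host has no URL telemetry and the stealer runs without persistence), while a single category only produces a low-priority signal that can be reviewed in bulk.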

Mitigation & Recommendations

To defend against Raven Stealer, organisations should implement layered security measures: endpoint detection and response (EDR) tooling, network monitoring for unusual traffic, and strict access controls. User awareness training is critical, since phishing is the primary infection vector. Regular updates and patches reduce the attack surface available to the initial loader. Monitoring for known indicators of Raven Stealer activity, including any bot tokens and chat IDs recovered from samples, supports early detection.

Raven Stealer exemplifies the evolving tactics of cybercriminals, leveraging legitimate platforms such as Telegram for covert operations. Its modular design and adaptable communication methods make it a formidable threat.

Organisations must maintain vigilance through advanced detection strategies, employee education, and proactive security practices. The report underscores the importance of continuous monitoring and analysis to stay ahead of such hybrid threats in the cybersecurity landscape.

Cyfirma 

Image: Ideogram
