A new player has emerged in cyberspace, with an ability to conceal its operations reminiscent of the infamous Hannibal Lecter. Researchers recently identified a new strain of malicious software dubbed Hannibal Stealer. This sophisticated malware is a modular .NET infostealer designed to harvest a wide range of sensitive data while employing several stealth techniques.
What sets Hannibal Stealer apart is not only its data theft capabilities but also its methods of evading detection. By using DLL injection, dynamic loading of its components, and payload encryption, the malware poses a significant challenge to analysts and antivirus software alike.
Hannibal Stealer primarily targets data stored by browsers built on the Chromium and Gecko engines, which includes popular browsers such as Chrome, Edge, and Firefox. It steals cookies, autofill data, and saved passwords, all while masquerading as a legitimate browser component to avoid detection.
An analysis of Hannibal Stealer revealed that it calls into Windows system libraries for decryption, network reconnaissance, and memory operations. These imports indicate the malware's intent to inject into other processes, manipulate memory, and cover its tracks.
The malware employs AES-GCM encryption through the Windows Cryptography API to protect its payload, so that the malicious code stays encrypted until the moment it is executed. This complicates static analysis and enhances the malware's stealth.
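The following is an added example, not code from the report or from the stealer itself: a Go program that rebuilds the AES-GCM payload wrapping the paragraph describes from the analyst's side, and shows why it matters that the mode is authenticated. The blob layout (12-byte nonce, ciphertext, 16-byte tag), the SHA-256 key derivation and the sample payload are assumptions chosen to match the defaults of .NET's AesGcm class and CNG's GCM chaining mode; Hannibal's actual framing and key handling are not documented here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Assumed blob layout (the report does not document the stealer's framing):
//   nonce (12 bytes) || ciphertext || GCM tag (16 bytes)
// These are the defaults of both .NET's AesGcm and CNG's BCRYPT_CHAIN_MODE_GCM,
// which is why they are the first thing to try when carving an encrypted stage.
const (
	nonceSize = 12
	tagSize   = 16
)

// deriveKey stands in for however the loader obtains its AES-256 key. Hashing an
// embedded string with SHA-256 is a common .NET loader pattern; it is an assumption here.
func deriveKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

// wrapPayload is the encrypting side, included only so the example can build a
// constructed blob to exercise the decryptor against.
func wrapPayload(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(nonce) != gcm.NonceSize() {
		return nil, errors.New("nonce must be 12 bytes")
	}
	blob := make([]byte, 0, nonceSize+len(plaintext)+tagSize)
	blob = append(blob, nonce...)
	// Seal appends ciphertext||tag after the nonce already copied in.
	return gcm.Seal(blob, nonce, plaintext, nil), nil
}

// unwrapPayload is the analyst-side routine: given the recovered key and a carved
// blob it returns the decrypted stage, or an error if the layout is wrong, the key
// is wrong, or the blob was modified (GCM authenticates the whole ciphertext).
func unwrapPayload(key, blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize {
		return nil, errors.New("blob too short for nonce+tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, ct := blob[:nonceSize], blob[nonceSize:]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed stand-ins for the loader's secret, its nonce and the embedded stage.
	key := deriveKey("constructed-loader-secret")
	nonce := []byte("nonce-000001")
	stage := []byte("MZ... constructed next-stage bytes ...")
	blob, err := wrapPayload(key, nonce, stage)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob: %s\n", hex.EncodeToString(blob))

	pt, err := unwrapPayload(key, blob)
	fmt.Printf("decrypt with right key: %q err=%v\n", pt, err)

	// Patching the ciphertext in place (a trick that works against unauthenticated
	// schemes) fails here because the tag no longer verifies.
	tampered := append([]byte{}, blob...)
	tampered[nonceSize] ^= 0x01
	_, err = unwrapPayload(key, tampered)
	fmt.Printf("decrypt after patching one byte: err=%v\n", err)

	_, err = unwrapPayload(deriveKey("wrong-secret"), blob)
	fmt.Printf("decrypt with wrong key: err=%v\n", err)
}
```

The practical point for triage: because GCM authenticates the ciphertext, neither a wrong key nor a patched blob yields partial plaintext, so the only route is to recover the real key from the loader (hard-coded, derived from an embedded string, or dumped at runtime under a debugger) and then run the decryptor above on the carved stage.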
Beyond cryptocurrency wallets, including Bitcoin Core, Ethereum, and Atomic Wallet, Hannibal Stealer also harvests VPN configurations and FTP client credentials, and it collects the host's MAC addresses and IP gateway. The operators can use this network data to fingerprint victims and to restrict the malware's operations to specific regions.
Additionally, Hannibal Stealer has a built-in geofencing mechanism that ceases its activities if it determines it is running in a Commonwealth of Independent States (CIS) country. This kill switch is a common tactic among malware developers based in the region, intended to avoid attracting the attention of local law enforcement.
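Added example, not the stealer's own code and not from the report: a Go model of such a kill switch, built from host signals a stealer can read without any network traffic (user locale, installed keyboard layouts, system time zone). Which signals Hannibal actually consults and its exact country list are assumptions; the list below is the CIS member states plus the associate state Turkmenistan, by ISO 3166-1 alpha-2 code, and the time-zone table is deliberately partial.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed list of ISO 3166-1 alpha-2 codes: CIS members plus associate state
// Turkmenistan. The report does not state which countries Hannibal checks.
var cisRegions = map[string]bool{
	"AM": true, "AZ": true, "BY": true, "KZ": true, "KG": true,
	"MD": true, "RU": true, "TJ": true, "TM": true, "UZ": true,
}

// A few IANA time zones located in CIS countries; partial and illustrative only.
var cisTimeZones = map[string]string{
	"Europe/Moscow": "RU", "Europe/Minsk": "BY", "Asia/Almaty": "KZ",
	"Asia/Tashkent": "UZ", "Asia/Yerevan": "AM", "Asia/Baku": "AZ",
	"Europe/Chisinau": "MD", "Asia/Dushanbe": "TJ", "Asia/Bishkek": "KG",
	"Asia/Ashgabat": "TM",
}

// HostSignals holds values readable locally: the user locale (e.g. "ru-RU"),
// the installed keyboard layouts, and the system time zone. Assumed inputs.
type HostSignals struct {
	Locale    string
	Keyboards []string
	TimeZone  string
}

// regionOf extracts the two-letter region subtag from a BCP 47 or Windows-style
// locale such as "ru-RU", "kk_KZ" or "zh-Hans-CN". Returns "" if there is none.
func regionOf(locale string) string {
	parts := strings.FieldsFunc(locale, func(r rune) bool { return r == '-' || r == '_' })
	if len(parts) < 2 {
		return ""
	}
	for _, p := range parts[1:] {
		if len(p) == 2 {
			return strings.ToUpper(p)
		}
	}
	return ""
}

// Geofence returns true, with the reason, when the host looks like it is in a
// CIS country, i.e. when a stealer with this kill switch would exit.
func Geofence(h HostSignals) (bool, string) {
	if r := regionOf(h.Locale); cisRegions[r] {
		return true, "locale region " + r
	}
	// Many stealers check every installed layout, not only the active locale, so a
	// US machine with a Russian layout added also trips the switch.
	for _, kb := range h.Keyboards {
		if r := regionOf(kb); cisRegions[r] {
			return true, "keyboard layout " + kb
		}
	}
	if r, ok := cisTimeZones[h.TimeZone]; ok {
		return true, "time zone " + h.TimeZone + " (" + r + ")"
	}
	return false, ""
}

func main() {
	// Constructed sample hosts.
	hosts := []HostSignals{
		{Locale: "en-US", Keyboards: []string{"en-US"}, TimeZone: "America/New_York"},
		{Locale: "en-US", Keyboards: []string{"en-US", "ru-RU"}, TimeZone: "America/New_York"},
		{Locale: "en-GB", Keyboards: []string{"en-GB"}, TimeZone: "Asia/Almaty"},
		{Locale: "kk_KZ", Keyboards: []string{"kk_KZ"}, TimeZone: "Asia/Almaty"},
	}
	for _, h := range hosts {
		exit, why := Geofence(h)
		fmt.Printf("%-6s %-14s %-18s exit=%-5v %s\n",
			h.Locale, strings.Join(h.Keyboards, ","), h.TimeZone, exit, why)
	}
}
```

For sandbox work the consequence is simple: detonate on an image with a non-CIS locale, no Cyrillic keyboard layout and a non-CIS time zone to exercise the full payload, and flip one of those signals to confirm that the sample really does exit early. The same check is why adding a Russian keyboard layout is sometimes suggested as a host "vaccine"; it is not a reliable defence, since nothing obliges the next build to keep the switch.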