Coral Tayar
Security Researcher at Cyberint
The New InfoStealer in Town: The Continental Stealer
In the last several days, a new info stealer known as the “Continental stealer” has gained traction in dark web forums. This stealer has the potential to become one of the more powerful participants in the InfoStealer industry, thanks to its simple and easy-to-use architecture. In this report, we will review the stealer infrastructure, features, and functionality.
The Continental Stealer
The Continental Stealer made its initial appearance on October 4th, 2023, and its operator has actively promoted it within dark web forums in recent days. The stealer’s developer maintains a dedicated Telegram channel for announcements and provides a support contact for direct communication.
While the initial announcement occurred on October 4th, comprehensive information and guidance were released on October 16. In its investigation, Cyberint identified the earliest references to this threat on the dark web dating back to early November, suggesting that the threat actor has only now begun significant dissemination efforts. Cyberint’s analysis points to a probable Russian origin or motivation behind the threat actor, a subject we elaborate on later in this report.
The Continental Stealer offers subscription options at $120 for one month, $330 for three months, and $540 for a lifetime subscription.
The stealer’s developer has also published a sample of the log files, which closely aligns with the structure of other well-known stealer families.
Functional Capabilities of The Continental Stealer
The Continental Stealer positions itself as a user-friendly Malware-as-a-Service (MaaS) suitable for individuals with varying levels of experience. Its control panel is designed for ease of use and features a web-based builder.
According to the seller, it is compatible with systems ranging from Windows 7 (32-bit) to Windows 11 (64-bit) and supports both ARM and x86/x64 architectures; Cyberint has not independently verified these compatibility claims. Decryption of stolen data is carried out server-side, so everything the stealer collects remains encrypted in transit until it reaches the C2 server. Additionally, the stealer offers a Telegram bot notification feature that informs operators when new logs arrive.
As stated by the owner, the Continental Stealer is capable of extracting various system information, including Usernames, Computer Names, IP Addresses, Screen Sizes, CPU and GPU details, RAM, Disk information, and installed applications. Furthermore, it includes a file grabber feature and can extract data from a range of browsers, messaging and email applications, wallets, and additional software.
Panel and Infrastructure of The Continental Stealer
The Continental Stealer’s user interface is designed to be user-friendly, offering a login panel and an operational dashboard displaying statistics on logs, passwords, cryptocurrency wallets, and credit card information. This dashboard not only provides crucial insights but also facilitates log downloads.
Additionally, the panel includes a builder, eliminating the need for external tools. While the builder is integrated into the MaaS panel, users are required to specify the Command and Control (C2) server IP address, which sends commands to the malware and receives the stolen data. The builder offers customization options such as:
- Enable AntiVM: If activated, the build checks whether it is running inside a virtual machine and avoids executing its payload there. Because sandboxes and analyst workstations are typically virtualized, this hinders both automated detonation and manual reverse engineering of the sample.
- Self-destruct after execution: The binary deletes itself once it has run, leaving less on disk for antivirus scans and incident responders to recover and analyze.
- AntiRepeat: When selected, the build refuses to run again on a host it has already infected. This avoids duplicate logs and the repeated activity that would give defenders additional chances to notice and analyze the malware.
- Execution CIS: Users can decide whether the stealer will operate in Commonwealth of Independent States (CIS) countries, a political and economic union of former Soviet republics established after the dissolution of the Soviet Union. Threat actors of Russian origin commonly use such a switch to avoid infecting victims in these states and thereby avoid attracting local law enforcement attention. The presence of this option in the builder is one indicator of a possible connection to Russian interests or motivations.
The panel also features a Cookie Converter for translating cookie files between the Netscape text format and JSON. The operator uploads a cookie file in Netscape format (the tab-separated cookies.txt layout used by browsers, curl and most stealer logs) and the tool returns the same cookies as JSON. This lets an attacker load stolen cookies into tools, browser extensions or scripts that expect a different representation, increasing the flexibility with which session data can be reused.
Furthermore, users can change the file extension of the generated stealer and select the .NET Framework version it targets.
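To make the Cookie Converter's job concrete, the following is an added example (not code from the Continental Stealer or from its panel) that parses the Netscape cookies.txt format and emits the equivalent JSON. The sample cookie file embedded in the script is constructed for illustration and does not come from any real log; the field names in the JSON output are our own choice, since the page does not document the panel's exact output schema. The parser handles the two edge cases that trip up naive converters: comment lines, and the `#HttpOnly_` prefix that curl and many stealer logs use to mark HttpOnly cookies.

```python
"""Convert a Netscape-format cookie file (cookies.txt) to JSON.

Netscape format: one cookie per line, seven TAB-separated fields:
  domain, include_subdomains (TRUE/FALSE), path, secure (TRUE/FALSE),
  expires (Unix epoch seconds; 0 means a session cookie), name, value
Lines starting with '#' are comments, except for the '#HttpOnly_' prefix,
which marks an HttpOnly cookie and must be stripped rather than skipped.
"""
import json
from typing import Dict, List

HTTPONLY_PREFIX = "#HttpOnly_"

# Constructed sample input for this example (not a real stealer log):
# a comment line, a persistent cookie, an HttpOnly session cookie, a blank
# line and a host-only cookie on a sub-path.
SAMPLE_COOKIES_TXT = """# Netscape HTTP Cookie File
.example.com\tTRUE\t/\tTRUE\t1735689600\tprefs\tlang=en
#HttpOnly_.example.com\tTRUE\t/\tTRUE\t0\tsessionid\tabc123

example.org\tFALSE\t/app\tFALSE\t1700000000\ttheme\tdark
"""


def parse_netscape_cookies(text: str) -> List[Dict]:
    """Parse Netscape cookies.txt content into a list of cookie dicts."""
    cookies: List[Dict] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue  # blank line
        http_only = False
        if line.startswith(HTTPONLY_PREFIX):
            # Not a comment: strip the marker and keep parsing the cookie.
            http_only = True
            line = line[len(HTTPONLY_PREFIX):]
        elif line.startswith("#"):
            continue  # ordinary comment line
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(
                f"line {lineno}: expected 7 tab-separated fields, got {len(fields)}"
            )
        domain, subdomains, path, secure, expires, name, value = fields
        expires_at = int(expires)
        cookies.append({
            "domain": domain,
            "includeSubdomains": subdomains.upper() == "TRUE",
            "path": path,
            "secure": secure.upper() == "TRUE",
            "httpOnly": http_only,
            "expires": expires_at,
            "session": expires_at == 0,
            "name": name,
            "value": value,
        })
    return cookies


def netscape_to_json(text: str) -> str:
    """Return the cookies in `text` serialized as a JSON array."""
    return json.dumps(parse_netscape_cookies(text), indent=2)


if __name__ == "__main__":
    print(netscape_to_json(SAMPLE_COOKIES_TXT))
```

For defenders the same parser is useful in reverse: when a stealer log turns up in a breach dump, running it through a converter like this makes it straightforward to extract the affected domains and session cookie names so that the corresponding sessions can be invalidated.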
Summary and Impacts
The emergence of the “Continental Stealer” in recent days highlights the dynamic and ever-evolving landscape of information stealers, where new entrants continuously surface. This stealer exemplifies the broad reach and accessibility of the MaaS model: a straightforward, user-friendly panel and builder lower the barrier for threat actors of varying skill levels. That ease of use is its main selling point, and it could attract individuals who lack the expertise to operate more complex stealers, potentially expanding the pool of information stealer operators.
Cyberint and the Dark Web
Cyberint excels in accessing high-tier sources that remain elusive to most companies. Our unique ability to penetrate these hidden corners enables us to collect and analyze invaluable data. We enrich our automated collection with a human approach, through research and analysis of our military-grade expert team.
Find new sources in deep and dark web marketplaces, forums, and sites, even if those sources are volatile and difficult to track. Get deep analysis and reports, that allow you to understand a specific threat actor and group profiling, including the places of operation, targeted countries or verticals, TTPs and more. Get a demo and see what assets you have exposed on the deep & dark web.