Anatomy of Celestial Stealer: Malware-as-a-Service Revealed

    Date: 12/11/2024

    Severity: High 

    Summary

    During proactive threat hunting, Trellix Advanced Research Center identified samples of Celestial Stealer, a JavaScript-based infostealer packaged as either an Electron application or a Node.js single executable application and targeting Windows 10 and 11. It is sold as Malware-as-a-Service (MaaS) through Telegram on weekly, monthly, or lifetime subscriptions that unlock its stealing features. The stealer harvests data from Chromium- and Gecko-based browsers and from applications such as Steam, Telegram, and cryptocurrency wallets including Atomic and Exodus.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://admin.celestial-stealer.dev/api

    https://capguru-solver.com/index.js

    https://publicimgura.discloud.app/ex

    https://publicimgura.discloud.app/dc

    https://zerostone.discloud.app/dc-account

    https://zerostone.discloud.app/pc-data

    http://92.246.138.20:80/storage

    http://counters-strike2.org/log

    https://gonnacrack.discloud.app/dc

    https://unity-api.net/log

    https://nodeupdater.discloud.app/dc

    https://nodeupdater.discloud.app/ex

    https://now-here.fun/log

    https://nodeupdater.discloud.app/Node

    https://prnt-screen.com/log

    https://api-unreal.com/add_log

    https://spinit.discloud.app/dc

    https://python-developers.net/ex

    https://python-developers.net/shine

    https://python-developers.net/dc?celestial_customerId=1680726574&discord_warn=password

    https://python-developers.net/dc?celestial_customerId=1680726574&discord_warn=disabled

    https://python-developers.net/dc?celestial_customerId=1680726574&discord_warn=email 

    https://python-developers.net/dc?celestial_customerId=1680726574&discord_warn=2fa

    https://cdn.discordapp.com/attachments/1257095872119050412/1289229793019035658/VRChatERPSetup.zip?ex=66f8104f&is=66f6becf&hm=c7644bcbfb336dbd7ba6cc1d23799884d6063563c8258f08f5ee0079f3fdf798&

    https://discord.com/api/webhooks/1267588512384028843/8bzuUVUhTxXp8hSBex1Z95f9rZZ64n0WrVUDE7VgP4dc8Sm5KeXHEzfUOMfxDyssnBJf

    https://discord.com/api/webhooks/1267991686005391400/X3rWp82Sxtdr4bpPKg9cMFPcDSicZSXNNfdw0AFMVLqnBQj91wWACYQ0XtSDrTPK7xwI?wait=true

    https://api.telegram.org/bot6311499435:AAFQP3ud184cvNT7X2gfjaZnyazkEfzK7y8/sendDocument

    https://canary.discord.com/api/webhooks/1246331548886896731/WETNV8O_QTDHjBkeEYLFUwKBhdV5khOWNPotV1JejTwtkEuQ2jON9icniw6QlxlLE73n?wait=true

    Hashes (SHA-256):

    04debe522bc88e152d840a727bb0c6516994896d5bd74e3a48c89e2ef4c8e730
    
    a8a302a3299a778cdf5cacbc54057d681798baf4899c26427599a37ee681e857
    
    f31bbd1a2a16bcdd990e6332a41c9b473d0437b669a04678e4d0ef06d5dab781
    
    6802c39e0be7b82eaa25b98b061e324e812281f4fdd6a7ff05dcd9370ceb886e
    
    ac16f44c05bb5e800f1cbd66a1256e717652f2244c99074300d8f64bec2503f5
    
    bc609bdadaf2beb8e4a0fd8aad10145f2d31bc27a8f70e40187e4f58f7e152a0
    
    26f89cee38263c449c8e154c8b35768593e8171c30dd638328c16294ac36f18d
    
    52180322da77c5fd2ecf33b692dee89c3d9391ddb15b40ec93b94db9f26833ed
    
    c65dd9691bbc93805ac6a1c755000075546843293f5695cf8f8719e0563db3d0
    
    61c0610c84a0c75aee1f5d97d24cce2995834f177aa423f9509554017bec3cee
    
    e8284902c9d1c3d28ebfda230acc509ef5be47786590d3d647818d205a4a78f9
    
    c78fb7d3eda7014a84ee4618b3e28b1f5551f8e487b29a7179aebb219eeb0877
    
    19251875426af36307335bdeaeb770079f6ebfb095aec6f70eebb2145559ac0f
    
    5c97a829fecf7a0aa989b976bfe37759a2ad65ebbcacad39a2876955b16c2ad8
    
    1b3526c18894b0b120dc5cfd691da7aaba6e6db94dbe99d3d2d6da41e7bb4eab
    
    13f8ad68dce69c845801ea016feb4644c771b5193971cf631af07fb3a816ca02
    
    5fc66fa832517bae0ee3306def7ad55081a409d380d72f1c6c36362a9cbbc3be
    
    c70601eda62ac6a9b9135f9273299f90b443d8d11dfcfec4f836fb9da07a9dfa
    
    74c28e5c79639e2e653c8e18e64e488fec3337f29be3a450b93d6a2559e4669b
    
    5a6638f509e7b6dd1a8df35cc705531cd94f25e0346c13e54f4f8731f1c3651a
    
    3c3c144a31c283e5e3296967515af01b0dd99954b0ed4124041cfdd8a8c90978
    
    d4f3fc469e10c9a2fec6f266285556a21a84e39ff76488d3f502545dcd316d5a
    
    2992586924a5cf67f918b38339d74df62ea5dcd90a38d78110a7aa4f9c974548
    
    0b44254d019ccc1cc197741396c4cb70e2e3e9f6a7139cb661f8b98adcbf7a60
    
    cd5c8dea6e20e80bee93d3e3fc3e1a841fdbad316b444c8e79cced619d6d1e5b

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs 1:

    userdomainname like "https://python-developers.net/dc?celestial_customerId=1680726574&discord_warn=email" or url like "https://python-developers.net/dc?celestial_customerId=1680726574&discord_warn=email" or userdomainname like "https://zerostone.discloud.app/dc-account" or url like "https://zerostone.discloud.app/dc-account" or userdomainname like "https://cdn.discordapp.com/attachments/1257095872119050412/1289229793019035658/VRChatERPSetup.zip?ex=66f8104f&is=66f6becf&hm=c7644bcbfb336dbd7ba6cc1d23799884d6063563c8258f08f5ee0079f3fdf798&" or url like "https://cdn.discordapp.com/attachments/1257095872119050412/1289229793019035658/VRChatERPSetup.zip?ex=66f8104f&is=66f6becf&hm=c7644bcbfb336dbd7ba6cc1d23799884d6063563c8258f08f5ee0079f3fdf798&" or userdomainname like "https://api.telegram.org/bot6311499435:AAFQP3ud184cvNT7X2gfjaZnyazkEfzK7y8/sendDocument" or url like "https://api.telegram.org/bot6311499435:AAFQP3ud184cvNT7X2gfjaZnyazkEfzK7y8/sendDocument" or userdomainname like "https://canary.discord.com/api/webhooks/1246331548886896731/WETNV8O_QTDHjBkeEYLFUwKBhdV5khOWNPotV1JejTwtkEuQ2jON9icniw6QlxlLE73n?wait=true" or url like "https://canary.discord.com/api/webhooks/1246331548886896731/WETNV8O_QTDHjBkeEYLFUwKBhdV5khOWNPotV1JejTwtkEuQ2jON9icniw6QlxlLE73n?wait=true" or userdomainname like "https://zerostone.discloud.app/pc-data" or url like "https://zerostone.discloud.app/pc-data" or userdomainname like "https://prnt-screen.com/log" or url like "https://prnt-screen.com/log" or userdomainname like "https://python-developers.net/ex" or url like "https://python-developers.net/ex" or userdomainname like "https://publicimgura.discloud.app/dc" or url like "https://publicimgura.discloud.app/dc" or userdomainname like "https://capguru-solver.com/index.js" or url like "https://capguru-solver.com/index.js" or userdomainname like "https://api-unreal.com/add_log" or url like "https://api-unreal.com/add_log" or userdomainname like "https://nodeupdater.discloud.app/ex" or url like "https://nodeupdater.discloud.app/ex" or userdomainname like "https://now-here.fun/log" or url like "https://now-here.fun/log" or userdomainname like "https://spinit.discloud.app/dc" or url like "https://spinit.discloud.app/dc" or userdomainname like "https://admin.celestial-stealer.dev/api" or url like "https://admin.celestial-stealer.dev/api" or userdomainname like "https://python-developers.net/dc?celestial_customerId=1680726574&discord_warn=disabled" or url like "https://python-developers.net/dc?celestial_customerId=1680726574&discord_warn=disabled" or userdomainname like "https://nodeupdater.discloud.app/dc" or url like "https://nodeupdater.discloud.app/dc" or userdomainname like "https://unity-api.net/log" or url like "https://unity-api.net/log"

    Domains/URLs 2:

    userdomainname like "https://publicimgura.discloud.app/ex" or url like "https://publicimgura.discloud.app/ex" or userdomainname like "http://92.246.138.20/storage" or url like "http://92.246.138.20/storage" or userdomainname like "http://counters-strike2.org/log" or url like "http://counters-strike2.org/log" or userdomainname like "https://gonnacrack.discloud.app/dc" or url like "https://gonnacrack.discloud.app/dc" or userdomainname like "https://nodeupdater.discloud.app/Node" or url like "https://nodeupdater.discloud.app/Node" or userdomainname like "https://python-developers.net/shine" or url like "https://python-developers.net/shine" or userdomainname like "https://python-developers.net/dc?celestial_customerId=1680726574&discord_warn=password" or url like "https://python-developers.net/dc?celestial_customerId=1680726574&discord_warn=password" or userdomainname like "https://python-developers.net/dc?celestial_customerId=1680726574&discord_warn=2fa" or url like "https://python-developers.net/dc?celestial_customerId=1680726574&discord_warn=2fa" or userdomainname like "https://discord.com/api/webhooks/1267588512384028843/8bzuUVUhTxXp8hSBex1Z95f9rZZ64n0WrVUDE7VgP4dc8Sm5KeXHEzfUOMfxDyssnBJf" or url like "https://discord.com/api/webhooks/1267588512384028843/8bzuUVUhTxXp8hSBex1Z95f9rZZ64n0WrVUDE7VgP4dc8Sm5KeXHEzfUOMfxDyssnBJf" or userdomainname like "https://discord.com/api/webhooks/1267991686005391400/X3rWp82Sxtdr4bpPKg9cMFPcDSicZSXNNfdw0AFMVLqnBQj91wWACYQ0XtSDrTPK7xwI?wait=true" or url like "https://discord.com/api/webhooks/1267991686005391400/X3rWp82Sxtdr4bpPKg9cMFPcDSicZSXNNfdw0AFMVLqnBQj91wWACYQ0XtSDrTPK7xwI?wait=true"

    Hash (SHA-256):

    sha256hash IN ("0b44254d019ccc1cc197741396c4cb70e2e3e9f6a7139cb661f8b98adcbf7a60","5c97a829fecf7a0aa989b976bfe37759a2ad65ebbcacad39a2876955b16c2ad8","1b3526c18894b0b120dc5cfd691da7aaba6e6db94dbe99d3d2d6da41e7bb4eab","a8a302a3299a778cdf5cacbc54057d681798baf4899c26427599a37ee681e857","19251875426af36307335bdeaeb770079f6ebfb095aec6f70eebb2145559ac0f","04debe522bc88e152d840a727bb0c6516994896d5bd74e3a48c89e2ef4c8e730","bc609bdadaf2beb8e4a0fd8aad10145f2d31bc27a8f70e40187e4f58f7e152a0","c65dd9691bbc93805ac6a1c755000075546843293f5695cf8f8719e0563db3d0","74c28e5c79639e2e653c8e18e64e488fec3337f29be3a450b93d6a2559e4669b","c78fb7d3eda7014a84ee4618b3e28b1f5551f8e487b29a7179aebb219eeb0877","cd5c8dea6e20e80bee93d3e3fc3e1a841fdbad316b444c8e79cced619d6d1e5b","c70601eda62ac6a9b9135f9273299f90b443d8d11dfcfec4f836fb9da07a9dfa","f31bbd1a2a16bcdd990e6332a41c9b473d0437b669a04678e4d0ef06d5dab781","26f89cee38263c449c8e154c8b35768593e8171c30dd638328c16294ac36f18d","6802c39e0be7b82eaa25b98b061e324e812281f4fdd6a7ff05dcd9370ceb886e","52180322da77c5fd2ecf33b692dee89c3d9391ddb15b40ec93b94db9f26833ed","ac16f44c05bb5e800f1cbd66a1256e717652f2244c99074300d8f64bec2503f5","61c0610c84a0c75aee1f5d97d24cce2995834f177aa423f9509554017bec3cee","e8284902c9d1c3d28ebfda230acc509ef5be47786590d3d647818d205a4a78f9","13f8ad68dce69c845801ea016feb4644c771b5193971cf631af07fb3a816ca02","5fc66fa832517bae0ee3306def7ad55081a409d380d72f1c6c36362a9cbbc3be","5a6638f509e7b6dd1a8df35cc705531cd94f25e0346c13e54f4f8731f1c3651a","3c3c144a31c283e5e3296967515af01b0dd99954b0ed4124041cfdd8a8c90978","d4f3fc469e10c9a2fec6f266285556a21a84e39ff76488d3f502545dcd316d5a","2992586924a5cf67f918b38339d74df62ea5dcd90a38d78110a7aa4f9c974548")
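    The TDIR queries above match the complete URL string. As an added example (not part of this advisory or of the Trellix report), the Python script below applies a subset of the same IOCs to constructed proxy and file-event records in a way that is more robust to the variations visible in the list: it keys on the hostname, so the 92.246.138.20 entry matches whether or not the :80 port is present (the IOC list carries the port, the query does not) and every discord_warn= value of python-developers.net is caught, while for shared services such as discord.com, canary.discord.com, cdn.discordapp.com and api.telegram.org it requires the exact webhook, attachment or bot path because the hostname alone is ordinary traffic. The log line format, internal IPs, timestamps, hostnames such as WS-0142 and the file paths are all constructed for the example.

```python
"""Apply the Celestial Stealer network and hash IOCs to log records.

Added example, not part of the Gurucul advisory or the Trellix report.
The proxy log format, the sample lines and the file paths are constructed.
"""
from urllib.parse import urlparse

# Subset of the network IOCs listed in the advisory (the full list can be pasted in).
IOC_URLS = [
    "https://admin.celestial-stealer.dev/api",
    "https://capguru-solver.com/index.js",
    "https://zerostone.discloud.app/dc-account",
    "http://92.246.138.20:80/storage",
    "http://counters-strike2.org/log",
    "https://python-developers.net/dc?celestial_customerId=1680726574&discord_warn=password",
    "https://discord.com/api/webhooks/1267588512384028843/8bzuUVUhTxXp8hSBex1Z95f9rZZ64n0WrVUDE7VgP4dc8Sm5KeXHEzfUOMfxDyssnBJf",
    "https://api.telegram.org/bot6311499435:AAFQP3ud184cvNT7X2gfjaZnyazkEfzK7y8/sendDocument",
]

# Hosts that carry legitimate traffic: matching the hostname alone would flag
# every Discord or Telegram user, so the exfiltration path is required there.
SHARED_HOSTS = {"discord.com", "canary.discord.com", "cdn.discordapp.com", "api.telegram.org"}

# Subset of the SHA-256 IOCs listed in the advisory.
IOC_SHA256 = {
    "04debe522bc88e152d840a727bb0c6516994896d5bd74e3a48c89e2ef4c8e730",
    "a8a302a3299a778cdf5cacbc54057d681798baf4899c26427599a37ee681e857",
}


def host_of(url):
    """Lower-case hostname with any port removed ('92.246.138.20:80' -> '92.246.138.20')."""
    return (urlparse(url).hostname or "").lower()


def build_index(urls):
    """Split IOC URLs into attacker-controlled hostnames and (host, path) pairs on shared services."""
    hosts, shared_paths = set(), set()
    for url in urls:
        host = host_of(url)
        if host in SHARED_HOSTS:
            shared_paths.add((host, urlparse(url).path))
        else:
            hosts.add(host)
    return hosts, shared_paths


def classify_url(url, hosts, shared_paths):
    """Return 'host', 'shared-path' or None; the query string is ignored on purpose."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in hosts:
        return "host"
    if (host, parsed.path) in shared_paths:
        return "shared-path"
    return None


def scan_proxy_log(lines, urls=IOC_URLS):
    """Return (source_ip, matched_host, match_kind) for each line that hits an IOC.

    Constructed line format: '<timestamp> <src_ip> <method> <url> <status>'.
    """
    hosts, shared_paths = build_index(urls)
    hits = []
    for line in lines:
        _ts, src_ip, _method, url, _status = line.split()
        kind = classify_url(url, hosts, shared_paths)
        if kind is not None:
            hits.append((src_ip, host_of(url), kind))
    return hits


def scan_file_hashes(records, known=IOC_SHA256):
    """Return (host, path) for (host, path, sha256) events whose hash is in the IOC set."""
    return [(host, path) for host, path, sha256 in records if sha256.lower() in known]


# Constructed sample data: internal IPs, timestamps, workstation name and paths are made up.
SAMPLE_PROXY_LOG = [
    "2024-11-12T10:01:02Z 10.0.0.5 GET https://www.example.org/index.html 200",
    "2024-11-12T10:01:07Z 10.0.0.5 POST http://92.246.138.20/storage 200",
    "2024-11-12T10:01:09Z 10.0.0.7 GET https://python-developers.net/dc?celestial_customerId=1680726574&discord_warn=2fa 200",
    "2024-11-12T10:02:11Z 10.0.0.9 POST https://discord.com/api/webhooks/1267588512384028843/8bzuUVUhTxXp8hSBex1Z95f9rZZ64n0WrVUDE7VgP4dc8Sm5KeXHEzfUOMfxDyssnBJf?wait=true 204",
    "2024-11-12T10:02:15Z 10.0.0.9 GET https://discord.com/api/v9/users/@me 200",
]
SAMPLE_FILE_EVENTS = [
    ("WS-0142", "C:\\Users\\user\\Downloads\\setup.zip",
     "A8A302A3299A778CDF5CACBC54057D681798BAF4899C26427599A37EE681E857"),
    ("WS-0142", "C:\\Windows\\System32\\notepad.exe",
     "0000000000000000000000000000000000000000000000000000000000000000"),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("network IOC hit:", hit)
    for hit in scan_file_hashes(SAMPLE_FILE_EVENTS):
        print("hash IOC hit:", hit)
```

    Run against the constructed sample, the port-less IP request, the discord_warn=2fa variant and the webhook POST are reported, while the ordinary discord.com API call and the benign file hash are not. Hash comparison is case-insensitive because EDR and proxy products differ in how they render SHA-256 values.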

    Reference:   

    https://www.trellix.com/blogs/research/anatomy-of-celestial-stealer-malware-as-a-service-revealed/ 


    Tags

    Malware
    MaaS
    Communications
    Information Technology


