A new information-stealing malware has been discovered that is capable of exfiltrating a wide range of sensitive information and also disabling antivirus programs to establish persistence on target endpoints.
Cybersecurity researchers from CYFIRMA have shared an in-depth analysis of the infostealer, which they call Yunit Stealer.
Yunit Stealer uses JavaScript to integrate system utilities and cryptographic modules, allowing it to perform tasks such as retrieving system information, executing commands, and making HTTP requests. It remains persistent on the target device by modifying the registry, adding scheduled tasks via batch and VBScript files, and finally by setting exclusions in Windows Defender.
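As an added example (not code from the CYFIRMA report), the following PowerShell audit checks a Windows host for the three persistence mechanisms described above: Run-key entries and scheduled tasks that launch batch or VBScript files, and any Windows Defender exclusions. The report does not name specific key names, task names or paths, so the pattern used to flag entries is a generic assumption.

```powershell
# Added example, not from the CYFIRMA report. Audits the persistence
# mechanisms attributed to Yunit Stealer. Run in an elevated session so
# Get-MpPreference and HKLM keys are readable. The regex below is an
# assumed generic indicator (scripts or script hosts in user-writable paths).
$findings = @()
$suspicious = '\.(bat|cmd|vbs|js)\b|\\AppData\\|\\Temp\\|\\ProgramData\\|wscript|cscript'

# 1. Registry Run/RunOnce keys pointing at scripts or user-writable locations
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
        if ($p.Value -match $suspicious) {
            $findings += [pscustomobject]@{ Source = "Run key $key"; Name = $p.Name; Detail = $p.Value }
        }
    }
}

# 2. Scheduled tasks whose action executes a batch/VBScript file or a script host
Get-ScheduledTask | ForEach-Object {
    foreach ($a in $_.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $suspicious) {
            $findings += [pscustomobject]@{ Source = 'Scheduled task'; Name = $_.TaskName; Detail = $cmd }
        }
    }
}

# 3. Windows Defender exclusions: every exclusion on an endpoint that is not
#    expected to have one is worth reviewing, whatever path it names
$pref = Get-MpPreference
foreach ($x in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
    if ($x) { $findings += [pscustomobject]@{ Source = 'Defender exclusion'; Name = '-'; Detail = $x } }
}

$findings | Format-Table -AutoSize
```

An empty table means none of the three indicators is present; any Defender exclusion row should be reconciled against the change record that authorised it.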
Stealing passwords and credit card information
When it comes to its information-stealing capabilities, Yunit is as powerful as any other malware. It can steal system information, data stored in the browser (passwords, cookies, autofill information, etc.), and cryptocurrency wallet information. In addition to passwords, it can also collect credit card details saved in the browser.
Once it has collected all the information it deems useful, the malware will attempt to exfiltrate it via Discord webhooks or to a Telegram channel. It will also upload it to a remote server and generate a download link for further access. The link will also come with screenshots, allowing the threat actor to retrieve the information while maintaining anonymity and evading detection. Accessing the data through these encrypted communication channels further helps it avoid detection.
Reinforcing the idea that Yunit is an emerging infostealer that has yet to demonstrate its prowess, CYFIRMA highlighted that the Telegram channel was only established on August 31, 2024 and that it currently has 12 subscribers. Meanwhile, the Discord account is currently inactive.