Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files
Gremlin stealer has evolved from a basic credential harvester into a sophisticated, modular infostealer capable of active financial fraud and live session hijacking. Recent variants employ advanced anti-analysis techniques, including Themida packing, .NET resource section payload hiding with XOR encryption, and extensive code obfuscation, significantly complicating static detection efforts.
Authors: Unit 42
Source: Palo Alto Networks
- ip: 194[.]87[.]92[.]109 - Gremlin stealer C2 and data exfiltration server.
- url: hxxp://194[.]87[.]92[.]109/i[.]php - Exfiltration endpoint for stolen data archives.
What Happened
Gremlin stealer is a malicious program that steals sensitive information like passwords, cookies, and cryptocurrency details from infected computers. Recently, its creators have upgraded it to be much stealthier, hiding its core functions to avoid detection by antivirus software. This matters because the new version can actively steal cryptocurrency by altering copied wallet addresses and can hijack active web sessions. Organizations should ensure their security software is updated to detect behavioral anomalies and block the known malicious web addresses associated with this threat.
Key Takeaways
- Gremlin stealer has evolved into a modular toolkit featuring Discord token extraction and active financial fraud via a crypto clipper.
- The malware employs advanced obfuscation, hiding its payload within the .NET Resource section using XOR encoding to evade static analysis.
- Recent variants utilize a commercial packing utility (Themida) and implement identifier renaming, string encryption, and control-flow obfuscation.
- A new WebSocket-based session hijacking module allows the stealer to bypass modern cookie protections by querying live browser processes.
Affected Systems
- Windows
- Chromium-based browsers
- Discord
- Cryptocurrency wallets
Attack Chain
Gremlin stealer executes on the victim's machine, utilizing a commercial packer (Themida) and control-flow obfuscation to evade initial detection. It dynamically decrypts and loads its core modules from the .NET resource section using a single-byte XOR key. Once active, the malware harvests browser cookies, Discord tokens, and monitors the clipboard to swap cryptocurrency wallet addresses. The stolen data is compressed into a ZIP archive named after the victim's IP address and exfiltrated to an attacker-controlled server or via the Telegram Bot API.
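The resource-hiding step above is the part an analyst most often has to undo by hand. The following is an added triage helper (written for this summary, not Unit 42 code): it brute-forces every single-byte XOR key against a resource blob and reports the key that yields a valid PE header. It assumes the hidden module is a PE image, as the article describes, and the embedded sample blob is constructed here rather than taken from a real Gremlin sample.

```python
"""Recover a single-byte XOR-encoded PE payload from a .NET resource blob."""
import struct
from typing import Optional

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ magic and 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the first that exposes a PE header."""
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None

def build_fake_pe() -> bytes:
    """Constructed stand-in payload: DOS header (e_lfanew=0x80) plus a PE signature.

    This is not a real executable; it only carries the two header checks above.
    """
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)           # e_lfanew -> 0x80
    hdr += b"\x00" * (0x80 - len(hdr))                # DOS stub padding
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18

SAMPLE_KEY = 0x5A  # constructed key, not taken from any real sample
ENCODED_RESOURCE = xor_bytes(build_fake_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_xor_key(ENCODED_RESOURCE)
    print(f"recovered key: {key:#04x}" if key is not None else "no PE header found")
```

On a real resource, feed the bytes extracted from the .NET resource section in place of ENCODED_RESOURCE; a hit on one key is strong evidence the resource is a hidden module rather than benign data.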
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules or queries.
Detection Engineering Assessment
- EDR Visibility: Medium. Heavy obfuscation and memory-only loading of modules bypass many static signatures, but behavioral actions like clipboard monitoring and browser process access are highly visible to EDR.
- Network Visibility: Medium. Exfiltration occurs over standard HTTP/HTTPS to dedicated IPs or abused legitimate APIs (Telegram), which can blend with normal traffic if not decrypted or specifically monitored.
- Detection Difficulty: Moderate. Static analysis is difficult due to Themida packing and XOR-encoded resources, requiring dynamic analysis or behavioral detection to identify the threat.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- Network Connections (Sysmon 3)
- File Creation (Sysmon 11)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unknown or untrusted processes frequently reading the system clipboard, which may indicate crypto clipper activity. | EDR API monitoring / OS API logs | Collection | Medium |
| Monitor for unusual processes accessing Chromium browser data directories or initiating WebSocket connections to local browser debugging ports. | File Access Logs / Network Connections | Credential Access | Low |
| Hunt for .NET executables making outbound network connections to the Telegram Bot API (api.telegram.org) without a legitimate business justification. | Network Connections / DNS Logs | Exfiltration | Medium |
Control Gaps
- Static AV signatures may fail to detect payloads hidden within XOR-encoded .NET resource sections.
Key Behavioral Indicators
- Processes rapidly accessing clipboard data
- Unexpected WebSocket connections to browser processes
- Creation of ZIP files named as IP addresses in temporary directories
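Two of the hunting hypotheses and behavioral indicators above (IP-named ZIP archives in temporary directories, and outbound connections to the Telegram Bot API) can be expressed as checks over Sysmon Event ID 11 and Event ID 3 telemetry. The block below is an added illustration, not code from the article; the events it runs over are constructed, and the temp-directory patterns and field names are assumptions about a typical Sysmon export.

```python
"""Hunt over constructed Sysmon events for two Gremlin-style behaviours."""
import ipaddress
import re
from pathlib import PureWindowsPath

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")   # assumed temp paths
IP_ZIP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\.zip$", re.IGNORECASE)

def is_ip_named_zip_in_temp(target: str) -> bool:
    """Event 11 check: file name is <IPv4>.zip and the path is under a temp dir."""
    path = PureWindowsPath(target)
    m = IP_ZIP.match(path.name)
    if not m:
        return False
    try:
        ipaddress.IPv4Address(m.group(1))   # rejects e.g. 999.1.1.1
    except ValueError:
        return False
    return any(d in str(path).lower() for d in TEMP_DIRS)

def is_telegram_api_connection(dest_host: str) -> bool:
    """Event 3 check: destination host is the Telegram Bot API."""
    return dest_host.lower().rstrip(".") == "api.telegram.org"

def hunt(events):
    """Return (image, reason) for every event that matches a hypothesis."""
    hits = []
    for ev in events:
        if ev["EventID"] == 11 and is_ip_named_zip_in_temp(ev["TargetFilename"]):
            hits.append((ev["Image"], "ip-named zip in temp"))
        elif ev["EventID"] == 3 and is_telegram_api_connection(ev.get("DestinationHostname", "")):
            hits.append((ev["Image"], "telegram bot api"))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Users\\u\\AppData\\Roaming\\svc.exe",
     "TargetFilename": "C:\\Users\\u\\AppData\\Local\\Temp\\203.0.113.7.zip"},
    {"EventID": 11, "Image": "C:\\Program Files\\7-Zip\\7z.exe",
     "TargetFilename": "C:\\Users\\u\\Documents\\backup.zip"},
    {"EventID": 3, "Image": "C:\\Users\\u\\AppData\\Roaming\\svc.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for image, reason in hunt(SAMPLE_EVENTS):
        print(f"{reason}: {image}")
```

The Telegram check only flags the destination; to match the hypothesis as written, join the hit back to process metadata to confirm the image is a .NET executable with no business justification for that API.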
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider blocking the identified C2 IP address and URL at the perimeter firewall or web proxy.
Infrastructure Hardening
- Evaluate implementing DNS filtering to block newly registered or untrusted domains.
- Consider restricting outbound access to the Telegram API if it is not required for business operations.
User Protection
- Ensure EDR solutions are configured to monitor for credential access behaviors, particularly targeting browser data stores.
- If supported by your EDR, consider enabling behavioral protections against clipboard hijacking.
Security Awareness
- Educate users on the risks of downloading unverified software, which is a common vector for infostealers.
MITRE ATT&CK Mapping
- T1027 - Obfuscated Files or Information
- T1027.002 - Software Packing
- T1115 - Clipboard Data
- T1539 - Steal Web Session Cookie
- T1552.001 - Credentials In Files
- T1041 - Exfiltration Over C2 Channel