MicroStealer Analysis: A Fast-Spreading Infostealer with Limited Detection

MicroStealer is a newly identified, fast-spreading infostealer that targets sensitive corporate and personal data, including browser credentials, session cookies, and cryptocurrency wallets. It employs a sophisticated NSIS to Electron to Java execution chain, combined with obfuscation and anti-analysis checks, to maintain a low detection rate across security vendors.

Sens: Immediate | Conf: high | Analyzed: 2026-03-12

Authors: ANY.RUN

Actors: MicroStealer

Source: ANY.RUN


Key Takeaways

  • MicroStealer is a fast-spreading infostealer targeting browser credentials, active sessions, screenshots, and crypto wallets.
  • It utilizes a complex, layered execution chain (NSIS → Electron → JAR) to evade static detection.
  • Distribution heavily relies on compromised or impersonated accounts, often targeting the education and telecommunications sectors.
  • Data exfiltration occurs via Discord webhooks and newly registered attacker-controlled servers.
  • The malware employs anti-analysis techniques, including virtual machine detection and code obfuscation (LZ-String, ZKM).

Affected Systems

  • Windows
  • Chromium-based browsers
  • Opera
  • Opera GX
  • Discord
  • Steam
  • Cryptocurrency wallets

Attack Chain

The attack begins when a victim downloads an NSIS installer (e.g., RocobeSetup.exe) from a malicious or compromised site. The installer extracts an Electron application (Game Launcher.exe) which prompts the user for administrative privileges via UAC. Once elevated, the Electron app extracts and executes a disguised Java Runtime Environment (miicrosoft.exe) to run the main obfuscated payload (soft.jar). The Java payload establishes persistence via a scheduled task, performs VM evasion checks, steals browser data, captures screenshots, and exfiltrates the archived data to Discord webhooks and attacker-controlled servers.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.), but relies on behavioral analysis and IOCs provided via the ANY.RUN platform.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDRs should catch the scheduled task creation, PowerShell execution for UAC bypass, and LSASS access attempts. However, the layered execution (NSIS → Electron → Java) and in-memory execution of JS from ASAR archives might obscure the initial stages.
  • Network Visibility: High — Exfiltration to Discord webhooks and custom domains with a specific User-Agent ('MicroStealer/1.0') provides strong network-level detection opportunities.
  • Detection Difficulty: Moderate — While the static signatures are easily evaded due to obfuscation and layered packaging, the behavioral footprint (schtasks, LSASS access, Discord webhook exfiltration) is noisy and detectable.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • Network Connections (Sysmon 3)
  • Scheduled Task Creation (Event ID 4698)
  • Process Access (Sysmon 10)

Hunting Hypotheses

  • Hypothesis: Look for scheduled tasks created with the name pattern 'App_<username>' executing a JAR file via a disguised Java executable (e.g., miicrosoft.exe). | Telemetry: Process Creation, Scheduled Task Creation | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Search for network connections to discord.com/api/webhooks/ originating from non-browser processes, especially Java (javaw.exe or renamed variants). | Telemetry: Network Connections | ATT&CK Stage: Exfiltration | FP Risk: Low
  • Hypothesis: Monitor for processes attempting to duplicate tokens from lsass.exe, especially when originating from Java or Electron-based applications. | Telemetry: Process Access (Sysmon 10) | ATT&CK Stage: Credential Access | FP Risk: Medium

Control Gaps

  • Static AV signatures failing due to NSIS/Electron/Java layering and ZKM obfuscation
  • Lack of network filtering for Discord webhooks

Key Behavioral Indicators

  • User-Agent: MicroStealer/1.0
  • Creation of %LOCALAPPDATA%\model\jre\bin\miicrosoft.exe
  • schtasks command referencing a .jar file and ONLOGON trigger
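The three hunting hypotheses and the behavioral indicators above can be exercised together as one small rule set. The Python below is an added example, not code from ANY.RUN or from the report; the event records, their field names (loosely modelled on Sysmon 1/3/10 plus a web-proxy log), the user name alice and the benign comparison events are constructed assumptions.

```python
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "brave.exe", "discord.exe"}  # expected discord.com talkers
JAVA_NAMES = {"java.exe", "javaw.exe", "miicrosoft.exe"}       # JRE names, incl. the report's renamed one
TASK_RE = re.compile(r'/tn\s+"?\\?App_\w+', re.I)                # 'App_<username>' task name
WEBHOOK_RE = re.compile(r"discord\.com/api/webhooks/", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Return [(rule, index)] for every event matching one of the report's hypotheses."""
    hits = []
    for i, e in enumerate(events):
        kind, img = e["kind"], basename(e.get("image", ""))
        if kind == "sysmon1" and img == "schtasks.exe":               # persistence: App_<user> task -> .jar at logon
            cmd = e["command_line"].lower()
            if TASK_RE.search(cmd) and ".jar" in cmd and "onlogon" in cmd:
                hits.append(("scheduled_task_app_jar", i))
        elif kind == "sysmon3":                                        # exfil, host level: non-browser -> discord.com
            if e["dest_host"].lower() == "discord.com" and img not in BROWSERS:
                hits.append(("discord_from_nonbrowser", i))
        elif kind == "proxy":                                          # exfil, URL/User-Agent level
            if e.get("user_agent") == "MicroStealer/1.0":
                hits.append(("microstealer_user_agent", i))
            if WEBHOOK_RE.search(e["url"]) and img not in BROWSERS:
                hits.append(("discord_webhook_from_nonbrowser", i))
        elif kind == "sysmon10" and basename(e["target_image"]) == "lsass.exe":  # credential access
            src = e["source_image"]
            if basename(src) in JAVA_NAMES or "\\appdata\\local\\" in src.lower():
                hits.append(("lsass_access_from_java_or_appdata", i))
    return hits

# Constructed sample telemetry (not from the report); paths follow the layout it describes.
JRE = r"C:\Users\alice\AppData\Local\model\jre\bin\miicrosoft.exe"
SAMPLE_EVENTS = [
    {"kind": "sysmon1", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": f'schtasks /create /tn "App_alice" /sc ONLOGON /tr "{JRE} -jar '
                     r'C:\Users\alice\AppData\Local\soft.jar"'},
    {"kind": "sysmon1", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Tools\backup.exe"'},
    {"kind": "sysmon3", "image": JRE, "dest_host": "discord.com"},
    {"kind": "sysmon3", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest_host": "discord.com"},
    {"kind": "proxy", "image": JRE, "user_agent": "MicroStealer/1.0",
     "url": "https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN"},
    {"kind": "sysmon10", "source_image": JRE, "target_image": r"C:\Windows\System32\lsass.exe"},
    {"kind": "sysmon10", "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
]
```

Running `hunt(SAMPLE_EVENTS)` flags the task creation, both Discord observations, the custom User-Agent and the LSASS access from the renamed JRE, while the benign schtasks, Chrome and Defender events pass.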

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block known malicious domains and Discord webhook URLs at the network perimeter.
  • Search endpoints for the presence of 'miicrosoft.exe' in AppData and 'soft.jar'.

Infrastructure Hardening

  • Implement LSA Protection (RunAsPPL) to prevent unauthorized access to LSASS memory.
  • Restrict the execution of JAR files and unsigned executables from user profile directories (AppData/Local).
  • Block or monitor outbound traffic to Discord webhooks if not required for business operations.

User Protection

  • Enforce MFA on all corporate accounts to mitigate the impact of stolen session cookies and credentials.
  • Deploy EDR solutions configured to monitor for suspicious child processes spawning from Electron apps or Java.

Security Awareness

  • Train users to be cautious of UAC prompts appearing unexpectedly during software installation.
  • Educate employees on the risks of downloading software or plugins from unofficial sources (e.g., VRChat plugins).

MITRE ATT&CK Mapping

  • T1204.002 - User Execution: Malicious File
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
  • T1134.001 - Access Token Manipulation: Token Impersonation/Theft
  • T1027 - Obfuscated Files or Information
  • T1036.005 - Masquerading: Match Legitimate Name or Location
  • T1497.001 - Virtualization/Sandbox Evasion: System Checks
  • T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
  • T1539 - Steal Web Session Cookie
  • T1552.001 - Unsecured Credentials: Credentials In Files
  • T1003.001 - OS Credential Dumping: LSASS Memory
  • T1082 - System Information Discovery
  • T1113 - Screen Capture
  • T1560.001 - Archive Collected Data: Archive via Utility
  • T1567.004 - Exfiltration Over Web Service: Exfiltration Over Webhook
  • T1071.001 - Application Layer Protocol: Web Protocols

Additional IOCs

  • File Paths:
    • %LOCALAPPDATA%\model\jre\bin\miicrosoft.exe - Disguised Java executable used to run the payload.
    • %LOCALAPPDATA%\soft.jar - Main Java payload dropped to disk.
  • Command Lines:
    • Purpose: Create scheduled task for persistence | Tools: schtasks.exe | Stage: Persistence
    • Purpose: Elevate privileges via UAC prompt | Tools: powershell.exe | Stage: Privilege Escalation
  • Other:
    • 440D7F4D810EF9298D25EDDF37C1F902 - Hardcoded Steam Web API Key used for account profiling.
    • MicroStealer/1.0 - Custom User-Agent string used during network communications.