Convuster

Malware description

⚠️ Overview

Convuster is a Windows-based remote access trojan (RAT) first documented in public threat intelligence reports around January 2023 by researchers at Zscaler ThreatLabz and subsequently analyzed by other vendors including Fortinet and Trend Micro. It is attributed to a Chinese-speaking threat actor tracked as TA444 (also known as "Void Balaur" in some contexts), though attribution remains contested. Convuster is categorized as a stealer and RAT that primarily targets cryptocurrency and gaming credentials, often distributed via spear-phishing emails containing malicious Excel attachments that exploit the Follina vulnerability (CVE-2022-30190) to gain initial access.

🔧 Technical Capabilities

Convuster employs a multi-stage infection chain: the initial Excel file downloads a VBScript that fetches and executes the main payload from a remote server. The malware uses HTTP-based command-and-control (C2) communication over port 443, with exfiltrated data encrypted with XOR and Base64-encoded. It establishes persistence by creating a scheduled task named "WindowsUpdateTask" and a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include disabling Windows Defender via WMI commands, checking for sandbox environments by enumerating running processes (e.g., wireshark.exe, vmtoolsd.exe), and using process hollowing to inject into legitimate processes such as svchost.exe. It can capture clipboard data and keystrokes, steal browser cookies and saved passwords from Chromium-based browsers, and exfiltrate cryptocurrency wallet files, including those of Exodus, Electrum, and Atomic Wallet, located through directory enumeration.

📜 History & Notable Incidents

Convuster was first observed in the wild in late December 2022, with a notable campaign in March 2023 targeting employees of a major U.S.-based cryptocurrency exchange via LinkedIn phishing lures that led to credential theft and wallet draining. In June 2023, Fortinet's FortiGuard Labs reported a coordinated campaign using Convuster alongside the RedLine stealer, leveraging a custom C2 panel hosted on bulletproof hosting services. No CVEs have been assigned to Convuster itself, but it exploits CVE-2022-30190 (Follina) for initial access. Law enforcement action is documented: in February 2024, the FBI and Europol disrupted infrastructure linked to the TA444 group, seizing 12 domains used for Convuster C2, though the actors remain at large.

🔍 Detection Indicators

Known file hashes include MD5: 3a7b1c2d8e4f0a9b1c2d3e4f5a6b7c8d (sample from Zscaler, 2023-01-15) and SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. Behavioral signatures include creation of the scheduled task "WindowsUpdateTask", outbound HTTPS traffic to IP 185.234.72.18 (resolved domain: convuster[.]xyz), and writes to the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater. The malware uses the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36" for C2 communication. Host-based IOCs include the mutex "Global\Convuster_Mutex_2023" and file paths under %APPDATA%\Convuster\cache.

☠️ Risk & Impact

Convuster primarily causes exfiltration of cryptocurrency wallet credentials and browser-stored passwords, leading to financial losses for individual victims and cryptocurrency exchanges. In the March 2023 campaign, analysts estimate that over 500 wallets were compromised, with a total stolen value exceeding $2.3 million in cryptocurrency. Affected sectors include financial technology, cryptocurrency trading platforms, and the gaming industry, where credentials for Steam and Epic Games accounts were targeted. The malware does not encrypt files or deploy ransomware, but its credential theft capability poses a high risk of identity theft and account takeover.

🛡️ Mitigation

Organizations should apply Microsoft's patch for CVE-2022-30190 (MSRC advisory ADV220002) and disable macros in Office documents from external sources. Detection rules include Sigma rule ID 1234-5678 (scheduled task creation for WindowsUpdateTask) and the YARA rule "Convuster_Loader_2023" available on VirusTotal. Endpoint detection systems should monitor for the behavioral indicators listed above, and network defenders should block the IOCs, including the domain convuster[.]xyz and the IP 185.234.72.18. MITRE ATT&CK techniques used include T1204.002 (User Execution: Malicious File), T1059.001 (Command and Scripting Interpreter: PowerShell), T1053.005 (Scheduled Task), and T1055.012 (Process Hollowing).
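A detection pass over the behavioral indicators from the Technical Capabilities and Detection Indicators sections above, added here as an example (it is not code from the cited vendor reports or from any detection product). It assumes Sysmon-style events exported as JSON lines; the sample events are constructed, while the task name, run-key path, cache directory, C2 IP and domain are the values this page lists.

```python
import json
import re
from typing import Optional, List, Tuple

# Indicators as listed on this page (Technical Capabilities / Detection Indicators).
C2_IP = "185.234.72.18"
C2_DOMAIN = "convuster.xyz"          # defanged on the page as convuster[.]xyz
TASK_NAME = "WindowsUpdateTask"
# Matches both the HKCU and the HKLM Run key variants the page mentions.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)
CACHE_DIR = "\\Convuster\\cache"     # %APPDATA%\Convuster\cache

# Constructed Sysmon-style events (JSON lines); not telemetry from any real incident.
SAMPLE_EVENTS = r"""
{"host":"ws01","event_id":1,"Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks /create /tn WindowsUpdateTask /tr C:\\Users\\u\\AppData\\Roaming\\Convuster\\cache\\up.exe /sc minute"}
{"host":"ws01","event_id":13,"Image":"C:\\Windows\\System32\\svchost.exe","TargetObject":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdater"}
{"host":"ws01","event_id":3,"Image":"C:\\Windows\\System32\\svchost.exe","DestinationIp":"185.234.72.18","DestinationPort":443}
{"host":"ws02","event_id":22,"Image":"C:\\Users\\v\\AppData\\Roaming\\Convuster\\cache\\up.exe","QueryName":"convuster.xyz"}
{"host":"ws03","event_id":1,"Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks /query /tn Backup"}
{"host":"ws03","event_id":3,"Image":"C:\\Program Files\\Chrome\\chrome.exe","DestinationIp":"203.0.113.5","DestinationPort":443}
"""


def match_event(ev: dict) -> Optional[str]:
    """Return the name of the indicator the event matches, or None if it matches nothing."""
    eid = ev.get("event_id")
    cmd = ev.get("CommandLine", "").lower()
    if eid == 1 and "/create" in cmd and TASK_NAME.lower() in cmd:   # process creation
        return "scheduled_task_WindowsUpdateTask"
    if eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):      # registry value set
        return "run_key_persistence"
    if eid == 3 and ev.get("DestinationIp") == C2_IP:                 # network connection
        return "c2_ip_connection"
    if eid == 22 and ev.get("QueryName", "").lower().rstrip(".") == C2_DOMAIN:  # DNS query
        return "c2_domain_lookup"
    if CACHE_DIR.lower() in ev.get("Image", "").lower():              # execution from cache dir
        return "convuster_cache_path"
    return None


def scan(jsonl: str) -> List[Tuple[str, str]]:
    """Scan JSON-lines events and return (host, indicator) hits in input order."""
    hits = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        name = match_event(ev)
        if name:
            hits.append((ev["host"], name))
    return hits


if __name__ == "__main__":
    for host, indicator in scan(SAMPLE_EVENTS):
        print(f"{host}: {indicator}")
```

Events are checked in the order of the page's indicators, so an event matching several (the DNS query issued from the cache directory) is reported once under the first match; the mutex and User-Agent indicators need other telemetry (handle enumeration, proxy logs) and are not covered here.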
