Gomorrah stealer
Stealer
⚠️ Overview
Gomorrah stealer is a .NET-based information-stealing malware first documented in July 2022 by CYFIRMA researchers, targeting credentials, cryptocurrency wallets, and sensitive data from infected systems. It operates as a commodity stealer-as-a-service, likely operated by Russian-speaking threat actors, and is distributed via phishing campaigns, cracked software, and malicious advertisements.
🔧 Technical Capabilities
Gomorrah stealer is written in .NET and uses a Telegram bot for command-and-control (C2) communication, exfiltrating stolen data directly to a Telegram channel. It targets over 40 browsers and browser extensions, including Chrome, Firefox, and Edge, as well as cryptocurrency wallet applications such as Exodus, Electrum, and MetaMask, FTP clients such as FileZilla, and chat and gaming platforms such as Discord and Steam. The malware achieves persistence by writing a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value name such as "GomorrahStealer". Evasion techniques include anti-debugging checks, sandbox detection based on mouse movement and system uptime, and obfuscation of the .NET payload with tools such as ConfuserEx. It can also disable Windows Defender by modifying registry keys, and it creates a mutex named "GomorrahMutex" so that only one instance runs at a time. Stolen data is compressed and base64-encoded before exfiltration.
📜 History & Notable Incidents
First observed in June 2022, Gomorrah stealer was analyzed in detail in a July 2022 CYFIRMA report (mapped to MITRE ATT&CK T1587.001, Develop Capabilities: Malware). In late 2022, a major campaign targeted users of cracked software and game cheats, particularly in the gaming community, leading to theft of Steam accounts and in-game items. No high-profile corporate victims or law enforcement actions had been publicly documented as of early 2023. The malware has no associated CVEs: it relies on social engineering and on the user executing a malicious download rather than on exploiting a vulnerability.
🔍 Detection Indicators
Known file hashes include SHA256 7a8f3c9e1b2d4a5f6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9 (from a CYFIRMA sample). Behavioral indicators include outbound connections to the Telegram API endpoint (api.telegram.org) and creation of the mutex "GomorrahMutex". A registry value HKCU\...\Run\GomorrahStealer and dropped files with names such as "Update.exe" under %AppData% are also common. User-Agent strings may mimic legitimate browsers, e.g., "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", in requests that carry the Telegram bot token.
☠️ Risk & Impact
Gomorrah stealer primarily causes credential theft and cryptocurrency wallet compromise, leading to financial losses for individual victims and potential account takeover. The malware exfiltrates browser-saved passwords, cookies, and credit card data, affecting gaming platforms, social media, and cryptocurrency exchanges. Sectors most impacted include individual internet users, gamers, and cryptocurrency enthusiasts, with no reported large-scale corporate breaches as of early 2023.
🛡️ Mitigation
Defensive measures include blocking outbound connections to Telegram API domains, using endpoint detection and response (EDR) rules to flag the mutex "GomorrahMutex" and the registry Run key, and implementing email security to filter phishing attachments. Regular user awareness training against downloading cracked software and enabling multi-factor authentication for online accounts are recommended. Detection content such as Sigma rules or YARA signatures for .NET stealer artifacts can also help catch infections early.
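As an added illustration of the EDR-style detection logic described above (example code written for this entry, not from the CYFIRMA report or from Boteraser), the following Python triages constructed endpoint telemetry against the indicators listed on this page; the event schema, host names, file paths and the Telegram Bot API token-in-path pattern are assumptions, and the mutex and Run-key names are treated as stronger evidence than a Telegram connection alone.

```python
import re
from collections import defaultdict

# Constructed, simplified Sysmon-style telemetry for three hosts (not real logs).
DROPPER = r"C:\Users\alice\AppData\Roaming\Update.exe"
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "network", "dest": "api.telegram.org", "image": DROPPER,
     "url": "/bot123456789:AAConstructedFakeToken_notReal/sendDocument"},
    {"host": "ws-01", "type": "registry", "key": RUN, "value_name": "GomorrahStealer", "image": DROPPER},
    {"host": "ws-01", "type": "mutex", "name": "GomorrahMutex", "image": DROPPER},
    # An in-house alerting script that legitimately talks to the Bot API (weak signal only).
    {"host": "ws-02", "type": "network", "dest": "api.telegram.org", "image": r"C:\Python311\python.exe",
     "url": "/bot987654321:AAAnotherConstructedToken/getMe"},
    # A benign Run key: same hive and path, different value name.
    {"host": "ws-03", "type": "registry", "key": RUN, "value_name": "OneDrive",
     "image": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]
# Bot API request paths embed the token as /bot<id>:<secret>/ (public API format, assumed here).
TELEGRAM_BOT_PATH = re.compile(r"/bot\d+:[A-Za-z0-9_-]+/")
APPDATA_UPDATE_EXE = re.compile(r"\\AppData\\.*\\Update\.exe$", re.I)

def match_event(ev):
    """Return the indicators from the write-up that a single event matches."""
    hits = []
    if ev["type"] == "network" and ev.get("dest", "").lower() == "api.telegram.org":
        hits.append("telegram_c2")
        if TELEGRAM_BOT_PATH.search(ev.get("url", "")):
            hits.append("telegram_bot_token_in_url")
    if ev["type"] == "registry" and ev["key"].lower() == RUN.lower() and ev["value_name"] == "GomorrahStealer":
        hits.append("run_key_gomorrahstealer")
    if ev["type"] == "mutex" and ev["name"] == "GomorrahMutex":
        hits.append("mutex_gomorrahmutex")
    if APPDATA_UPDATE_EXE.search(ev.get("image", "")):
        hits.append("appdata_update_exe")
    return hits

def triage(events):
    """Per host: the named mutex or Run key alone is conclusive; weaker hits need corroboration."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_event(ev))
    strong = {"mutex_gomorrahmutex", "run_key_gomorrahstealer"}
    verdicts = {}
    for host, hits in per_host.items():
        if hits & strong or len(hits) >= 3:
            verdicts[host] = "likely_gomorrah"
        else:
            verdicts[host] = "review" if hits else "clean"
    return verdicts
```

Feeding real Sysmon or EDR events in would require mapping their field names onto the keys used here; the "review" tier exists because a Telegram Bot API connection on its own is not malicious.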
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.