Moserpass
⚠️ Overview
Moserpass is a credential-stealing malware, classified as an information stealer, first documented by the Canadian Centre for Cyber Security (CCCS) in late 2022. It is associated with Russian-speaking threat actors and primarily targets Windows systems to harvest passwords, cookies, and autofill data from web browsers. The malware shares code similarities with other stealers like Vidar and Raccoon, but operates as a distinct family with its own C2 infrastructure.
🔧 Technical Capabilities
Moserpass propagates via malicious email attachments, cracked software downloads, and malvertising campaigns. It uses a modular architecture: a loader downloads the core stealer DLL from a C2 server whose address is either hardcoded or derived from a domain-generation algorithm (DGA). Persistence is achieved by creating a scheduled task or a registry Run key, often masquerading as a legitimate Windows process such as svchost.exe. For evasion, it unhooks API functions, checks for sandbox environments by querying CPU and disk size, and encrypts its configuration data with RC4 using an embedded key. Stolen data is exfiltrated over HTTPS to the C2 servers, with some variants using Telegram bots as an alternative channel (MITRE ATT&CK T1071.001, T1059.001, T1547.001).
📜 History & Notable Incidents
First observed in September 2022, Moserpass was linked to campaigns targeting the retail and e-commerce sectors in Europe and North America. In early 2023, a variant was distributed through fake CAPTCHA pages that tricked users into running PowerShell commands (the campaign did not exploit CVE-2021-1732, but relied on comparable social engineering). No high-profile corporate breaches have been publicly attributed to Moserpass, but the CCCS advisory of November 2022 listed it as a medium-level threat. No law enforcement action is documented; the malware's operators remain active.
🔍 Detection Indicators
Known file hashes include SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (sample from MalwareBazaar). Network IOCs include C2 domains such as moserpass[.]xyz and IP ranges in the 185.220.101.0/24 block. Registry persistence keys include HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Moserpass. The mutex name Global\Moserpass_Inst is a common behavioral signature. User-Agent strings mimic Chrome 103.0.5060.114.
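As an added example (not code from the CCCS advisory or from this page's source), the network indicators above can be matched against proxy log lines; the log format and the sample lines are constructed and hypothetical. The User-Agent is treated as corroboration only, because a genuine Chrome build string on its own is not evidence of infection.

```python
import ipaddress
import re

# Network indicators as listed on this page (the defanged domain re-fanged for matching).
C2_DOMAINS = {"moserpass.xyz"}
C2_NETWORKS = [ipaddress.ip_network("185.220.101.0/24")]
MIMICKED_UA = "Chrome/103.0.5060.114"

# Constructed sample proxy log lines; hypothetical format: time src dst host "user-agent".
SAMPLE_LOGS = """\
2023-02-01T10:00:01Z 10.0.0.12 93.184.216.34 example.org "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/110.0.0.0"
2023-02-01T10:00:05Z 10.0.0.12 185.220.101.45 moserpass.xyz "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36"
2023-02-01T10:00:09Z 10.0.0.17 185.220.101.7 cdn.example.net "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/103.0.5060.114"
2023-02-01T10:00:12Z 10.0.0.20 203.0.113.5 mail.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/103.0.5060.114"
""".splitlines()

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def match_line(line):
    """Return the names of the indicators a single log line matches (empty if none)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    _ts, _src, dst, host, ua = m.groups()
    reasons = []
    if host.lower().rstrip(".") in C2_DOMAINS:
        reasons.append("c2_domain")
    try:
        if any(ipaddress.ip_address(dst) in net for net in C2_NETWORKS):
            reasons.append("c2_network")
    except ValueError:
        pass  # destination field was not an IP address
    # A User-Agent matching a real Chrome build is weak evidence by itself
    # (legitimate clients send it too), so it only corroborates a stronger hit.
    if MIMICKED_UA in ua and reasons:
        reasons.append("mimicked_user_agent")
    return reasons


def scan(lines):
    """Map source IP -> sorted list of matched indicators, for sources with any hit."""
    hits = {}
    for line in lines:
        reasons = match_line(line)
        if reasons:
            src = line.split(" ", 2)[1]
            hits.setdefault(src, set()).update(reasons)
    return {src: sorted(r) for src, r in hits.items()}
```

Running `scan(SAMPLE_LOGS)` flags 10.0.0.12 (domain, network and User-Agent) and 10.0.0.17 (network and User-Agent), while 10.0.0.20, which only sends the mimicked User-Agent, is not reported.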
☠️ Risk & Impact
The primary impact is credential theft from browsers, leading to account takeover, lateral movement, and potential data exfiltration. Financial losses are indirect but could be significant if stolen credentials are used for wire fraud or ransomware deployment. Affected sectors include retail, e-commerce, and small-to-medium businesses with low cybersecurity maturity. The malware does not encrypt files, so it is purely a stealer (CCCS, 2022).
🛡️ Mitigation
Mitigation includes enabling Microsoft Defender Antivirus with cloud-delivered protection, blocking known C2 domains and IPs via network firewalls, and implementing application control to prevent execution from user-writable directories. The CCCS recommends using multi-factor authentication and disabling macros in email attachments. YARA rules for Moserpass are available on the CAPE sandbox public repository.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.