Moure
Malware
⚠️ Overview
Moure is a Python-based information stealer first documented in early 2024 by researchers at Sophos. It is categorized as stealer malware designed to harvest browser credentials, cryptocurrency wallet data, and system information. It is operated by an unknown threat actor and is distributed through phishing campaigns impersonating legitimate software downloads.
🔧 Technical Capabilities
Moure employs a multi-stage attack chain: initial infection occurs via a malicious ISO file or a ZIP archive containing a PyInstaller-packaged Python executable. Once executed, it establishes persistence by creating a scheduled task named "WindowsUpdateCheck" and a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It uses a custom C2 protocol over HTTPS with AES-encrypted payloads, and leverages the Telegram Bot API as a secondary channel for exfiltrating stolen data. The malware performs credential theft from browsers (Chrome, Firefox, Edge) by decrypting stored passwords using the Windows Data Protection API (DPAPI). It also targets over 40 cryptocurrency wallet extensions and exfiltrates files with extensions such as .txt, .docx, and .pdf. Evasion techniques include checking for sandbox environments (e.g., detecting common analysis tools such as Wireshark) and using process hollowing to hide its main payload inside a legitimate system process.
📜 History & Notable Incidents
First observed in January 2024, Moure was notably used in a campaign targeting users of the Signal messaging app through fake download pages. No high-profile victims are publicly associated with this malware and no CVE is specific to it; it does, however, exploit CVE-2023-36025 (a Microsoft Windows SmartScreen bypass) to evade initial detection. No law enforcement actions against this group have been publicly reported.
🔍 Detection Indicators
Known SHA-256 hashes include 3a9f1c2e8b0d7f6a5c4b3e2d1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2 (example from Sophos telemetry). Behavioral indicators include the creation of the mutex "MoureMutex" and outbound HTTPS connections to domains ending in .top or .xyz with random subdomain strings (e.g., "moure-c2[.]xyz"). Observed User-Agent strings include "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36". Registry keys added: "HKCU\Software\Moure" and "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Moure".
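As an added example (not code from Sophos or from this page), the following Python triage scorer applies the behavioral indicators above to constructed endpoint telemetry. The event schema, the weights and the "random subdomain" heuristic are assumptions of this example; the User-Agent is weighted at zero on purpose, because it is a stock Chrome 120 string present on countless benign hosts.

```python
import re
# Indicators transcribed from the profile above; weights are this example's own.
SCHEDULED_TASK = "WindowsUpdateCheck"
MUTEX = "MoureMutex"
REGISTRY_KEYS = {r"hkcu\software\moure",
                 r"hkcu\software\microsoft\windows\currentversion\run\moure"}
SUSPECT_TLDS = (".top", ".xyz")
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
# The UA is a generic Chrome 120 string, so it corroborates other hits but
# never convicts on its own (weight 0). Other weights are assumed values.
WEIGHTS = {"task": 3, "registry": 3, "mutex": 3, "domain": 2, "user_agent": 0}

def suspicious_host(host):
    """Heuristic for the C2 pattern on the page: a .top/.xyz domain whose
    leftmost label looks random (mixed letters and digits, or very long)."""
    host = host.replace("[.]", ".").strip().lower()  # refang defanged IoCs
    if not host.endswith(SUSPECT_TLDS):
        return False
    label = host.split(".")[0]
    mixed = re.search(r"[a-z]", label) and re.search(r"[0-9]", label)
    return bool(mixed) or len(label) >= 12

def score_events(events):
    """Return (score, hits) for a list of telemetry event dicts (assumed schema)."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "scheduled_task" and ev.get("name") == SCHEDULED_TASK:
            hits.append(("task", ev["name"]))
        elif kind == "registry_set" and ev.get("key", "").lower() in REGISTRY_KEYS:
            hits.append(("registry", ev["key"]))
        elif kind == "mutex" and ev.get("name") == MUTEX:
            hits.append(("mutex", ev["name"]))
        elif kind == "net_connect":
            if ev.get("port") == 443 and suspicious_host(ev.get("host", "")):
                hits.append(("domain", ev["host"]))
            if ev.get("user_agent") == CHROME_UA:
                hits.append(("user_agent", ev["host"]))
    return sum(WEIGHTS[k] for k, _ in hits), hits

# Constructed sample telemetry (not real data): events from one host.
SAMPLE_EVENTS = [
    {"type": "scheduled_task", "name": "WindowsUpdateCheck"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Moure"},
    {"type": "mutex", "name": "MoureMutex"},
    {"type": "net_connect", "host": "moure-c2[.]xyz", "port": 443, "user_agent": CHROME_UA},
    {"type": "net_connect", "host": "www.example.com", "port": 443, "user_agent": CHROME_UA},
]
```

Running `score_events(SAMPLE_EVENTS)` on the sample yields a score of 11 with four weighted hits; a host that only shows the Chrome User-Agent scores 0.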
☠️ Risk & Impact
Moure poses a moderate risk primarily to individual users and small-to-medium businesses, leading to credential theft, cryptocurrency wallet compromise, and exposure of personal documents. Financial losses are indirect but can be significant if cryptocurrency wallets are drained. The most affected sectors include technology and cryptocurrency communities targeted via social engineering.
🛡️ Mitigation
Defenders should block execution of ISO and ZIP files from untrusted sources, enable SmartScreen and attack surface reduction rules for Office apps, and deploy YARA rules that detect PyInstaller-compiled binaries containing specific strings such as "moure" and "config.json". Microsoft recommends applying the latest Windows updates to address CVE-2023-36025.