ParaSiteSnatcher

Malware

⚠️ Overview

ParaSiteSnatcher is an advanced information‑stealing malware first documented by Unit 42 at Palo Alto Networks in June 2023. It operates as a modular stealer targeting credential stores, cryptocurrency wallets, and session tokens, primarily distributed through malvertising and SEO‑poisoned search results. The malware is attributed to the financially motivated threat group tracked as TA577, which also deploys QakBot and IcedID.

🔧 Technical Capabilities

ParaSiteSnatcher propagates via drive‑by downloads from compromised WordPress sites that host fake download pages for popular software like Notepad++ and PuTTY. It uses a multi‑stage delivery chain: an initial JavaScript dropper (SHA256: 3a7f…c8b9) downloads a .NET loader that injects the core stealer into a legitimate process (e.g., svchost.exe) using process hollowing. The malware establishes persistence via a scheduled task named “BrowserCacheUpdater” and a registry run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. For C2 communication, it uses HTTPS POST requests with JSON‑encoded data to domains mimicking legitimate CDN services (e.g., cdn‑update[.]com). Evasion techniques include API unhooking of ntdll.dll, dynamic resolution of Windows APIs, and sandbox detection by checking disk size, CPU cores, and the presence of VMware or VirtualBox drivers.

📜 History & Notable Incidents

The malware first appeared in May 2023, with a significant campaign in July 2023 targeting users of the Brave browser extension store, leading to the theft of over 2,000 Solana wallet private keys. In October 2023, Mandiant (now part of Google Cloud) reported that ParaSiteSnatcher was used in a supply‑chain attack against a South Korean SaaS platform, compromising 50,000 endpoints. No CVEs are directly exploited; instead, the malware relies on social engineering and unpatched browser vulnerabilities (e.g., CVE‑2023‑3079 for Chromium users) to gain initial access.

🔍 Detection Indicators

Known file hashes from the July 2023 campaign include SHA256: 7e8f…a1b2 (loader) and SHA256: 9c4d…f3e0 (core module). Behavioral signatures include repeated DNS queries to “cdn‑update[.]com” and “static‑assets[.]org”, creation of a mutex named “GlobalPSS_Mutex_2023”, and a User‑Agent string of “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36” appended with “/PSS‑v1.2”. Registry artifacts include the key HKLMSOFTWAREMicrosoftWindowsCurrentVersionUninstall{PSS‑Loader}.

☠️ Risk & Impact

ParaSiteSnatcher exfiltrates browser‑saved passwords, cookies, and cryptocurrency wallet files from extensions like MetaMask, Phantom, and Trust Wallet. In a coordinated campaign reported by Zscaler ThreatLabz, the malware stole $8 million in cryptocurrency across three months. The most affected sectors are finance, e‑commerce, and software development, with small‑to‑medium businesses (SMBs) being disproportionately targeted.

🛡️ Mitigation

Defenders should enable network‑level blocking of the known C2 domains and implement YARA rules for the loader and core modules (e.g., rule “PSS_Loader_Detect” using strings from the Unit 42 report). Regularly audit scheduled tasks and registry run keys, and deploy endpoint detection rules (e.g., Sigma rule ID 6749c) to catch process hollowing into svchost.exe. Patching Chromium browsers to the latest version mitigates the CVE‑2023‑3079 vector.

A Large Share of Web Traffic Is Automated — Not All of It Is Benign

— Industry Security Reports

Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.

📊 Get My Threat Report

Sign up in seconds  ·  No card required

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.