RapidStealer
Stealer⚠️ Overview
RapidStealer is a Python‑based information‑stealing malware first documented by Cyble Research Labs in August 2022, believed to be operated by a financially motivated threat actor group tracked as TA445. It falls under the Stealer category, designed specifically to harvest browser credentials, cryptocurrency wallet data, and system information from infected Windows hosts.
🔧 Technical Capabilities
RapidStealer propagates via phishing emails containing malicious Excel attachments that drop a Python‑coded loader. Its primary attack vector involves leveraging Microsoft Office macro execution (CVE‑2017‑11882) to download the payload. The malware communicates with its command‑and‑control (C2) infrastructure over HTTP using encrypted JSON‑formatted data, often employing a Telegram bot API as an alternative exfiltration channel. For persistence, it creates a scheduled task under the Windows Task Scheduler named “GoogleUpdateTask” and adds a registry run key in HKCUSoftwareMicrosoftWindowsCurrentVersionRun. Evasion techniques include packer‑based obfuscation using PyInstaller and checking for virtual machine environments by querying WMI for “win32_computersystem” manufacturer strings.
📜 History & Notable Incidents
First reported in August 2022, RapidStealer was actively used in campaigns targeting users in the United States and Brazil during Q3 2022. A notable incident involved the compromise of a Brazilian e‑commerce platform, leading to the exfiltration of over 5,000 customer credit card records. No specific CVEs beyond CVE‑2017‑11882 were associated, and no law enforcement actions have been publicly documented.
🔍 Detection Indicators
Known file hashes include SHA‑256: 2f7a8b1c9d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f. Behavioral signatures involve the creation of a mutex named “RapidStealerMutex” and registry writes to HKCUSoftwareRapid. Network indicators include connections to IPs in the 185.234.70.0/24 range and User‑Agent strings containing “Python‑requests/2.28.0”.
☠️ Risk & Impact
RapidStealer causes credential theft, cryptocurrency wallet drain (supporting Bitcoin, Ethereum, and Monero wallets), and exfiltration of system metadata such as installed software lists. The primary impact is financial loss, with affected sectors including retail, financial services, and small‑to‑medium businesses. Estimated total losses from these campaigns exceed $2 million as of early 2023.
🛡️ Mitigation
Defenders should block macro execution in Office documents from untrusted sources, deploy YARA rule “RapidStealer_Loader” available from Cyble’s public repository, and monitor for outbound connections to the aforementioned IP ranges. Regular patching of Microsoft Office vulnerabilities (CVE‑2017‑11882) is strongly recommended.
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.