WRECKSTEEL

Malware

⚠️ Overview

WRECKSTEEL is a Python‑based information‑stealing malware first documented in June 2024 by Zscaler ThreatLabz, operating as a commodity stealer-as‑a‑service tracked under the identifier Steal-5928 on underground forums. The malware is exclusively distributed through malicious GitHub repositories disguised as cracked software, cheats, and tool cracks, targeting Windows users. It belongs to the infostealer category, designed to exfiltrate credentials, browser data, cryptocurrency wallets, and session tokens.

🔧 Technical Capabilities

WRECKSTEEL uses PyInstaller to bundle its Python payload into a Windows executable. Propagation relies on social engineering: victims are lured into downloading fake crack archives from GitHub releases. The malware parses browser data from Chromium‑based browsers (Chrome, Edge, Brave, Opera) using SQLite queries, targeting saved passwords, cookies, and autofill data. For cryptocurrency wallets, it scans for wallet‑extension directories (e.g., MetaMask, Coinbase Wallet, Exodus) and reads plaintext configuration files. C2 communication uses HTTP POST requests carrying JSON‑encoded stolen data to attacker‑controlled endpoints, obfuscated with Base64 encoding and XOR. Persistence is achieved by creating a Task Scheduler task named “BrowserCacheMaintenance” that executes the payload at user logon. Evasion includes checking for analysis environments (e.g., running tasklist to look for sandbox‑related processes) and delaying execution by up to 60 seconds to outlast dynamic analysis.

📜 History & Notable Incidents

The earliest WRECKSTEEL samples were submitted to VirusTotal in late May 2024, with mass distribution campaigns observed in June and July 2024. In July 2024, Zscaler published a detailed analysis (Zscaler ThreatLabz blog post, 2024‑07‑18) describing the malware’s infection chain and C2 infrastructure. No high‑profile corporate victim has been publicly named, but the operator(s) remain active, continuously rotating repository URLs to evade takedowns. No CVEs are exploited; the attack vector relies purely on social engineering.

🔍 Detection Indicators

Known file hashes (SHA‑256) include 7e3f1a2b… (see the Zscaler report for the full list). Behavioural signatures include the scheduled task “BrowserCacheMaintenance” and dropped files named Update.exe or Setup.exe in %APPDATA%. Network IOCs include POST requests to domains that mimic legitimate services (e.g., a fake paste‑bin[.]com/upload endpoint) sent with the User‑Agent “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36”. The registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run may contain the persistence entry.
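As an added, defender‑side example (not code from this profile or from Zscaler’s report), the following Python maps the indicators above onto constructed sample telemetry. The event field names, the sample events and the list of browser process names are assumptions; the stock Chrome User‑Agent is only counted when the POST comes from a non‑browser process, because on its own it matches legitimate browser traffic.

```python
import re

# Indicators come from the profile above; event layout and samples are constructed.
TASK_NAME = "browsercachemaintenance"
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}  # assumed allow-list
# %APPDATA% expands to <profile>\AppData\Roaming on a default Windows install.
APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\(update|setup)\.exe$", re.IGNORECASE)

def check_event(ev: dict) -> list[str]:
    """Return the names of every WRECKSTEEL rule one telemetry event matches."""
    hits, kind, image = [], ev.get("type"), ev.get("image", "").lower()
    if (kind == "process" and image.endswith("\\schtasks.exe")
            and TASK_NAME in ev.get("cmdline", "").lower()):
        hits.append("scheduled_task_browsercachemaintenance")
    if kind == "file" and APPDATA_EXE.search(ev.get("path", "")):
        hits.append("dropped_exe_in_appdata")
    if (kind == "registry" and ev.get("key", "").lower() == RUN_KEY
            and APPDATA_EXE.search(ev.get("data", ""))):
        hits.append("run_key_points_to_appdata_dropper")
    # The User-Agent is a stock Chrome string, so it only counts when the POST
    # comes from a process that is not one of the browsers it imitates.
    if (kind == "network" and ev.get("method") == "POST"
            and ev.get("user_agent") == CHROME_UA
            and image.rsplit("\\", 1)[-1] not in BROWSERS):
        hits.append("post_with_chrome_ua_from_non_browser")
    return hits

def scan(events: list[dict]) -> dict[str, list[int]]:
    """Map each matched rule name to the ids of the events that triggered it."""
    report: dict[str, list[int]] = {}
    for ev in events:
        for rule in check_event(ev):
            report.setdefault(rule, []).append(ev["id"])
    return report

SAMPLE_EVENTS = [  # constructed sample telemetry, not captured data
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'/Create /TN BrowserCacheMaintenance /SC ONLOGON /TR "%APPDATA%\Update.exe"'},
    {"id": 2, "type": "file", "path": r"C:\Users\alice\AppData\Roaming\Update.exe"},
    {"id": 3, "type": "file", "path": r"C:\Program Files\Vendor\Setup.exe"},  # ordinary installer
    {"id": 4, "type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\alice\AppData\Roaming\Update.exe"},
    {"id": 5, "type": "network", "method": "POST", "user_agent": CHROME_UA,
     "image": r"C:\Users\alice\AppData\Roaming\Update.exe"},
    {"id": 6, "type": "network", "method": "POST", "user_agent": CHROME_UA,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},  # real browser
]
```

Running `scan(SAMPLE_EVENTS)` flags events 1, 2, 4 and 5 and leaves the benign installer (3) and the real browser’s POST (6) unflagged.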

☠️ Risk & Impact

WRECKSTEEL poses a moderate‑high risk to individual users, particularly those who download cracked software, potentially leading to complete account compromise through stolen credentials and session tokens. Financial damage can occur if cryptocurrency wallets are drained. The primary affected sectors are individual consumers and small businesses that rely on free software downloads; no enterprise‑wide breaches have been reported as of mid‑2024.

🛡️ Mitigation

Mitigation starts with avoiding downloads from untrusted GitHub repositories and disabling browser autofill for sensitive sites. Defenders should deploy endpoint detection rules (e.g., the YARA signatures from Zscaler’s report) to flag execution of PyInstaller‑compiled binaries and creation of a scheduled task named “BrowserCacheMaintenance”. Regular software updates and application whitelisting further reduce exposure. Source: Zscaler ThreatLabz (2024); MITRE ATT&CK T1555‑Browser Information Discovery, T1053.005‑Scheduled Task.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.