XSSLite is an information stealer. It was developed as part of a monetary prize-driven competition held on a Russian hacker forum. There are several variants of this malware; the original version written in the C# programming language was made available for free by the developers, while another variant was created by rewriting the stealer in C++. XSSLite was later observed being disseminated through Chinese hacker forums.
XSSLite is a well-obfuscated piece of malicious software that uses several anti-analysis and anti-detection mechanisms. For example, this stealer checks whether it is running inside a virtual machine by looking for artifacts associated with Hyper-V and VMware. It also includes some anti-debugging features.
XSSLite uses the DLL side-loading technique to infiltrate machines. In other words, it abuses the Windows DLL search order so that a legitimate program loads and executes the malicious DLL in its place. Following successful installation, the malicious program begins collecting relevant device data.
XSSLite can extract and exfiltrate data from Chromium-based browsers. Typically, stealers target browsing and search engine histories, Internet cookies, log-in credentials (usernames/passwords), personally identifiable details, credit card numbers, and other sensitive information.
According to XSSLite’s promotional material, it can obtain data from all types of browser extensions. This could include plug-ins related to cloud storage, password management, 2FA/MFA (Two/Multi-Factor Authentication), cryptocurrency platforms, etc.
Furthermore, this malware can exfiltrate (download) victims’ desktop files. The program also aims to steal cryptocurrency wallets. Additionally, the stealer has keylogging abilities, i.e., it can record keystrokes (keyboard input).
It is pertinent to mention that malware developers commonly improve upon their creations and methodologies; therefore, potential future iterations of XSSLite could have additional/different capabilities.