Since May 2025, a new credential-stealing malware known as Maranhão Stealer has surfaced, posing a significant risk to individuals who download pirated gaming software. This malware is disseminated through deceptive websites that offer cracked game launchers and cheats, utilizing cloud-hosted platforms to deliver trojanized installers that appear legitimate.
Distribution and Infection Process
The Maranhão Stealer is primarily spread via websites that lure users with promises of modified game content. For instance, download links labeled as `DerelictSetup.zip` entice users to download what they believe are enhanced game features. However, these downloads contain malicious installers wrapped in Inno Setup executables. Upon execution, the installer unpacks a Node.js–compiled binary, initiating a silent infection process that operates without user awareness.
Once executed, the installer drops several components, including `updater.exe`, `crypto.key`, and `infoprocess.exe`, into a concealed directory named Microsoft Updater located under `%localappdata%\Programs`. This strategic placement helps the malware evade detection by blending in with legitimate system files.
Establishing Persistence
To maintain a foothold on the infected system, Maranhão Stealer employs multiple persistence mechanisms:
– Registry Modification: The malware adds a new entry to the Windows registry under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, ensuring that `updater.exe` executes automatically upon system startup.
– Scheduled Tasks: It creates scheduled tasks that trigger the execution of its components at specified intervals, reinforcing its persistent presence.
– File Attributes Manipulation: By setting hidden and system attributes on its directories and files using commands like `attrib +h +s`, the malware conceals its presence from users and basic file explorers.
Data Exfiltration Techniques
Maranhão Stealer is designed to harvest a wide array of sensitive information:
– Browser Data: The malware injects a reflective DLL into processes of popular browsers such as Chrome, Edge, Brave, and Opera. This technique allows it to bypass security measures like AppBound encryption, enabling the extraction of stored passwords, cookies, and browsing history.
– Cryptocurrency Wallets: Beyond traditional credentials, Maranhão Stealer targets cryptocurrency wallets, including Electrum, Exodus, and Coinomi. This capability poses a dual threat, compromising both personal information and digital assets.
– System Reconnaissance: The malware conducts thorough system profiling by executing WMI queries (e.g., `wmic os get Caption`) and making external API calls to services like `ip-api.com/json`. This process gathers detailed information about the operating system, CPU, disk space, and the geographic location of the infected machine.
– User Activity Monitoring: Utilizing inline C# within PowerShell scripts, Maranhão Stealer captures screenshots, providing attackers with real-time insights into user activities.
Technical Analysis of the Infection Mechanism
The infection process of Maranhão Stealer is meticulously crafted to ensure stealth and reliability:
1. Silent Execution: The Inno Setup installer launches the main payload (`updater.exe`) in `/VERYSILENT` mode, suppressing any installation dialogs and minimizing user suspicion.
2. Registry Persistence: The malware modifies the registry to include an entry that points to its executable, ensuring it runs at every system startup.
3. File Concealment: By applying hidden and system attributes to its files and directories, Maranhão Stealer makes it challenging for users to detect its presence through standard file navigation.
4. Process Injection: The malware spawns a helper process (`infoprocess.exe`) that injects a malicious DLL directly into running browser processes. This is achieved using low-level Windows APIs such as `NtAllocateVirtualMemory`, `NtWriteProcessMemory`, and `CreateThreadEx`. This reflective injection technique allows the malware to operate within the memory space of legitimate browser processes, effectively evading traditional antivirus scans.
Implications and Recommendations
The emergence of Maranhão Stealer underscores the evolving sophistication of credential-stealing malware. By combining social engineering tactics, cloud-based distribution methods, and advanced injection techniques, this malware presents a formidable challenge to cybersecurity defenses.
To mitigate the risk posed by such threats, users and organizations should consider the following measures:
– Avoid Pirated Software: Refrain from downloading and installing pirated or cracked software, as these are common vectors for malware distribution.
– Implement Application Control Policies: Establish policies that restrict the execution of unauthorized applications and scripts, reducing the likelihood of malware execution.
– Monitor System Behavior: Utilize endpoint detection and response (EDR) solutions to monitor for anomalous behaviors, such as unexpected registry modifications or the creation of hidden directories.
– Conduct Regular Security Training: Educate users about the risks associated with downloading software from untrusted sources and the importance of maintaining good cybersecurity hygiene.
By adopting these proactive measures, individuals and organizations can enhance their defenses against sophisticated threats like Maranhão Stealer and safeguard their sensitive information from unauthorized access.
