
Nocturnal Stealer

Posted: June 1, 2018

The Nocturnal Stealer is spyware that collects data associated with your Web browser, FTP client usage, and cryptocurrency accounts. Although the Nocturnal Stealer runs a self-uninstall routine after completing its attack, any infection also may coincide with associated threats, and any compromised PC should undergo a full system analysis by appropriate security products. Most anti-malware suites should remove the Nocturnal Stealer before it collects passwords or other confidential information from your computer.

The One-Shot Thief for Hire

Although Ransomware-as-a-Service (RaaS) Trojans like the Globe Ransomware draw most of the attention from criminals willing to pay for Black Hat products, ransomware isn't the only business model for illicit software. Banking Trojans and general-purpose spyware are also sold or rented on the same 'outsourcing' basis. The Nocturnal Stealer, already in the wild, shows how easy threats of its category are to deploy while being as invasive as any traditional spyware payload.

The Nocturnal Stealer is marketed and sold to third-party threat actors on underground forums, although the author retains control of the servers that store the victims' stolen data. Because each renter chooses its own distribution method, the infection vectors may vary, and malware researchers have so far confirmed only a limited number of victims in live environments. Installation relies on Trojan droppers, which also may drop additional files or threats on the PC at the same time.

None of the data that the Nocturnal Stealer collects is unusual for spyware: Web browser credentials and cookies, basic system information (such as a list of running processes), saved logins for the FileZilla FTP client, and cryptocurrency wallet data. After uploading the captured data to a remote server, however, the Nocturnal Stealer takes the less common step of uninstalling itself completely, which hides the nature of the attack for as long as possible while leaving the criminals with a considerable range of stolen information.
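The two behaviours described above, a non-browser process reading credential stores and the stealer then removing its own executable, are what a defender can hunt for regardless of which stealer is involved. The following is an added example written for this page, not code from the Nocturnal Stealer or from the original article. It runs a simple heuristic over constructed process-creation and file-access events (the event format is hypothetical and simplified, not real Sysmon or EDR telemetry). The FileZilla and Chrome paths are the real default locations of those credential stores; the self-deletion pattern (a cmd.exe child that deletes the parent's image) is a common stealer technique and an assumption here, since the page does not say how Nocturnal uninstalls itself.

```python
"""Heuristic stealer detection over constructed endpoint events.

Flags (1) a process that is not the owning application reading a known
credential store, and (2) a process spawning cmd.exe to delete its own
executable. Event records and the sample below are constructed for this
example; they are not real telemetry.
"""
import re
from collections import defaultdict

# Path tails of real default credential-store locations, mapped to the
# process that legitimately owns them. Matched case-insensitively.
CREDENTIAL_STORES = {
    "\\filezilla\\sitemanager.xml": "filezilla.exe",
    "\\filezilla\\recentservers.xml": "filezilla.exe",
    "\\google\\chrome\\user data\\default\\login data": "chrome.exe",
    "\\google\\chrome\\user data\\default\\cookies": "chrome.exe",
    "\\mozilla\\firefox\\profiles": "firefox.exe",
}

# Command-line verbs that delete a file (cmd.exe and PowerShell spellings).
DELETE_VERB_RE = re.compile(r"\b(del|erase)\b|remove-item", re.IGNORECASE)

# Constructed sample events (hypothetical). pid 4242 is the stealer,
# pid 5150 is FileZilla itself reading its own configuration.
STEALER_IMAGE = r"C:\Users\bob\AppData\Local\Temp\upd.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4242, "ppid": 3000,
     "image": STEALER_IMAGE, "cmdline": STEALER_IMAGE},
    {"type": "file_access", "pid": 4242, "image": STEALER_IMAGE,
     "target": r"C:\Users\bob\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"type": "file_access", "pid": 4242, "image": STEALER_IMAGE,
     "target": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_access", "pid": 5150,
     "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "target": r"C:\Users\bob\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"type": "process_create", "pid": 4300, "ppid": 4242,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q "%s"' % STEALER_IMAGE},
]


def basename(path):
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def credential_store_owner(target):
    """Return the process that owns this credential store, or None."""
    normalized = target.replace("/", "\\").lower()
    for tail, owner in CREDENTIAL_STORES.items():
        if tail in normalized:
            return owner
    return None


def detect(events):
    """Map suspicious pid -> list of finding strings."""
    images = {}                      # pid -> image path, from process_create
    findings = defaultdict(list)
    for ev in events:
        if ev["type"] == "process_create":
            images[ev["pid"]] = ev["image"]
            parent_image = images.get(ev["ppid"])
            # Self-deletion: cmd.exe child whose command line deletes the
            # parent's own executable.
            if (parent_image and basename(ev["image"]) == "cmd.exe"
                    and DELETE_VERB_RE.search(ev["cmdline"])
                    and parent_image.lower() in ev["cmdline"].lower()):
                findings[ev["ppid"]].append(
                    "self-deletion via cmd.exe child (pid %d)" % ev["pid"])
        elif ev["type"] == "file_access":
            owner = credential_store_owner(ev["target"])
            # Credential-store read by anything other than its owner.
            if owner and basename(ev["image"]) != owner:
                findings[ev["pid"]].append(
                    "credential store read: %s by %s"
                    % (ev["target"], basename(ev["image"])))
    return dict(findings)


def severity(pid_findings):
    """'high' when both theft and cleanup are seen, else 'medium'."""
    kinds = {f.split(":")[0].split(" via")[0] for f in pid_findings}
    return "high" if len(kinds) > 1 else "medium"


if __name__ == "__main__":
    for pid, hits in detect(SAMPLE_EVENTS).items():
        print(pid, severity(hits), hits)
```

Legitimate owners (FileZilla reading its own sitemanager.xml) produce no finding, so the credential-store rule alone is a useful hunt; the self-deletion rule is what distinguishes a one-shot stealer from ordinary credential-scraping tooling.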

An Adequate Alarm System for a Thief in the Night

E-mail spam campaigns make up a substantial share of threat-delivery attacks in 2018, but other vectors, such as browser-based exploits, torrents and malvertising, also may deliver spyware like the Nocturnal Stealer. The spyware targets most browser families, including Chromium-based ones like Chrome, as well as Firefox, Internet Explorer and dozens of others, and it collects wallet data for over twenty cryptocurrencies, including Bitcoin, Monero and Ethereum. As usual for its category, the Nocturnal Stealer produces no user-visible symptoms while gathering and uploading data.

Based on malware researchers' analyses of its known attacks, a Nocturnal Stealer infection carries a real risk that other threats are also present on the PC. Users are advised to scan their PCs with appropriate security tools, change all passwords, and, where appropriate, contact their bank or credit card company immediately. If they're active and up to date, most anti-malware programs should delete the Nocturnal Stealer before its data-collecting routine launches. The spyware includes some anti-analysis features, but they primarily target dedicated analysis environments (for example, by detecting virtual machines), which means a sample may behave benignly when detonated in a sandbox.

The Nocturnal Stealer is a 'budget' spyware option for criminals who can't afford the time or money to write or rent a more sophisticated threat. While its code is simple, its efficiency and its attention to covering its tracks make it that much more of a headache for the owner of an unprotected PC.
