
Sorano Stealer

Posted: November 29, 2019

A new infostealer is being offered on underground hacking forums, and it would appear that the seller is a Russian malware developer. The advertisements for the Sorano Stealer are very well-designed, and they contain detailed information about the threat's modules and capabilities. In addition to this, the infostealer's code appears to be published on GitHub, so any cybercriminal can grab it and use it as-is or tailor it to their needs.

A quick look at the Sorano Stealer modules reveals that the threat exfiltrates data from infected machines through the API of Telegram, a messaging service that is popular in Russia. The Sorano Stealer, like many other threats of this sort, focuses on the following data and capabilities on the infected machine:

  • It collects auto-fill form data from Web browsers such as Opera, Firefox, Internet Explorer, Yandex, Torch, Google Chrome and others.
  • It can take desktop screenshots and send them to the attacker.
  • It can collect '.txt' files from the desktop.
  • It can hijack session files used by Telegram, Discord and Steam.
  • It is able to run without administrative permissions.
  • It is able to generate a small payload that is under 250KB in size.
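Because the page's one concrete network indicator is exfiltration over the Telegram API, the most useful defensive check is to look for Telegram Bot API upload calls coming from ordinary workstation processes. The script below is an added example, not code from the page or from the malware's author: it parses constructed web-proxy log lines in an assumed "timestamp host process method url" format, and flags requests to api.telegram.org whose path has the Bot API shape /bot<token>/<method> with an upload method (sendDocument, sendMessage, sendPhoto), unless the process is on an assumed allow-list of approved in-house bots. The log format, the process names and the allow-list are all assumptions for the example.

```python
"""
Added example (not from the Sorano Stealer page): flag Telegram Bot API
upload calls from processes that are not approved to use the Bot API.

Assumptions (not stated on the page):
  * proxy log lines look like "<timestamp> <host> <process> <verb> <url>"
  * exfiltration goes to api.telegram.org at /bot<token>/<method>
  * the allow-list of legitimate bot processes is site-specific
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

TELEGRAM_API_HOST = "api.telegram.org"
# Bot API methods that push text or files to a chat; getMe, getUpdates etc. are ignored.
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}
# Assumed allow-list: processes this site knowingly runs as Telegram bots.
APPROVED_BOT_PROCESSES = {"ops-alerts-bot.exe"}

# Bot API path: /bot<numeric id>:<secret>/<method>[?query]
BOT_PATH = re.compile(r"^/bot(?P<token>[0-9]+:[A-Za-z0-9_-]+)/(?P<method>\w+)")
# Constructed proxy log line format for this example.
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<verb>[A-Z]+) (?P<url>\S+)$")


@dataclass
class Finding:
    ts: str
    host: str
    process: str
    method: str
    token_id: str  # numeric bot id only; the secret half is deliberately not recorded


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields, or return None if it is malformed."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def split_url(url: str):
    """Return (host, path) from a URL, tolerating a missing scheme."""
    if "://" in url:
        url = url.split("://", 1)[1]
    host, _, rest = url.partition("/")
    return host.lower(), "/" + rest


def inspect(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious Telegram Bot API upload, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    host, path = split_url(rec["url"])
    if host != TELEGRAM_API_HOST:
        return None
    bm = BOT_PATH.match(path)
    if not bm or bm.group("method") not in UPLOAD_METHODS:
        return None
    if rec["proc"].lower() in APPROVED_BOT_PROCESSES:
        return None
    return Finding(
        ts=rec["ts"],
        host=rec["host"],
        process=rec["proc"],
        method=bm.group("method"),
        token_id=bm.group("token").split(":", 1)[0],
    )


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run inspect() over every line and keep the hits."""
    return [f for f in (inspect(ln) for ln in lines) if f is not None]


# Constructed sample log: one benign fetch, one Bot API upload from an
# unexpected process, one non-upload Bot API call, one approved bot, one junk line.
SAMPLE_LOG = [
    "2019-11-29T10:01:02Z ws01 chrome.exe GET https://www.example.com/",
    "2019-11-29T10:02:10Z ws01 invoice_viewer.exe POST https://api.telegram.org/bot123456:ABC-def_ghi/sendDocument?chat_id=42",
    "2019-11-29T10:02:11Z ws01 invoice_viewer.exe GET https://api.telegram.org/bot123456:ABC-def_ghi/getMe",
    "2019-11-29T10:03:00Z ws02 ops-alerts-bot.exe POST https://api.telegram.org/bot999:zzz/sendMessage",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.host} {hit.process} -> {hit.method} (bot id {hit.token_id})")
```

The check keys on the URL path shape rather than on any hash or file name, so it also catches other Telegram-based stealers; the price is that any unapproved process using the Bot API will be flagged, which is why the allow-list must be maintained per site. Note that the official Telegram desktop client does not use the Bot API host, so it does not need to be on the allow-list.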

Although the Sorano Stealer's source code is found on GitHub, the threat also appears to be sold at relatively low prices. It is not clear whether the public version is limited or outdated, but it is likely that the paid variant being sold on hacking forums is more advanced.

Commodity malware like the Sorano Stealer is exceptionally threatening because any cybercriminal can use it as long as they agree to pay the asking price for the product. Thankfully, you can keep your computer protected from threats like the Sorano Stealer by relying on an up-to-date and trustworthy anti-virus product.
