High-Profile BluStealer Malware Steals Sensitive Info and Files

by certadmin

A new malware has been discovered that is an all-inclusive package for a keylogger, cryptocurrency stealer, and document uploader. Named BluStealer, it was first spotted by a researcher in May and referred to as a310logger.

About BluStealer

BluStealer comprises the core code written in VB and the inner payloads written in C# .NET. Both these components are different in observed samples, indicating that its builder can customize each component individually.
  • The VB core reuses most of the code from the SpyEx project (first spotted in 2004). For this reason, SpyEx strings are discovered in the early samples detected in May.
  • BluStealer can steal crypto wallet data, replace crypto addresses in the clipboard, find/upload document files, steal data via SMTP, use Telegram Bot API, and use anti-analysis/VM methods.
  • The .NET component is a credential stealer created from a combination of open-source C# hack tools known as ChromeRecovery, ThunderFox, firepwd, and StormKitty.
  • Additionally, the malware’s .NET Loader has already been used by various malware families such as Oski Stealer, Snake Keylogger, Formbook, RedLine, and Agent Tesla.

The infection vector

BluStealer mainly spreads via malspam campaigns; a large number of samples were observed in a certain campaign that used a unique .NET loader.
  • The spam emails included links to Discord’s Content Delivery Network (CDN) as a malware distribution infrastructure.
  • Researchers have observed two BluStealer malspam samples. One was a fake DHL invoice in English, while the other one was a fake message in the Spanish language from a Mexican metal company General de Perfiles.
  • Both the samples had .iso attachments, along with download URLs. Accompanied messages claimed that the recipients must open the link and fill out details to solve the problem in the delivery of their parcel.
  • The attachments included the malware executables packed with the .NET Loader. The loader is obfuscated and does not match with any known .NET obfuscator (when matched using de4dot).


BluStealer uses legitimate services to make detection harder for organizations, potentially making it a major threat for security teams worldwide.