CStealer is a new Trojan targeting Windows machines that tries to steal passwords stored in Google Chrome.
Of course, this is not the first case of such a Trojan being detected in the wild. However, what is new here is the fact that CStealer utilizes a remote MongoDB database to stash the stolen passwords.
The malware was discovered by MalwareHunterTeam and analyzed by a cybersecurity researcher known as James.
CStealer – Technical Overview
What sets aside this password-stealing Trojan from other similar threats is the fact that it uploads the harvested passwords from Chrome to a remote MongoDB database. The usual behavior of such a Trojan would be to compile the stolen data into a file, and then send it to a command-and-control server controlled by the malware operators.
How does the communication with the MongoDB database take place?
CStealer includes hardcoded MongoDB credentials and uses the MongoDB C driver as a client library to connect to the database. Cybersecurity researcher James tested this and concluded that when the Trojan harvests Chrome passwords, it connects to the remote database with the idea to keep them for later retrieval.
This technique does serve the purse of stealing passwords but in the meantime, it creates an opportunity for other attackers to gain access to the stolen credentials. In fact, anyone analyzing the Trojan can retrieve the hardcoded credentials and use them to obtain access to the stolen data.
NOTE. If you suspect that you have been infected by CStealer, you can refer to our CStealer removal guide.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: