CStealer is a new Trojan targeting Windows machines that tries to steal passwords stored in Google Chrome.
Of course, this is not the first case of such a Trojan being detected in the wild. However, what is new here is the fact that CStealer utilizes a remote MongoDB database to stash the stolen passwords.
CStealer – Technical Overview
What sets this password-stealing Trojan apart from similar threats is that it uploads the passwords harvested from Chrome to a remote MongoDB database. A Trojan of this kind would usually compile the stolen data into a file and then send it to a command-and-control server operated by the malware authors.
How does the communication with the MongoDB database take place?
CStealer includes hardcoded MongoDB credentials and uses the MongoDB C driver as its client library to connect to the database. Cybersecurity researcher James tested this and concluded that once the Trojan harvests Chrome passwords, it connects to the remote database to store them there for later retrieval.
This technique serves the purpose of stealing passwords, but it also creates an opportunity for other attackers to gain access to the stolen credentials: anyone analyzing the Trojan can retrieve the hardcoded credentials and use them to access the stolen data.
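The hardcoded connection string is the weak point described above, and it is also what an analyst can look for during static triage. The following scanner is an added example and is not code from the article or from James's analysis: it searches a binary blob for MongoDB connection URIs stored as plain ASCII or as UTF-16LE (the wide strings common in Windows binaries), reports the target hosts and whether credentials are embedded, and redacts the secret so the finding can be shared safely. The sample blob, hosts and credentials below are constructed placeholders, not indicators taken from CStealer.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for a suspicious Windows binary. The URIs, hosts and
# credentials are placeholders invented for this example.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"mongodb://stealer_user:Pa55w0rd-EXAMPLE@db.example.invalid:27017"
      b"/loot?authSource=admin\x00"
    + b"\x00" * 8
    + "mongodb+srv://x:y@cluster0.example.invalid/".encode("utf-16-le")
    + b"\x00" * 8
)

# ASCII form: scheme followed by printable, non-space characters.
URI_RE = re.compile(rb"mongodb(?:\+srv)?://[\x21-\x7e]+")


def _wide(text):
    """Regex fragment matching `text` encoded as UTF-16LE."""
    return re.escape(text.encode("utf-16-le"))


# UTF-16LE form: each printable character is followed by a zero byte.
URI_WIDE_RE = re.compile(
    _wide("mongodb") + b"(?:" + _wide("+srv") + b")?" + _wide("://")
    + rb"(?:[\x21-\x7e]\x00)+"
)


def describe_uri(uri, encoding):
    """Summarise one connection URI without exposing the password."""
    parts = urlsplit(uri)
    # Hosts may be a comma-separated list, so do not rely on parts.port.
    hosts = parts.netloc.rsplit("@", 1)[-1]
    has_credentials = parts.username is not None
    redacted = uri
    if parts.password:
        redacted = uri.replace(":%s@" % parts.password, ":***@", 1)
    return {
        "encoding": encoding,
        "scheme": parts.scheme,
        "hosts": hosts,
        "database": parts.path.lstrip("/"),
        "has_credentials": has_credentials,
        "redacted_uri": redacted,
    }


def find_mongodb_uris(blob):
    """Return a summary for every MongoDB URI embedded in `blob`."""
    hits = []
    for raw in URI_RE.findall(blob):
        hits.append(describe_uri(raw.decode("ascii"), "ascii"))
    for raw in URI_WIDE_RE.findall(blob):
        hits.append(describe_uri(raw.decode("utf-16-le"), "utf-16le"))
    return hits


def has_embedded_credentials(blob):
    """True when the sample carries a database URI with a username in it."""
    return any(hit["has_credentials"] for hit in find_mongodb_uris(blob))


if __name__ == "__main__":
    for hit in find_mongodb_uris(SAMPLE_BLOB):
        print(hit["encoding"], hit["hosts"], hit["redacted_uri"])
    print("embedded credentials:", has_embedded_credentials(SAMPLE_BLOB))
```

A positive result from `has_embedded_credentials` is a strong triage signal on its own: a legitimate client normally reads its connection string from configuration rather than shipping a database username inside the executable. Run it over an unpacked sample; packed or encrypted strings will not be visible to a plain byte scan.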
NOTE. If you suspect that you have been infected by CStealer, you can refer to our CStealer removal guide.