Open source stealer malware, Mercurial, for "educational purposes" spotted in the wild

The SonicWall Capture Labs threat research team has come across data theft malware derived from the Mercurial password stealer family.  This malware is open source and readily available on github for “educational purposes only”.  Because it is open source, it can be easily customized and deployed with little programming expertise necessary.  The malware is written in C# and is trivial to decompile.

Infection Cycle:

Upon infection, the malware copies itself to %APPDATA\Local\Temp\.  It also adds itself to the registry so that it is started after each reboot:

It scans the system for browser profile information:

In addition to searching for browser data, it also searches for Minecraft launch profile files and Discord Level DB files:

It contains a very basic level of antidebugging:

Any information that is gathered from the system is sent via an HTTP POST request to the operator:

SonicWall Capture Labs provides protection against this threat via the following signature:

• GAV: Blitzed.N (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.