
TROX Stealer: A deep dive into a new Malware as a Service (MaaS) attack campaign

Blog post from Sublime Security

Author: Threat Research Team
Word Count: 2,586
Language: English
Summary

TROX Stealer is a sophisticated information-stealing malware operated as a Malware as a Service (MaaS), designed to exfiltrate sensitive data such as credit card details and browser credentials from everyday users rather than from enterprise networks. First detected by Sublime's Threat Research team in December 2024, the malware is delivered through urgency-driven phishing emails, often disguised as legal or debt-related communications. Its delivery and execution chain combines Python, Node.js, and WebAssembly to obfuscate its activity and evade detection. Despite these evasion techniques, the core stealing functionality relies on commonplace methods, such as querying application databases, which leaves it detectable through a range of indicators of compromise (IOCs). The attackers have maintained their infrastructure methodically, renewing certificates, using domains such as debt-collection-experts[.]com, and staging the final payload on platforms such as GitHub. Sublime's AI-powered detection system includes rules to identify and block this threat, and the post stresses that urgent messages and suspicious links should be treated as red flags.