
Unveiling the Execution Chain and Advanced Exfiltration Tactics of 0bj3ctivityStealer

The cybersecurity landscape continues to witness the emergence of sophisticated information stealers, with 0bj3ctivityStealer representing a notable evolution in malware design and deployment tactics.

Discovered earlier this year by HP Wolf Security experts, this .NET-based stealer demonstrates advanced capabilities for data gathering and exfiltration across a wide variety of applications, employing innovative techniques that set it apart from traditional infostealer campaigns.

Multi-Stage Execution Chain with Steganographic Concealment

The 0bj3ctivityStealer campaign begins with carefully crafted phishing emails featuring subjects like “Quotation offer” and low-quality images of fake purchase orders.

0bj3ctivityStealer execution chain.

Victims are directed to click a “Download” link that redirects to Mediafire cloud services, hosting a JavaScript script as the initial infection vector.

This JavaScript contains over 3,000 lines of code, with only 60 lines representing the actual malicious payload, demonstrating sophisticated obfuscation techniques.

The execution chain progresses through multiple stages, with the decoded PowerShell script downloading a JPG image from archive.org that conceals the next stage using steganography.

The malware searches for a specific hexadecimal pattern (0x42 0x4D 0x32 0x55 0x36…) within the image file, then extracts RGB values from each pixel to reconstruct the hidden payload.

This steganographic approach effectively bypasses traditional security detection mechanisms by hiding malicious code within seemingly benign image files.

The extracted payload is a .NET DLL that contains the legitimate Dnlib library and serves as the VMDetector Loader.

This component creates scheduled tasks for persistence and downloads the final stage from a Cloudflare-managed subdomain. The payload is stored as reversed Base64 and, once decoded, is injected into Regasm.exe using process hollowing.
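Defender-side triage for two artifacts this chain leaves behind, as an added example that is not part of the article or of HP Wolf Security's analysis: it scans an image's flattened RGB byte stream for the marker prefix quoted above (the full marker is truncated in the article, so only the five quoted bytes are matched) and tests whether a captured blob is reversed Base64 that decodes to a PE file. The sample pixels and blob are constructed inline; a plain Python 3 interpreter with no third-party packages is assumed.

```python
"""Triage helpers for 0bj3ctivityStealer-style artifacts (added example)."""
from __future__ import annotations

import base64
import binascii
import re

# Leading bytes of the steganography marker quoted in the article; the article
# truncates the full pattern ("0x36..."), so only this prefix is matched.
STEGO_MARKER_PREFIX = bytes([0x42, 0x4D, 0x32, 0x55, 0x36])


def find_marker_offsets(data: bytes, marker: bytes = STEGO_MARKER_PREFIX) -> list[int]:
    """Return every offset at which the marker prefix occurs in a byte stream.

    Run it on the flattened RGB pixel stream (see rgb_stream), since the loader
    scans pixel values rather than the compressed JPEG file bytes.
    """
    offsets, start = [], 0
    while (i := data.find(marker, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def rgb_stream(pixels) -> bytes:
    """Flatten an iterable of (R, G, B[, A]) tuples into the byte order the loader reads."""
    return bytes(c for px in pixels for c in px[:3])


def decode_reversed_base64(blob: str) -> bytes | None:
    """Decode a reversed-Base64 string; return None if it is not valid Base64."""
    text = blob.strip()[::-1]
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text):
        return None
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None


def looks_like_pe(data: bytes) -> bool:
    """True if the decoded bytes begin with the DOS 'MZ' header of a PE file."""
    return len(data) >= 2 and data[:2] == b"MZ"


# Constructed sample inputs (not real malware artifacts): the marker prefix
# straddles two pixels, and the blob is a reversed-Base64 fake PE header.
SAMPLE_PIXELS = [(255, 255, 255), (0x42, 0x4D, 0x32), (0x55, 0x36, 0x10), (0x90, 0x90, 0x90)]
SAMPLE_BLOB = base64.b64encode(b"MZ\x90\x00" + b"A" * 12).decode()[::-1]


def triage_sample() -> dict:
    """Apply both checks to the constructed samples and report the findings."""
    payload = decode_reversed_base64(SAMPLE_BLOB)
    return {
        "marker_offsets": find_marker_offsets(rgb_stream(SAMPLE_PIXELS)),
        "reversed_b64_is_pe": payload is not None and looks_like_pe(payload),
    }
```

On a real image, feed `find_marker_offsets` the pixel tuples from any image decoder (for example `list(img.getdata())` from Pillow) via `rgb_stream`, and feed `decode_reversed_base64` the string fetched from the staging subdomain.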

Comprehensive Data Harvesting and Anti-Analysis Measures

0bj3ctivityStealer implements multiple anti-analysis techniques, including virtual machine detection through DLL checks (SbieDll, VMToolsHook, vmmousever), WMI queries for hypervisor detection, and debugger presence verification using CheckRemoteDebuggerPresent.

The malware employs string obfuscation through Base64 encoding combined with subtraction algorithms, control flow flattening, and randomized naming conventions to complicate analysis efforts.

The stealer targets an extensive range of data sources, including system information, browser data from both Chromium and Gecko-based browsers, instant messaging applications (Telegram, Signal, Discord, Element), email credentials from Outlook and Foxmail, and cryptocurrency wallets.

Particularly noteworthy is its comprehensive cryptocurrency targeting, searching for over 20 different wallet extensions across Chrome and Edge browsers, along with desktop wallet applications including Exodus, Electrum, and AtomicWallet.

The malware communicates with its command and control infrastructure through Telegram, providing attackers with a reliable and encrypted channel for data exfiltration.

This approach leverages legitimate communication platforms to avoid detection while maintaining operational security for threat actors.

The combination of advanced obfuscation, multi-stage deployment, and comprehensive data targeting makes 0bj3ctivityStealer a significant threat requiring enhanced security awareness and detection capabilities.

Priya
