
Written primarily in Delphi with core modules in C++, the malware emphasizes operational stealth and minimal user interaction, making it an attractive tool for both novice and experienced threat actors.
Raven Stealer’s executable (~7 MB) embeds its critical payload components in the .rsrc section: an encrypted DLL and configuration blobs added with a Delphi resource editor. The embedded DLL is encrypted with ChaCha20 (Shannon entropy of 8.0 bits per byte, the maximum for a byte stream), so static analysis of the stored payload yields nothing useful until it is decrypted.
At runtime, the main executable decrypts the DLL in memory and employs reflective process hollowing into a suspended Chrome instance. By masquerading as a legitimate browser process, the malware evades heuristic detection and gains full access to browser internals.
Once injected, Raven Stealer reads the DPAPI-protected AES key (the os_crypt.encrypted_key value) from the browser’s Local State file, which for Edge lives at C:\Users\<User>\AppData\Local\Microsoft\Edge\User Data\Local State and for Chrome at C:\Users\<User>\AppData\Local\Google\Chrome\User Data\Local State.
After unwrapping it with DPAPI, the malware uses this key to decrypt browser artifacts, including saved passwords, cookies, payment data, and autofill entries. Extracted data is written to the plaintext files passwords.txt, cookies.txt, and payment.txt under %Local%\RavenStealer\Chrome\Default, ready for aggregation.
Modular Design Enables In-Memory Execution and Evasion
Because the decrypted DLL exists only in memory, Raven Stealer leaves few forensic artifacts of its core module on disk. The builder also generates each payload with a unique, 12-character filename (e.g., 65a16KM1.69n.exe), so no two builds share a name or hash, which hinders signature-based detection.
At build time, operators enter a Telegram Bot Token and Chat ID in a Delphi-based UI; the builder writes them, unencrypted, into resource IDs 102 and 103 using the Windows UpdateResource API (BeginUpdateResource/UpdateResource/EndUpdateResource). Because the values are stored in the clear, a resource viewer or PE parser recovers the operator’s token and chat ID from any sample, which helps attribution and campaign tracking.

This modular approach allows attackers to tailor communication parameters and payload features, such as UPX compression or additional plugins, without altering the core builder.
Telegram Bot Integration Streamlines Real-Time Exfiltration
Once harvesting completes, the malware zips the stolen artifacts together with a desktop screenshot (e.g., admin_RavenStealer.zip) and sends the archive in a multipart HTTPS POST to the Telegram Bot API’s sendDocument method (https://api.telegram.org/bot<token>/sendDocument), addressed to the configured Chat ID.
This gives the operator near-instantaneous delivery of the stolen data in a Telegram chat. Because api.telegram.org is a legitimate, TLS-protected service that many organisations allow, the traffic blends in with benign use and bypasses many network-based filters. Misconfigured or expired tokens make the API return HTTP 404 errors, so a failed upload still leaves a network trace even though no data left the host.

Distribution of Raven Stealer typically occurs via cracked software bundles, phishing emails, and promotions on underground forums or a dedicated Telegram channel. Its minimal footprint and evasion tactics make behaviour-based detection and network monitoring critical.
Security teams should hunt for browser processes (chrome.exe, msedge.exe) started by unexpected parent processes, inspect outbound POST traffic to api.telegram.org (the bot token sits in the URL path), and flag document uploads to the Bot API from hosts that have no business using Telegram bots.
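The following script is an added example (not code from the article or from Raven Stealer) that turns the exfiltration path and the detection guidance above into two hunt rules: one matches Telegram Bot API calls in a proxy log, grading file-upload methods such as sendDocument as high severity and annotating the HTTP 404 case, and one flags chrome.exe/msedge.exe launches whose parent is not an expected browser parent, the pattern a hollowed, suspended Chrome instance produces. The proxy log format, the Sysmon-style event fields, the parent allowlist and all sample data are assumptions constructed for the example.

```python
"""Hunt rules for Raven Stealer-style Telegram exfiltration and browser hollowing.
Added example, not the malware's or the article's code. Log format, event fields,
allowlist and sample data are assumptions constructed for illustration."""
import re
from typing import Dict, List

# Telegram Bot API URLs embed the bot token: https://api.telegram.org/bot<token>/<method>
# A token is "<numeric bot id>:<35-character secret>".
TELEGRAM_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot"
    r"(?P<token>\d{8,10}:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)
# Methods that carry a file body; a stealer's ZIP of passwords.txt/cookies.txt leaves this way.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}

# Parents from which a browser launch is expected (assumed baseline; tune per environment).
EXPECTED_BROWSER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "services.exe", "svchost.exe"}
BROWSERS = {"chrome.exe", "msedge.exe"}


def redact_token(token: str) -> str:
    """Keep the bot id and the first 4 secret chars so analysts can pivot without re-exposing the token."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag Telegram Bot API traffic in a space-separated proxy log with the assumed layout
    <timestamp> <client_ip> <http_method> <url> <status> <bytes_sent>."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue
        ts, client, http_method, url, status, _sent = fields
        m = TELEGRAM_API_RE.search(url)
        if not m:
            continue
        api_method = m.group("method")
        upload = http_method == "POST" and api_method in UPLOAD_METHODS
        finding = {
            "time": ts,
            "client": client,
            "bot_token": redact_token(m.group("token")),
            "api_method": api_method,
            "severity": "high" if upload else "medium",
            "note": "file upload to a Telegram bot channel" if upload else "Telegram Bot API use",
        }
        # Telegram answers 404 Not Found for an unknown or revoked bot token: the upload failed,
        # but the attempt still identifies an infected host.
        if status == "404":
            finding["note"] += "; HTTP 404 = invalid or expired token, attempt still indicates infection"
        findings.append(finding)
    return findings


def scan_process_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag browser processes started by an unexpected parent (Sysmon Event ID 1 style fields).
    Hollowing creates the browser suspended from the stealer's own process, so the parent is the
    dropper rather than explorer.exe. Sysmon does not record CREATE_SUSPENDED, so this is a heuristic."""
    hits = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        if image in BROWSERS and parent not in EXPECTED_BROWSER_PARENTS:
            hits.append({"pid": ev["ProcessId"], "image": image, "parent": ev["ParentImage"]})
    return hits


# Constructed sample data (tokens are made up and exactly token-shaped).
SAMPLE_PROXY_LOG = """\
2025-07-01T10:00:01Z 10.0.0.5 GET https://www.google.com/ 200 512
2025-07-01T10:00:07Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAEabcdefghijklmnopqrstuvwxyz012345/sendDocument 200 2400512
2025-07-01T10:00:09Z 10.0.0.7 POST https://api.telegram.org/bot987654321:AAFzyxwvutsrqponmlkjihgfedcba543210/sendDocument 404 1200
2025-07-01T10:00:10Z 10.0.0.9 GET https://api.telegram.org/bot111111111:AAHstaticexampletokenforgetme123456/getMe 200 300
""".splitlines()

SAMPLE_PROCESS_EVENTS = [
    {"ProcessId": "4120", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": "5288", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\65a16KM1.69n.exe"},
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
    for hit in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(hit)
```

The proxy rule deliberately reports any Bot API use, not only uploads: a getMe call with a token in the path is how a freshly built stealer validates its configuration, and the redacted token lets analysts cluster hosts by operator without copying a live credential into tickets. The process rule needs a per-environment parent allowlist; software deployment agents and some launchers legitimately start browsers, so tune it before alerting.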
Enforcing application whitelisting, patching browser vulnerabilities promptly, and educating users to avoid pirated software remain essential defenses.
As Raven Stealer cements its place in the commodity malware ecosystem, its combination of stealth, modularity, and real-time exfiltration underscores the need for layered threat detection strategies, proactive hunting, and rigorous endpoint protection to safeguard sensitive credentials and browser data.
Indicators of Compromise
| File indicator (SHA256) | Context |
|---|---|
| 2b24885942253784e0f6617b26f5e6a05b8ad45f092d2856473439fa6e095ce4 | Raven Stealer |
| 65ca89993f2ee21b95362e151a7cfc50b87183bf0e9c5b753c5e5e17b46f8c24 | 65a16KM1.69n.exe |
The post Raven Stealer Targets Google Chrome Users, Exfiltrates Sensitive Data appeared first on Cyber Security News.
