Raven Stealer

A new sneaky type of malware, known as Raven Stealer, has been identified by the Lat61 Threat Intelligence Team at Point Wild.  The research team, led by Onkar R. Sonawane, has found that this seemingly simple program is surprisingly adept at remaining undetected while stealing your personal information.  The research, shared with Hackread.com, reveals that the malware is primarily spread through underground forums and often bundled with pirated software.

Built using the programming languages Delphi and C++, Raven Stealer is designed to be small and quick.  It works by quietly infiltrating your computer, where its payload (the part of the malware that causes the actual harm) goes to work.[1]

The payload targets popular web browsers like Chrome and Edge to grab things like your passwords, cookies, payment details, and other information you’ve saved.  What makes it particularly tricky is that it can send this stolen information directly to a cybercriminal using a Telegram messaging bot.  This means the bad guys get your data in real-time.

Attack Flow

The UI of the file and the generated payload (Image Credit: Point Wild)

How It Works - Point Wild’s report explains that Raven Stealer employs a clever trick called process hollowing to evade detection by traditional antivirus programs.  This means that, instead of running from its own file on your computer’s hard drive, the payload is loaded into the memory of a legitimate browser process and runs from there, so it looks like an ordinary browser to anything that only checks files on disk.  It’s like a car thief hollowing out a car and installing a different engine, so it looks normal from the outside but is used for something else entirely.  This technique makes it tough for security software to spot it.

The malware’s creator used a simple builder program to create the attack file, which hides an encrypted “payload” inside and gives it a unique name to avoid detection.  Once on an infected computer, it gathers a screenshot and stolen data into a ZIP file, then tries to send it to the attacker via Telegram.  Although this transmission failed in testing due to a problem with the Telegram bot token, the threat of data theft remains.
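The two behaviours described in the preceding paragraphs (a browser-named process that was not started the way browsers normally are, and that same process talking to the Telegram Bot API) are exactly the kind of signals a defender can correlate in endpoint telemetry, even when the payload itself never touches disk.  The Python below is an added example written for this page; it is not code from Point Wild, Hackread, or the Raven Stealer analysis.  The event records are constructed and only loosely imitate Sysmon process-creation and network-connection fields, and the browser list, expected-parent list and approved-client list are assumptions to be tuned for a real environment.  It is a behavioural correlation, not a memory scan: confirming hollowing itself still requires an EDR that compares a process’s in-memory image against its on-disk file.

```python
import json
import ntpath
from collections import defaultdict

# Constructed sample telemetry (invented for this example). Each line is a
# simplified JSON record loosely modelled on Sysmon event ID 1 (process
# create) and event ID 3 (network connection). Backslashes are JSON-escaped.
SAMPLE_EVENTS = r"""
{"event_id": 1, "pid": 4100, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"event_id": 1, "pid": 5222, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent_image": "C:\\Users\\victim\\Downloads\\cracked_installer.exe"}
{"event_id": 3, "pid": 4100, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "www.example.com", "dest_port": 443}
{"event_id": 3, "pid": 5222, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "api.telegram.org", "dest_port": 443}
{"event_id": 3, "pid": 7300, "image": "C:\\Users\\victim\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe", "dest_host": "api.telegram.org", "dest_port": 443}
"""

# Assumed lists: browser images to watch, parents that normally launch or
# spawn a browser on a workstation, and clients approved to use the Bot API.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
EXPECTED_BROWSER_PARENTS = BROWSERS | {"explorer.exe", "svchost.exe", "userinit.exe"}
TELEGRAM_BOT_API_HOSTS = {"api.telegram.org"}
APPROVED_TELEGRAM_CLIENTS = {"telegram.exe"}


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events):
    """Map pid -> list of heuristic hits. Either hit alone is low confidence:
    a user can launch a browser oddly, or legitimately browse to the Bot API."""
    findings = defaultdict(list)
    for ev in events:
        img = basename(ev.get("image", ""))
        if ev["event_id"] == 1 and img in BROWSERS:
            parent = basename(ev.get("parent_image", ""))
            if parent not in EXPECTED_BROWSER_PARENTS:
                findings[ev["pid"]].append(
                    f"browser image {img} started by unexpected parent {parent}")
        elif ev["event_id"] == 3:
            host = ev.get("dest_host", "").lower()
            if host in TELEGRAM_BOT_API_HOSTS and img not in APPROVED_TELEGRAM_CLIENTS:
                findings[ev["pid"]].append(
                    f"{img} connected to {host} (Telegram Bot API)")
    return dict(findings)


def high_confidence(findings):
    """Pids where both heuristics fired on the same process: a browser-named
    process with a suspicious parent that also reaches the Telegram Bot API."""
    return sorted(pid for pid, hits in findings.items() if len(hits) >= 2)


if __name__ == "__main__":
    hits = analyze(parse_events(SAMPLE_EVENTS))
    for pid in high_confidence(hits):
        print(f"pid {pid}:", *hits[pid], sep="\n  ")
```

On the constructed sample, only pid 5222 (chrome.exe launched by a file in Downloads that then connects to api.telegram.org) reaches high confidence; the normally launched browser and the approved Telegram client are left alone.  Requiring both signals on one process is what keeps the rule usable: each signal on its own fires on ordinary user behaviour.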

Protecting Yourself - To keep your personal information safe from threats like this, always use up-to-date antivirus software with real-time protection and avoid downloading pirated programs.  It’s also wise to be careful about clicking on suspicious links or attachments.

As Dr. Zulfikar Ramzan, CTO of Point Wild and Head of the Lat61 Threat Intelligence Team, explains, “Raven Stealer shows how commodity malware is evolving, stealing credentials, cookies, and payment data while hiding its tracks through in-memory execution and Telegram exfiltration.  It’s a reminder that attackers are packaging advanced techniques into tools that even low-skilled actors can use.”


This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122


[1] https://hackread.com/raven-stealer-malware-browsers-passwords-payment-data/
