Gotham Stealer Technical Analysis

This blog post comes from the “Gotham Stealer Technical Analysis” by the Brandefense Research Team. For more details about the analysis, download the report.

Introduction

Gotham Stealer, a newly identified malware threat emerging in September 2023, showcases diverse capabilities, targeting browser information, crypto wallets, and gaming accounts like Discord, Steam, and Roblox. Notably, it infiltrates systems through game crack sites and gaming-themed platforms. Gotham Stealer’s unique features, including its use of Node.js and a substantial self-contained executable size, challenge conventional perspectives on desktop malware. This introduction sets the scene for a detailed examination of Gotham Stealer’s functionalities and its implications for cybersecurity.

Scope

In the “Scope” section, hashes of the analyzed “Gotham Stealer” sample are provided.

Filename: MyCV.doc
MD5:      4a5b0e00ee6128a2922727a9603222a3
SHA1:     1eb85f067be0a36f4a4e010ea5b2a631a2667107
SHA256:   0900294009d5ce23656377e18a419757bdc818b8aa3412d6a3f1661e2cb32e17

Executive Summary

Gotham Stealer, also called “Revamped and strengthened Pirate”, has been circulating in Telegram channels since September 2023, with its development initiated in March of the same year. Despite initial impressions suggesting it may be a copy of Pirate Stealer, our in-depth analysis by the threat intelligence and malware analysis teams reveals a unique element: its incorporation of a Discord stealer component. This distinctive feature sets Gotham Stealer apart from potential misconceptions of being a mere duplicate.

Operated by Turkish threat actors who ceased their activities on December 8, 2023, there remains a lingering concern of a potential resurgence or an upgraded version in the future. The malware displays versatile capabilities, encompassing the theft of browser information, crypto wallets, as well as Discord, Steam, and Roblox accounts. Its focus on gaming accounts leads to the dissemination of Gotham Stealer through game crack sites and websites centered around gaming themes. Notably, Gotham Stealer stands out due to its unconventional form as a Node.js self-contained executable, boasting a substantial size of 80MB—significantly larger than typical malware sizes. This characteristic fuels claims of evading malware sandboxes, challenging conventional assumptions regarding desktop malware, where JavaScript-based threats are less prevalent.

This report underscores the uniqueness of Gotham Stealer, debunking misconceptions of its origin and highlighting its potential for future threats. The unconventional use of Node.js and its distinctive size contribute to its evasive capabilities, warranting heightened attention in cybersecurity efforts.

Download YARA Rules and IoCs from GitHub.
