新型VVS Stealerマルウェアが難読化されたPythonコードを介してDiscordアカウントを標的に

Ruslan Mikhalov Chief of Threat Research at SOC Prime

フォローする

新型VVS Stealerマルウェアが難読化されたPythonコードを介してDiscordアカウントを標的に

Detection stack

AIDR
Alert
ETL
Query

脅威レポート
攻撃フロー
検出
シミュレーション

概要

VVS Stealerは、Telegramで販売されている新しく観測されたPythonベースの情報スティーラーです。Pyarmorで難読化され、PyInstallerでパッケージ化され、Windowsのスタートアップフォルダ経由で持続化します。このマルウェアはDiscordトークン、ブラウザの資格情報、クッキー、履歴、パスワード、スクリーンショットを収集します。また、アクティブなDiscordセッションをハイジャックするために悪意のあるJavaScriptペイロードを注入することも可能です。

調査

Palo Alto Networks Unit 42は、このマルウェアを開示し、2025年4月から販売されていると指摘しました。研究者たちは、その難読化技術、配布モデル、資格情報の窃取やDiscord注入を含む機能を説明しました。このレポートは、スティーラーに焦点を当てたTelegramグループで活動するフランス語を話す脅威アクターにツールを関連付けています。

緩和策

組織は、未知のPyInstaller実行ファイルとスタートアップフォルダ内の予期しないショートカットを監視するべきです。難読化されたPythonスクリプトや疑わしいJavaScriptペイロードのエンドポイント検出ルールを展開します。Discordやブラウザアカウントに多要素認証を強制し、資格情報収集が悪用される可能性のある管理権限を制限します。

対応

VVS Stealerが検出された場合、影響を受けたエンドポイントを隔離し、メモリおよびファイルアーティファクトを収集し、IOCを抽出します。悪意のあるスタートアップエントリを削除し、注入されたDiscordプロセスを終了し、侵害されたアカウントのパスワードを強制的にリセットします。追加の盗まれた資格情報を見つけるために完全なフォレンジック調査を実施し、リモートC2インフラストラクチャがブロックされていることを確認します。

“graph TB %% Class definitions classDef action fill:#99ccff classDef malware fill:#ff9999 classDef tool fill:#cccccc classDef technique fill:#ffff99 %% Nodes mal_vvs_stealer[“マルウェア – VVS Stealer 説明: PyInstallerでパッケージ化され、PyArmorで難読化された情報スティーラー。”] class mal_vvs_stealer malware tool_pyinstaller[“ツール – PyInstaller 説明: Pythonアプリケーションをスタンドアロンの実行ファイルにバンドルする。”] class tool_pyinstaller tool tool_pyarmor[“ツール – PyArmor 説明: マルウェアのロジックを隠すためにPythonバイトコードを難読化する。”] class tool_pyarmor tool tech_T1027[“手法 – T1027 難読化されたファイルまたは情報 説明: 敵は悪意のあるコードを隠すために難読化を使用する。”] class tech_T1027 technique action_download_js[“アクション – 追加のJavaScriptペイロードをダウンロード”] class action_download_js action tech_T1027_006[“手法 – T1027.006 HTMLスモグリング 説明: 防御を回避するために悪意のあるコードをHTMLに埋め込む。”] class tech_T1027_006 technique tech_T1505[“手法 – T1505 サーバーソフトウェアコンポーネント 説明: 悪意のある活動を支えるために追加のサーバー側コンポーネントをインストールする。”] class tech_T1505 technique action_persistence[“アクション – スタートアップフォルダを介して持続性を確立する”] class action_persistence action tech_T1037_005[“手法 – T1037.005 スタートアップ項目 説明: ログオン時に実行されるようにユーザーのスタートアップフォルダに実行ファイルを配置する。”] class tech_T1037_005 technique tech_T1547[“手法 – T1547 ブートまたはログオンの自動実行 説明: ブートまたはログオン時に自動実行するプログラムを登録する。”] class tech_T1547 technique action_fake_error[“アクション – 偽の致命的なエラーポップアップを表示する”] class action_fake_error action tech_T1562_011[“手法 – T1562.011 セキュリティ警告の偽装 説明: 利用者を欺くために偽造のセキュリティ警告を表示する。”] class tech_T1562_011 technique action_screenshot[“アクション – スクリーンをキャプチャする”] class action_screenshot action tech_T1113[“手法 – T1113 スクリーンキャプチャ 説明: 被害者のデスクトップのスクリーンショットを記録する。”] class tech_T1113 technique action_browser_harvest[“アクション – ブラウザデータ（クッキー、パスワード、履歴）を収集する”] class action_browser_harvest action tech_T1555_003[“手法 – T1555.003 ウェブブラウザからの認証情報 説明: 保存された認証情報とクッキーをブラウザから抽出する。”] class tech_T1555_003 technique action_discord_hijack[“アクション – Discordクライアントを終了し、悪意のあるJavaScriptを挿入する”] class action_discord_hijack action tech_T1539[“手法 – T1539 ウェブセッションクッキーの盗難 説明: ブラウザからアクティブなウェブセッションクッキーを取得する。”] class tech_T1539 technique tech_T1134_003[“手法 – T1134.003 アクセストークンの操作 説明: 認証トークンを盗むまたは偽装する。”] class tech_T1134_003 technique action_c2_exfil[“アクション – ウェブベースC2を介してデータを流出させる”] class action_c2_exfil action tech_T1071_001[“手法 – T1071.001 アプリケーションレイヤープロトコル: ウェブプロトコル 説明: 標準的なウェブトラフィックを使用してコマンドと制御を行う。”] class tech_T1071_001 technique tech_T1102[“手法 – T1102 ウェブサービス 説明: データ流出のためにリモートサーバとウェブサービスを介して通信する。”] class tech_T1102 technique %% Connections mal_vvs_stealer u002du002d>|uses| tech_T1027 mal_vvs_stealer u002du002d>|packaged with| tool_pyinstaller mal_vvs_stealer u002du002d>|obfuscated with| tool_pyarmor mal_vvs_stealer u002du002d>|downloads| action_download_js action_download_js u002du002d>|uses| tech_T1027_006 action_download_js u002du002d>|uses| tech_T1505 action_download_js u002du002d>|establishes persistence via| action_persistence action_persistence u002du002d>|uses| tech_T1037_005 action_persistence u002du002d>|leverages| tech_T1547 action_persistence u002du002d>|displays| action_fake_error action_fake_error u002du002d>|uses| tech_T1562_011 action_fake_error u002du002d>|captures| action_screenshot action_screenshot u002du002d>|uses| tech_T1113 action_screenshot u002du002d>|harvests| action_browser_harvest action_browser_harvest u002du002d>|uses| tech_T1555_003 action_browser_harvest u002du002d>|targets Discord and injects JS| action_discord_hijack action_discord_hijack u002du002d>|uses| tech_T1539 action_discord_hijack u002du002d>|uses| tech_T1134_003 action_discord_hijack u002du002d>|exfiltrates via| action_c2_exfil action_c2_exfil u002du002d>|uses| tech_T1071_001 action_c2_exfil u002du002d>|uses| tech_T1102 “

攻撃フロー

攻撃の説明およびコマンド:
攻撃者は、Windowsワークステーションで低権限ユーザーアカウントを侵害しました。PowerShellドロッパーを使用して、PyInstallerでパッケージ化された悪意のある実行ファイル（VVS_Stealer.exe）を起動し、まずコマンドラインに“PyInstaller”を含むプロセスを生成します。このペイロードは、その後トークンスティーリングの注入ステージに備えて実行中のDiscordクライアントを強制終了します。すべてのアクションは現在のユーザーコンテキストの下で行われ、一つの プロセス生成 イベントがルールの基準に一致する形で生成されます。

ステップバイステップ:
1. 悪意のあるPyInstallerバンドルを %TEMP%.
2. にコピーします。
3. “PyInstaller”という言葉を明示的に含むコマンドラインでそれを実行します。 その悪意のあるバイナリは内部的に その悪意のあるバイナリは内部的に
4. を呼び出してDiscordを終了します。 プロセス生成 終了は、 イメージ フィールドがDiscordの実行ファイルパス（C:Users<user>AppDataLocalDiscordapp-... Discord.exe）に解決され、元の生成コマンドラインが“PyInstaller”を依然として含んでいる

イベントを生成します。 回帰テストスクリプト: notepad.exe プロセスを起動しますが、 PyInstallerでパッケージ化された実行ファイルである かのように振る舞い、コマンドラインにキーワードを埋め込みます。また、Discordプロセスを終了して“Image endswith Discord.exe”という条件を模倣します。

# -------------------------------------------------
# シミュレーションスクリプト – Sigmaルール #f63685c4-feea-431b-a749-55cf8661e6ac をトリガー
# -------------------------------------------------

# 1. Discordが実行中であることを確認します（オプション、停止を保証するために）。
$discordPath = "$env:LOCALAPPDATADiscordapp-1.0.9005Discord.exe"
if (-Not (Get-Process -Name "Discord" -ErrorAction SilentlyContinue)) {
    Start-Process -FilePath $discordPath -WindowStyle Hidden
    Start-Sleep -Seconds 5
}

# 2. コマンドラインに「PyInstaller」を含むダミープロセスを起動します。
#    無害なプレースホルダとして、notepad.exeを使用。
$dummyCmd = "C:WindowsSystem32notepad.exe"
$cmdLine = "PyInstaller_dummy_execution -run $dummyCmd"
Start-Process -FilePath $dummyCmd -ArgumentList $cmdLine -WindowStyle Hidden
Write-Host "[+] PyInstallerキーワードを含むダミープロセスを起動しました。"

# 3. Discordをすぐに終了してDiscord.exeイメージイベントを生成します。
if (Get-Process -Name "Discord" -ErrorAction SilentlyContinue) {
    Stop-Process -Name "Discord" -Force
    Write-Host "[+] Discord.exeを終了しました。"
}

# 4. オプション: 短時間後にダミーのノートパッドウィンドウをクリーンアップします。
Start-Sleep -Seconds 8
Get-Process -Name "notepad" -ErrorAction SilentlyContinue | Stop-Process -Force
Write-Host "[+] クリーンアップ完了。"

クリーンアップコマンド: 以下のPowerShellスクリプトは、検出ルールを発動するために必要な正確なテレメトリを再現します。これは意図的に本物の悪意のあるペイロードを避け、代わりに無害な
```
残存プロセスが残っていないことを確認します。
```

SOC PrimeのDetection as Codeプラットフォームに参加し ビジネスに最も関連性のある脅威に対する可視性を向上させましょう。開始して即座に価値をもたらすためには、今すぐSOC Primeの専門家とのミーティングを予約してください。

無料で参加

Name	Descripiton
PHPSESSID	Preserves user session state across page requests. Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.
sp_i	Used to store information about authenticated User.
sp_r	Used to store information about authenticated User.
sp_a	Used to store information about authenticated User.

Name	Descripiton
tuuid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
tuuid_last_update	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
um	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
umeh	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
na_sc_x	Used by the social sharing platform AddThis to keep a record of parts of the site that has been visited in order to recommend other parts of the site.
APID	Collects anonymous data related to the user's visits to the website.
IDSYNC	Collects anonymous data related to the user's visits to the website.
_cc_aud	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_cc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_dc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_id	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
dpm	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
acs	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
clid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
KRTBCOOKIE_#	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PUBMDCID	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PugT	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
ssi	Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.
_tmid	Registers a unique ID that identifies the user's device upon return visits. The ID is used to target ads in video clips.
wam-sync	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
wui	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
AFFICHE_W	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
B	Collects anonymous data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The registered data is used to categorise the users' interest and demographical profiles with the purpose of customising the website content depending on the visitor.
1P_JAR	These cookies are used to gather website statistics, and track conversion rates.
APISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
HSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
NID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SAPISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SIDCC	Security cookie to protect users data from unauthorised access.
SSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
__utmx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.
__utmxx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.

Name	Descripiton
_hjid	Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInSample	This cookie is associated with web analytics functionality and services from Hot Jar, a Malta based company. It uniquely identifies a visitor during a single browser session and indicates they are included in an audience sample.
intercom-id-[xxx]	This cookie is used by Intercom as a session so that users can continue a chat as they move through the site.
intercom-session-[xxx]	Used to keeping track of sessions and remember logins and conversations.
demdex	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
CookieConsent	Stores the user's cookie consent state for the current domain.
__cfduid	Used by the content network, Cloudflare, to identify trusted web traffic.
ss	These cookies enable the website to provide enhanced functionality and personalisation . They may be set by us or by third party providers whose services we have added to our pages. These services may include the Live Chat facility, Contact Us form(s), the Product Quotation forms and submission process, and the Email Newsletter sign up functionality .

Name	Descripiton
_ga	This cookie name is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page. Registers a unique ID that is used to generate statistical data on how the visitor uses the website. request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
_gat	Used by Google Analytics to throttle request rate. This cookie name is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 10 minutes.
_gid	This cookie name is asssociated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited. Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
IDE	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
r/collect	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
test_cookie	Used to check if the user's browser supports cookies.
collect	Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels.
ads/user-lists/#	These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.
c	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
khaos	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
put_#	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpb	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpx	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
tap.php	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.