Delaware, USA – December 2, 2019 – New malware collects credentials saved in the Google Chrome and abuses MongoDB instead of connecting to command-and-control infrastructure. CStealer is a simple trojan discovered by MalwareHunterTeam and analyzed by security researcher @James_inthe_box. What makes it special is the way of exfiltrating stolen information: the malware leverages hardcoded credentials and misuses MongoDB C Driver connecting to the MongoDB database and saving passwords. Taking off the table the use of command-and-control servers has both obvious advantages and disadvantages. Security solutions are unlikely to mark such traffic as suspicious, but as a result of malware analysis, anyone (a security researcher or a cybercriminal) can gain access to the database containing stolen information.
CStealer trojan is not a very serious threat, and there are thousands of other malware families that have wider functionality, but the fact that traffic to MongoDB databases can be malicious is disappointing. More advanced cybercriminal groups can also take on this idea for quick credentials collection operations. You can use Netflow Security Monitor rule pack to enable real-time traffic profiling and help your security solution to discover volume-based data leakage or attacks without signatures: https://my.socprime.com/en/integrations/netflow-security-monitor