A new malware called Raven Stealer has emerged and started targeting users of Chromium-based browsers, such as Google Chrome and Microsoft Edge. This malware is designed to harvest credentials and other sensitive information, cybersecurity researchers warn.
According to a blog post published by the team that discovered the infostealer, it spreads through underground forums and cracked software (phishing emails) and uses a unique exfiltration method: the Telegram chat app.
Once installed, Raven Stealer accesses local storage paths and credential vaults on browsers to locate encryption keys. It leverages native Windows API calls to decrypt and extract saved data. The stealer’s primary target is browser-based authentication data, including saved passwords and session cookies, but it also gathers autofill entries, payment data, browsing history, and other data types. After the job is done, the resulting text files are stored in a .zip archive and sent to the attacker’s Telegram channel.
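The behaviour chain described above (a process that is not the browser reads the browser's credential stores, then contacts Telegram) can be turned into a correlation rule. The following is an added detection example, not code from this post or from the researchers it cites; the event schema, host names and paths are constructed, the file names are Chromium's standard profile files, and the Telegram domains are an assumption about where the upload goes.

```python
import ntpath
from collections import defaultdict

# Chromium's standard profile files: wrapped key, passwords, cookies, autofill/cards.
STORE_FILES = {"local state", "login data", "cookies", "web data"}
TRUSTED_BROWSERS = {  # assumed default install paths; verify the signer in production
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}
TELEGRAM_DOMAINS = ("telegram.org", "t.me")  # assumption: public Telegram hosts
WINDOW = 300  # max seconds between store access and Telegram lookup

def is_store(path):
    p = path.lower()
    return "\\user data\\" in p and ntpath.basename(p) in STORE_FILES

def is_telegram(name):
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in TELEGRAM_DOMAINS)

def detect(events):
    """Alert when a non-browser process reads browser stores, then resolves Telegram."""
    reads, alerts = defaultdict(list), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["image"].lower() in TRUSTED_BROWSERS:
            continue  # exempt by full path, so a look-alike name elsewhere is not
        key = (ev["host"], ev["pid"], ev["image"])
        if ev["type"] == "file_access" and is_store(ev["target"]):
            reads[key].append((ev["ts"], ntpath.basename(ev["target"])))
        elif ev["type"] == "dns_query" and is_telegram(ev["target"]):
            files = sorted({f for ts, f in reads[key] if ev["ts"] - ts <= WINDOW})
            if files and key not in alerts:
                alerts[key] = {"host": key[0], "image": key[2], "files": files}
    return list(alerts.values())

# Constructed sample telemetry (hypothetical schema, hosts and paths).
U = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
T = r"C:\Users\alice\AppData\Local\Temp"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE = [dict(zip(("ts", "host", "pid", "image", "type", "target"), r)) for r in [
    (100, "WS-01", 4120, CHROME, "file_access", U + r"\Default\Login Data"),
    (200, "WS-01", 7788, T + r"\installer.exe", "file_access", U + r"\Local State"),
    (205, "WS-01", 7788, T + r"\installer.exe", "file_access", U + r"\Default\Login Data"),
    (230, "WS-01", 7788, T + r"\installer.exe", "dns_query", "api.telegram.org"),
    (300, "WS-01", 9001, T + r"\chrome.exe", "file_access", U + r"\Default\Network\Cookies"),
    (320, "WS-01", 9001, T + r"\chrome.exe", "dns_query", "api.telegram.org"),
    (400, "WS-01", 5150, T + r"\backup.exe", "file_access", U + r"\Default\Web Data"),
    (900, "WS-01", 5150, T + r"\backup.exe", "dns_query", "api.telegram.org"),
]]
```

Feeding this rule requires file-access auditing on the profile files and DNS query logging with process attribution; the five-minute window is an arbitrary starting point to tune.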
Karolis Arbaciauskas, head of product at NordPass, comments:
“The emergence of Raven Stealer is a significant concern. This malware is particularly insidious because it silently targets the data people believe is encrypted and safe within their browsers. Raven Stealer is specifically engineered to search for stored credentials and encryption keys, making the browser’s vault a primary target and a weakness. Raven Stealer’s unique Telegram exfiltration makes detection challenging. Sending information through encrypted messaging channels lets it bypass many conventional security filters. Moreover, this malware is also capable of bypassing many corporate network filters.
“For individuals, probably the simplest and fastest way of dealing with this new threat is a dedicated password manager, which acts as an isolated, encrypted box for credentials and other data. It ensures that even if your browser is compromised, your actual passwords and session cookies remain secure and out of reach.”
To protect against Raven Stealer and other similar threats, Arbaciauskas also advises the following:
- Enable multi-factor authentication (MFA) everywhere because it acts as a vital second line of defense, preventing unauthorized access.
- Avoid using cracked software because it’s dangerous. Only download software from official, trusted sources.
- Carefully scrutinize all emails, especially those with links or attachments. Malware like Raven Stealer often spreads through phishing. Never click on suspicious links or open unexpected attachments, even if they appear to come from a known sender. Remember – if a deal seems too good to be true, it likely is.
- Keep software updated because updates often include critical security patches that protect against known vulnerabilities and exploits.
For companies, centralized password and access rights management is essential. Besides that, Arbaciauskas recommends that you:
- Apply application whitelisting and software restriction policies to ensure that employees only have access to trusted download sources and that only approved applications can run on corporate endpoints.
- Make MFA mandatory for all corporate applications, VPNs, cloud services, and employee accounts.
- Conduct regular cybersecurity training.
- Maintain an expedited patch management program for all operating systems, browsers, and critical applications.
- Segment your network and implement the principle of least privilege for user accounts and applications, restricting their ability to access or modify sensitive data.
- Deploy Data Loss Prevention (DLP) solutions to monitor and prevent unauthorized exfiltration of sensitive company data.
- Regularly back up your data and ensure that backups are stored securely offline.
- Have an incident response plan ready.
Guest Post: Raven Stealer, a new password-stealing malware, targets Google Chrome
Posted in Commentary with tags Nordpass on September 19, 2025 by itnerd