In a recent post on the Russian-language dark web forum Exploit.in, a new version of the Prysmax information-stealing malware (v1.0.2) was unveiled, boasting sophisticated evasion tactics and integration with underground marketplaces. This latest iteration represents a significant evolution in cybercriminal tools, moving from Python to Rust to bypass antivirus detection, expand its capabilities, and penetrate deeper into various online ecosystems. The malware’s shift to a more advanced architecture signals a growing trend in cybercrime sophistication, where actors continuously refine their strategies to increase efficiency and scale.
Summary:
The newly released Prysmax v1.0.2, now based on Rust, showcases improvements in execution speed, evasion tactics, and integration with underground log marketplaces. It claims to bypass 95% of antivirus detection and targets a wide range of assets, including passwords, cryptocurrency wallets, and browser cookies. The malware’s key innovation lies in its ability to automate credential harvesting from over 40 Chromium-based browsers and 70 cryptocurrency extensions, with a particular focus on Ethereum and Bitcoin wallets. Additionally, its integration with Telegram bots for communication and data exfiltration follows similar trends seen in other recent stealers. With a Malware-as-a-Service model, Prysmax is sold on dark web platforms, where stolen data is cataloged and sold. To counter this, cybersecurity teams must adopt behavioral analytics and proactive defensive measures, such as isolating cryptocurrency transactions and enforcing multi-factor authentication (MFA).
What Undercode Says:
The emergence of Prysmax v1.0.2 highlights a significant shift in the landscape of cybercrime. Traditionally, many information-stealing malware variants relied on easily detectable languages like Python, but the migration to Rust signifies a leap forward in sophistication. Rust’s memory safety and performance enhancements make it an ideal language for malicious actors seeking to avoid detection, increase execution speed, and complicate reverse engineering efforts. The adoption of this language, alongside improvements in code obfuscation, is a clear indicator that threat actors are refining their tactics to outpace security measures.
One of the most notable features of Prysmax v1.0.2 is its claim to bypass 95% of antivirus solutions. This is no small feat, as it demonstrates that the malware is not only evolving in terms of code complexity but also adapting to the increasing sophistication of defensive measures. The focus on bypassing detection systems underscores the growing emphasis on stealth in the cybercrime world. By utilizing techniques like manipulating Windows Defender settings and disabling real-time protection, Prysmax operators are ensuring that the malware operates undetected for longer periods, which is crucial for exfiltrating valuable data.
The integration of Prysmax with Telegram bots for command and control (C2) communication and data exfiltration further showcases the malware’s sophistication. Telegram, being a widely used messaging app, provides a convenient and secure communication channel for malware operators. The use of this platform also highlights the convergence of tactics seen in other modern stealers like Fickle Stealer and Mystic Stealer. This trend points to a growing reliance on established tools and platforms to streamline operations and reduce the chances of detection.
Another significant shift in Prysmax v1.0.2 is its expanded target scope. Whereas earlier versions of the malware primarily focused on stealing Ethereum and Bitcoin wallets, the new iteration casts a wider net, targeting over 70 cryptocurrency extensions and 40+ Chromium-based browsers. This increase in targets shows that Prysmax is evolving alongside the growing use of cryptocurrency and the increasing number of users relying on browser-based wallets. The malware’s focus on stealing not only passwords but also cryptocurrency assets and browser cookies further emphasizes the importance of securing digital identities and wallets in today’s interconnected world.
The Malware-as-a-Service (MaaS) model adopted by the Prysmax operators is another critical aspect of its evolution. Since 2022, they have been offering their malware tool to others, creating a thriving underground marketplace where stolen credentials are bought and sold. This MaaS model is a growing trend in cybercrime, making sophisticated malware more accessible to even those with limited technical expertise. The marketplace integration of Prysmax is particularly noteworthy, as it reflects the ongoing professionalization of cybercrime operations. The sale of stolen data in these underground markets is becoming increasingly lucrative, with logs fetching anywhere from $2 to $500 depending on their quality. This commodification of stolen credentials underscores the economic drivers of modern cybercrime, where actors are incentivized to continuously refine their tools and expand their victim pool.
The significant increase in stolen logs available on marketplaces like 2easy and Russian Market highlights the scale at which information stealers like Prysmax are operating. As observed in 2023 and 2024, the inventory of stolen data in these markets grew by a staggering 670%, driven by the activities of malware like Raccoon, RedLine, and Vidar. This trend demonstrates that Prysmax is part of a larger, systemic shift in cybercrime where malware variants are becoming more modular, sophisticated, and interconnected.
From a defensive perspective, organizations must be vigilant in adapting to the changing tactics, techniques, and procedures (TTPs) employed by Prysmax. Signature-based detection is increasingly ineffective, as evidenced by the malware’s high evasion rates. Instead, cybersecurity teams must rely on behavioral analytics, which can identify anomalous activity patterns that indicate a breach. Key detection points, such as abnormal PowerShell execution and registry modifications that disable firewall profiles, should be closely monitored. The deployment of Sigma rules targeting specific processes and events tied to UUID enumeration and Windows Defender preferences can also enhance detection capabilities.
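As an added illustration of the detection points listed above (not code from the original post or from any vendor), the following Python stand-in for a small Sigma-style rule set runs over constructed, Sysmon-like events and flags PowerShell tampering with Windows Defender preferences, registry writes that disable a firewall profile, machine UUID enumeration, and PowerShell launched with bypass flags or from a user-writable directory. The event field names and the sample events are assumptions for the example, not real Prysmax telemetry.

```python
import re

# Constructed sample events modelled on Sysmon Event ID 1 (process create) and
# Event ID 13 (registry value set); they are not telemetry from a real Prysmax sample.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "cmd": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "
            "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "cmd": "wmic csproduct get uuid"},
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
               r"\FirewallPolicy\StandardProfile\EnableFirewall",
     "details": "DWORD (0x00000000)"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Reports"},
]

FIREWALL_RE = re.compile(r"\\FirewallPolicy\\\w+Profile\\EnableFirewall$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|ProgramData)\\", re.I)

def defender_tamper(e):
    """Set-MpPreference used to disable protection or add exclusions."""
    c = e.get("cmd", "").lower()
    return e["id"] == 1 and "set-mppreference" in c and ("-disable" in c or "-exclusion" in c)

def firewall_profile_disabled(e):
    """EnableFirewall for any profile written as DWORD 0 (profile turned off)."""
    return (e["id"] == 13 and FIREWALL_RE.search(e.get("target", "")) is not None
            and e.get("details", "").endswith("(0x00000000)"))

def uuid_enumeration(e):
    """Machine UUID lookup via WMIC/WMI, a common host-fingerprinting step."""
    c = e.get("cmd", "").lower()
    return e["id"] == 1 and "uuid" in c and ("csproduct" in c or "computersystemproduct" in c)

def abnormal_powershell(e):
    """PowerShell with bypass/encoded flags, or spawned from a user-writable path."""
    c = e.get("cmd", "").lower()
    is_ps = e["id"] == 1 and e["image"].lower().endswith("powershell.exe")
    risky = "-executionpolicy bypass" in c or " -enc" in c or "-encodedcommand" in c
    return is_ps and (risky or USER_WRITABLE_RE.search(e.get("parent", "")) is not None)

RULES = {"defender_preference_tamper": defender_tamper,
         "firewall_profile_disabled": firewall_profile_disabled,
         "machine_uuid_enumeration": uuid_enumeration,
         "abnormal_powershell_launch": abnormal_powershell}

def evaluate(events):
    """Return a sorted list of (rule_name, event_index) for every rule that fires."""
    return sorted((n, i) for i, e in enumerate(events) for n, r in RULES.items() if r(e))

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        print(f"{name}: event {idx}")
```

The benign fourth event (PowerShell started by explorer.exe with no risky flags) produces no hit, which is the behaviour a rule set of this kind needs to keep alert volume manageable.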
Moreover, organizations should consider proactive defensive measures such as isolating cryptocurrency transactions via hardware wallets and enforcing multi-factor authentication (MFA) for password managers. As Prysmax has shown, it is crucial to secure both digital identities and the systems that store them. With the rising tide of targeted attacks against cryptocurrency holders, these measures become essential to safeguarding financial assets from increasingly sophisticated malware.
In conclusion, Prysmax v1.0.2 exemplifies the ongoing evolution of cybercrime, where threat actors continually refine their tactics to stay one step ahead of defenders. Its adoption of Rust, expansion of target platforms, and integration with dark web marketplaces signal a new era of information-stealing malware that organizations must be prepared to combat. By embracing behavioral analytics, proactive defenses, and monitoring the underground ecosystem, cybersecurity professionals can better equip themselves to defend against the growing threat posed by Prysmax and similar malware.
References:
Reported By: https://cyberpress.org/prysmax-stealer-v1-0-2/