
New SHUYAL malware targets 19 browsers, steals login credentials.

SHUYAL, a new sophisticated information stealer, poses a significant threat by targeting login credentials from 19 popular web browsers. It employs advanced evasion techniques, including disabling Task Manager, and uses multi-stage attacks to exfiltrate data after decrypting stored passwords.


The cybersecurity landscape has recently seen the emergence of SHUYAL, a sophisticated new information stealer. This malware demonstrates an unprecedented scope in its credential harvesting capabilities, posing a significant threat.

SHUYAL is designed to target login credentials from 19 distinct web browsers. Its reach extends from widely used applications such as Google Chrome and Microsoft Edge to privacy-focused alternatives like Tor and Epic. This comprehensive targeting strategy renders SHUYAL particularly dangerous, as it can compromise user credentials irrespective of their preferred browser.

The stealer operates via a multi-stage attack vector. This process commences with system reconnaissance, subsequently progressing to the extraction of credentials and culminating in data exfiltration. To maintain its clandestine operations, SHUYAL employs advanced evasion techniques, including the automatic disabling of Windows Task Manager and sophisticated anti-detection mechanisms.

The malware establishes persistence by copying itself to the Windows Startup folder, leveraging the CopyFileA function to guarantee automatic execution upon system restart. This persistence mechanism is further augmented by aggressive anti-analysis features that actively interfere with security tools and system monitoring.

A particularly notable evasion tactic involves the systematic targeting of Windows Task Manager. Upon execution, SHUYAL enumerates running processes to locate taskmgr.exe and proceeds to terminate it and modify the registry value DisableTaskMgr to 1, effectively preventing users from launching Task Manager to investigate suspicious system activity.

Extensive system reconnaissance is performed by SHUYAL through Windows Management Instrumentation (WMI) commands. This enables the malware to gather detailed information concerning disk drives, input devices, and display configurations.

The credential extraction process employs a sophisticated SQL query: SELECT origin_url, username_value, password_value FROM logins, which is executed directly against browser databases.

Stored passwords are then decrypted by the malware through a multi-step procedure: extracting the Master key from browser Local State files, base64-decoding this key, and finally utilizing the Windows Data Protection API (DPAPI) via CryptUnprotectData for the decryption operations.
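The behaviours described above (a copy dropped into the Startup folder, Task Manager terminated and DisableTaskMgr set to 1, and a non-browser process reading a browser's login database) are each observable in host telemetry. The following triage script is an added example written for this article, not code from the original report or from any vendor; it assumes endpoint events have already been parsed into dicts with the keys `event`, `image`, `target`, `details` and `granted_access` (an assumed, simplified schema modelled loosely on Sysmon fields, not a real product format), and the sample events are constructed.

```python
"""Host-telemetry triage for the SHUYAL behaviours described in the article.

Added example; assumes a simplified, Sysmon-like event schema (keys below are
an assumption of this example, not a real product's field names).
"""
import re
from collections import defaultdict

# Illustrative allowlist: browser processes expected to open their own credential stores.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
CRED_DB = re.compile(r"\\(Login Data|logins\.json)$", re.I)       # Chromium / Firefox stores
DISABLE_TASKMGR = re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I)
PROCESS_TERMINATE = 0x0001   # bit in a Windows process access mask


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Map one event to an indicator name, or None if it is not interesting."""
    kind = event["event"]
    image = basename(event["image"])
    target = event.get("target", "")
    if (kind == "RegistryValueSet" and DISABLE_TASKMGR.search(target)
            and event.get("details") == "DWORD (0x00000001)"):
        return "task_manager_disabled"
    if (kind == "ProcessAccess" and basename(target) == "taskmgr.exe"
            and int(event.get("granted_access", "0x0"), 16) & PROCESS_TERMINATE):
        return "taskmgr_terminate_access"
    if kind == "FileCreate" and STARTUP_DIR.search(target):
        return "startup_folder_persistence"
    if kind == "FileAccess" and CRED_DB.search(target) and image not in BROWSER_IMAGES:
        return "non_browser_credential_db_read"
    return None


def triage(events, threshold=2):
    """Group distinct indicators per source process; flag processes that show
    at least `threshold` of them. A single hit (e.g. Explorer creating a Startup
    shortcut) is common and is left unflagged."""
    indicators = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit and hit not in indicators[ev["image"]]:
            indicators[ev["image"]].append(hit)
    return {img: hits for img, hits in indicators.items() if len(hits) >= threshold}


# Constructed sample telemetry: one suspicious process plus two benign events.
SUSPECT = r"C:\Users\alice\Downloads\invoice.exe"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
CHROME_DB = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": SUSPECT, "target": STARTUP + r"\invoice.exe"},
    {"event": "ProcessAccess", "image": SUSPECT,
     "target": r"C:\Windows\System32\taskmgr.exe", "granted_access": "0x1"},
    {"event": "RegistryValueSet", "image": SUSPECT,
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft"
               r"\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "details": "DWORD (0x00000001)"},
    {"event": "FileAccess", "image": SUSPECT, "target": CHROME_DB},
    # Benign: the browser opening its own store, Explorer creating a shortcut.
    {"event": "FileAccess", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": CHROME_DB},
    {"event": "FileCreate", "image": r"C:\Windows\explorer.exe", "target": STARTUP + r"\Notes.lnk"},
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(hits)}")
```

The threshold is the design choice worth noting: any one of these indicators occurs legitimately (installers write to Startup, browsers read their own databases, administrators set policy values), so the script scores them per process rather than alerting on each event, and the registry check insists on the value 1 so that a policy reset to 0 is not flagged.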
