A new wave of Windows malware, dubbed NWHStealer, is actively infecting users by masquerading as legitimate software downloads, including fake Proton VPN sites, popular gaming mods, and hardware utility tools. Cybersecurity researchers at Malwarebytes have identified and are tracking multiple campaigns leveraging these deceptive tactics to distribute the information-stealing malware.
Unlike traditional phishing attacks that rely on unsolicited emails, NWHStealer hides inside files that users actively seek out and download. Because the victim initiates the download, the lure is harder to spot and to block, posing a substantial threat to Windows users globally. The attackers are distributing the malware through a broad range of platforms, from code repositories to file-sharing sites and even video descriptions.
The infection mechanism employed by NWHStealer is layered and designed to evade security software at multiple stages. Researchers observed that the malware can be loaded through self-injection or by injecting its malicious code into legitimate Windows processes such as RegAsm.exe, Microsoft’s Assembly Registration Tool. Additional wrappers, including MSI packages and Node.js, are frequently used as the initial loader before the final NWHStealer payload is delivered to the victim’s system.
Inside the NWHStealer Infection Mechanism
The initial infection vector often begins with seemingly harmless executable files disguised as useful software. In one observed scenario, the malware was embedded directly within a legitimate-looking executable, such as HardwareVisualizer.exe. Upon execution, this loader performs several critical actions. It first checks for signs of analysis tools and terminates if any are detected. It then decrypts its strings with a custom decryption function and resolves the Windows API functions it needs through LoadLibraryA and GetProcAddress. Finally, it decrypts the next stage of the payload, which is stored AES-CBC encrypted, using the BCrypt APIs, and loads it. This initial loader also contains junk code intended to slow down analysis and confuse automated security tools, adding a further layer of obfuscation.
Another prevalent distribution method involves fake Proton VPN websites that facilitate infection through DLL hijacking. In these cases, a file that appears to be a WinRAR executable contains a malicious library named WindowsCodecs.dll. This library decrypts two embedded resources, one of which is a secondary DLL, runpeNew.dll. This second-stage DLL then performs process hollowing, injecting the final NWHStealer payload into a running Windows process, such as RegAsm.exe, by utilizing low-level APIs like NtProtectVirtualMemory and NtAllocateVirtualMemory. This technique allows the malware to operate from within a trusted process, further evading detection.
Once the NWHStealer payload has been injected into a system process, it takes further steps to establish persistence and steal sensitive data. The malware uses PowerShell to create hidden directories within the user’s LOCALAPPDATA. To keep those directories out of reach of the antivirus engine, it adds them to the Windows Defender exclusion list and forces a Group Policy update so the new exclusions take effect immediately. It then creates scheduled tasks that run the payload automatically at user logon with elevated privileges, giving the malware a durable foothold on the compromised system.
To bypass User Account Control (UAC) prompts, NWHStealer utilizes a known CMSTP UAC bypass technique. This involves generating a random .inf file in the temporary folder and then using the legitimate cmstp.exe tool to elevate privileges without triggering a visible UAC prompt to the user. This stealthy elevation allows the malware to perform critical actions on the system without raising suspicion.
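The persistence and elevation steps described in the two paragraphs above leave a recognisable trail in process-creation telemetry. The following is an added detection example (not code from the original article or from Malwarebytes): it runs three simple rules over a handful of constructed, simplified process events (field names are stand-ins for Sysmon Event ID 1 or Security 4688 fields, not real captures) and additionally correlates a Group Policy refresh with a preceding Defender exclusion change, since gpupdate on its own is benign.

```python
import re

# Constructed sample process-creation events (simplified stand-ins for
# Sysmon Event ID 1 / Security 4688 fields). Paths and task names are invented.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden Add-MpPreference -ExclusionPath "C:\Users\alice\AppData\Local\svc_cache"'},
    {"image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /au C:\Users\alice\AppData\Local\Temp\x7f3a9.inf"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Updater" /sc onlogon /rl highest /tr "C:\Users\alice\AppData\Local\svc_cache\run.exe"'},
    {"image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe C:\Windows\System32\ras\corp.inf"},  # benign: INF is not in a temp folder
    {"image": r"C:\Windows\System32\gpupdate.exe",
     "cmdline": r"gpupdate /force"},
]

# Each rule maps one behaviour from the article to a command-line pattern.
RULES = [
    ("defender-exclusion-localappdata",
     re.compile(r"Add-MpPreference.*-ExclusionPath.*\\AppData\\Local\\", re.I)),
    ("cmstp-inf-from-temp",
     re.compile(r'cmstp(\.exe)?\b.*\\(Temp|tmp)\\[^\s"]+\.inf', re.I)),
    ("schtask-onlogon-highest-localappdata",
     re.compile(r"schtasks.*/create.*/sc\s+onlogon.*/rl\s+highest.*\\AppData\\Local\\", re.I)),
]

def classify(event):
    """Return the names of every rule the event's command line matches."""
    cmd = event.get("cmdline", "")
    return [name for name, rx in RULES if rx.search(cmd)]

def scan(events):
    """Walk events in order and return (index, rule_names) for each suspicious one.

    A Group Policy refresh is only flagged when an exclusion change was seen earlier,
    mirroring the exclusion-then-gpupdate sequence described for NWHStealer."""
    hits, exclusion_seen = [], False
    for i, ev in enumerate(events):
        names = classify(ev)
        if "defender-exclusion-localappdata" in names:
            exclusion_seen = True
        if exclusion_seen and re.search(r"gpupdate.*/force", ev.get("cmdline", ""), re.I):
            names.append("gpupdate-after-exclusion")
        if names:
            hits.append((i, names))
    return hits

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], names)
```

In production these patterns would be tuned against the environment's baseline; the LOCALAPPDATA and temp-folder qualifiers are what keep legitimate administrative use of Add-MpPreference, cmstp.exe and schtasks from firing.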
The ultimate goal of NWHStealer is to exfiltrate sensitive information. The malware enumerates over 25 folders and registry keys associated with cryptocurrency wallets. It also targets popular web browsers, including Edge, Chrome, Opera, Brave, Chromium, and Firefox, to extract saved credentials, session data, and other sensitive browser information. Stolen data is encrypted using AES-CBC before being transmitted to the attacker’s command-and-control (C2) server. In instances where the primary C2 server becomes unavailable, the malware is equipped with a fallback mechanism: it retrieves a fresh C2 domain through a Telegram-based dead drop resolver. This ensures the malware’s operational continuity even if its infrastructure needs to change.
The breadth of the distribution methods highlights the reach of this campaign: one of the hosts serving malicious ZIP archives was a free web hosting provider, onworks[.]net, that ranks within the top 100,000 websites globally. Archives such as HardwareVisualizer_1.3.1.zip and Sidebar Diagnostics-3.6.5.zip appear entirely legitimate but contain embedded malicious code that starts the infection chain as soon as the contained file is executed.
To reduce the risk of falling victim to malware campaigns like NWHStealer, users are strongly advised to exercise caution when downloading software. Download applications exclusively from official, verified websites and avoid third-party download mirrors. Be particularly wary of files sourced from platforms like GitHub, SourceForge, or general file-sharing sites, and make sure the publisher is trusted and verified. Check the digital signature and publisher details of downloaded executables before running them. Avoid downloading tools or software through links found in YouTube video descriptions or comments, as these are common malware distribution vectors. Finally, before extracting a compressed archive, check the signature and version information of the software it contains.
The ongoing nature of these NWHStealer campaigns and the evolving tactics employed by threat actors suggest that users should remain vigilant. Future developments will likely involve continued refinement of evasion techniques and the discovery of new distribution channels. Staying informed about emerging threats and adhering to rigorous cybersecurity practices are crucial for protecting personal and sensitive data from evolving malware threats.