A newly identified malware called Yunit Stealer has surfaced, posing a serious threat to the security of Windows devices.
This sophisticated malware not only steals sensitive information like passwords and credit card details but also disables antivirus software, allowing it to remain undetected.
What makes Yunit Stealer particularly dangerous is its ability to add itself to Windows Defender’s exclusion list, effectively neutralizing the system’s built-in security measures.
This has the potential to cause significant damage to both personal and corporate systems.
How Yunit Stealer Works
Cybersecurity researchers from CYFIRMA recently conducted a detailed analysis of Yunit Stealer, revealing the malware’s sophisticated methods of infiltration and persistence.
The malware primarily utilises JavaScript to perform a wide range of malicious activities, including retrieving system information, executing commands, and sending HTTP requests.
Yunit Stealer can embed itself deeply into the system by modifying the Windows Registry, adding tasks through batch files and VBScript, and more worryingly, setting exclusions in Windows Defender.
This clever manipulation allows the malware to operate in the background without raising alarms, making it difficult to detect and remove.
By disabling Windows Defender and other security measures, Yunit Stealer can secure its place on the device and continue to exfiltrate information over an extended period.
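The persistence surfaces named above (Defender exclusions, registry run keys, and scheduled tasks driven by batch or VBScript) are all auditable from an elevated PowerShell session. The following script is an added example for defenders and is not code from the CYFIRMA report or from the malware; it assumes the built-in Defender module and the Defender operational event log are available, and the file-extension patterns it flags are an assumption, not indicators from the report.

```powershell
# Added example: audit the persistence points a stealer of this kind touches.
# Run as Administrator. Output is a list of PSCustomObjects (Source, Value) for review.

# 1. Current Defender exclusions, the setting the article says the malware adds itself to.
$pref = Get-MpPreference
$exclusions = @{
    Path      = $pref.ExclusionPath
    Extension = $pref.ExclusionExtension
    Process   = $pref.ExclusionProcess
}
foreach ($kind in $exclusions.Keys) {
    foreach ($item in $exclusions[$kind]) {
        [PSCustomObject]@{ Source = "Defender exclusion ($kind)"; Value = $item }
    }
}

# 2. Recent Defender configuration changes. Event ID 5007 in the Defender operational
#    log records each change; filtering on 'Exclusions' keeps only exclusion edits.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match 'Exclusions' } |
  ForEach-Object {
      [PSCustomObject]@{ Source = "Defender change $($_.TimeCreated)"; Value = ($_.Message -split "`n")[-1].Trim() }
  }

# 3. Run keys and scheduled tasks whose command invokes a script host or a .bat/.vbs/.js file
#    (assumed pattern, chosen to match the batch/VBScript launchers the article describes).
$scriptPattern = 'wscript|cscript|\.bat\b|\.vbs\b|\.js\b'
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
      ForEach-Object { $_.PSObject.Properties } |
      Where-Object { $_.Name -notmatch '^PS' -and "$($_.Value)" -match $scriptPattern } |
      ForEach-Object { [PSCustomObject]@{ Source = "Run key $key"; Value = "$($_.Name) = $($_.Value)" } }
}
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $task.Actions |
      Where-Object { "$($_.Execute) $($_.Arguments)" -match $scriptPattern } |
      ForEach-Object {
          [PSCustomObject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Value = "$($_.Execute) $($_.Arguments)" }
      }
}
```

Any exclusion, run-key entry, or task that no administrator recognises is worth investigating; exclusions covering user-writable directories or script hosts deserve particular scrutiny.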
Targeting Sensitive Data
Yunit Stealer’s primary objective is to collect as much sensitive information as possible. Like many other infostealers, it focuses on gathering data stored in web browsers, including:
- Passwords
- Cookies
- Autofill information
- Credit card details
- Cryptocurrency wallet data
Once it has harvested this information, the malware sends the data to its operators through various channels.
CYFIRMA’s research shows that Yunit Stealer prefers encrypted communication methods such as Discord webhooks and Telegram channels, ensuring the data is transferred securely and discreetly.
The information can also be uploaded to a remote server, where the cybercriminals can access it via a download link.
The link may even include screenshots taken from the infected device, offering further insights to the attackers.
Routing stolen data through legitimate, encrypted services in this way enables Yunit Stealer to exfiltrate it without drawing attention, making it a particularly challenging threat for cybersecurity teams.
Threat Actors and Evasion Techniques
The origins of Yunit Stealer are still under investigation, but it appears to be a relatively new arrival on the malware landscape.
CYFIRMA reported that a Telegram channel associated with the malware was created on August 31, 2024, and currently has only 12 subscribers.
The Discord account linked to Yunit Stealer is currently inactive, but the threat actors are likely using encrypted channels to maintain anonymity and evade detection.
What sets Yunit Stealer apart from many other malware types is its focus on persistence and stealth.
By disabling security tools and hiding in plain sight, Yunit Stealer could remain on an infected device for an extended period, continuing to steal valuable data.
Staying Safe from Yunit Stealer
To safeguard against Yunit Stealer, users are advised to take proactive measures:
- Keep your systems updated: Regularly updating your operating system and software can protect against known vulnerabilities that Yunit Stealer might exploit.
- Use reliable antivirus software: Even though Yunit Stealer can disable some antivirus programs, using a reputable and regularly updated security solution adds an additional layer of protection.
- Avoid suspicious links and downloads: Phishing attacks are often the entry point for malware infections. Be cautious when opening email attachments or clicking on unfamiliar links.
- Monitor your accounts: Regularly check for unusual activity in your online accounts, especially those storing sensitive data like passwords and credit card details.