NEWS Delphi, C++, and Boundless Audacity: Raven Stealer Turns Telegram into a Data Exfiltration Channel

ExcalibuR

Your antivirus stays silent while Raven Stealer is already siphoning your money.

Specialists from the Lat61 Threat Intelligence Team have presented a detailed analysis of the Raven Stealer malware—a lightweight and stealthy information stealer written in Delphi and C++. The report reveals its capabilities for stealing credentials and information from browsers, its methods for covertly transmitting stolen data via Telegram, and how it is distributed through pirated software and underground channels.

Raven Stealer emerged as a new generation of data-stealing malware. Its key features are minimal user interaction, well-designed camouflage, and the instant transmission of stolen information through built-in Telegram integration. The malware can harvest account details from applications, extract passwords, cookies, browsing history, and autofill data from Chromium-based browsers. All of this is transmitted to the attacker in real-time, making the threat particularly dangerous for both home and corporate systems.

Distribution occurs through pirated software and shadow forums. Thanks to a built-in resource editor, threat actors can directly embed a configuration with Telegram tokens into the binary, simplifying operations even for less experienced operators. A user-friendly graphical interface is provided for configuration: the user enters a Chat ID and Bot Token, after which a generator embeds this data into the executable file. Each generated sample is assigned a random 12-character name, and the binary can be packed using UPX. This combination complicates static analysis and helps evade signature-based defenses.

Analysis of a sample revealed that the executables were compiled in Delphi and Visual C++, with the Telegram configuration parameters stored in plain text. Furthermore, a heavily obfuscated DLL module was discovered inside. This DLL is loaded into memory via the BeginUpdateResource API and is then used to inject code into a trusted browser process.

The injection mechanism relies on a reflective process hollowing method: Chromium is launched in a suspended state, after which the decrypted module (protected with ChaCha20) is loaded into it. This approach allows the stealer to masquerade as a legitimate process and evade behavioral analysis. The collected data is written to the %Local%\RavenStealer directory. Text files are created there: cookies.txt, passwords.txt, and payment.txt, containing cookies, logins with passwords, and payment data. Additionally, a screenshot of the desktop is taken. All information is archived into admin_RavenStealer.zip and sent via the Telegram API. In the investigated case, the transfer was interrupted by a 404 error due to an incorrect token.

The analysis confirmed that Raven Stealer accesses the AES key in the Edge browser's Local State file to decrypt cookies and credentials. After successful processing, the information is saved as plain text files, making it easy for the threat actor to use them for session hijacking, account login, and fraudulent transactions.

To prevent infections, it is necessary to avoid downloading cracked applications, keep the system and software updated, monitor process activity and network connections—especially those related to the Telegram API. Solutions with behavioral analysis and real-time monitoring, capable of detecting suspicious encryption and process injections, are effective.
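The two monitoring points above (the %Local%\RavenStealer drop folder and its files, and Telegram API traffic coming from a process that is not a Telegram client) can be turned into a simple detection pass over endpoint telemetry. The following is an added example, not code from the report or the Lat61 team; it assumes simplified Sysmon-style events (file_create and dns_query), that %Local% means %LOCALAPPDATA%, and an allow-list of processes expected to talk to api.telegram.org (all constructed for illustration).

```python
import re

# Artifacts the report attributes to Raven Stealer: drop directory, dropped files, exfil archive.
RAVEN_DIR_RE = re.compile(r"\\RavenStealer\\", re.IGNORECASE)
RAVEN_FILES = {"cookies.txt", "passwords.txt", "payment.txt", "admin_RavenStealer.zip"}
TELEGRAM_API_HOST = "api.telegram.org"
# Assumed allow-list: processes for which a Telegram API lookup is expected (tune per environment).
TELEGRAM_CLIENTS = {"telegram.exe"}


def is_raven_file_drop(event):
    """True for any file written under a RavenStealer folder or named like its known artifacts."""
    if event.get("type") != "file_create":
        return False
    path = event["target"]
    name = path.rsplit("\\", 1)[-1].lower()
    return bool(RAVEN_DIR_RE.search(path)) or name in {f.lower() for f in RAVEN_FILES}


def is_unexpected_telegram_connection(event):
    """True when a non-Telegram process (e.g. a hollowed browser) resolves api.telegram.org."""
    if event.get("type") != "dns_query":
        return False
    proc = event["image"].rsplit("\\", 1)[-1].lower()
    return event["query"].lower() == TELEGRAM_API_HOST and proc not in TELEGRAM_CLIENTS


def detect(events):
    """Return (rule, process, indicator) tuples for every matching event, in input order."""
    findings = []
    for e in events:
        if is_raven_file_drop(e):
            findings.append(("raven_artifact", e["image"], e["target"]))
        elif is_unexpected_telegram_connection(e):
            findings.append(("telegram_exfil_channel", e["image"], e["query"]))
    return findings


# Constructed sample telemetry (not from the report): a benign write, a stealer-style drop,
# a Telegram lookup from the real client, and the same lookup from a browser process.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\a\Documents\notes.txt"},
    {"type": "file_create", "image": CHROME, "target": r"C:\Users\a\AppData\Local\RavenStealer\passwords.txt"},
    {"type": "dns_query", "image": r"C:\Users\a\AppData\Roaming\Telegram Desktop\Telegram.exe", "query": "api.telegram.org"},
    {"type": "dns_query", "image": CHROME, "query": "api.telegram.org"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

A browser legitimately visiting api.telegram.org will also trip the second rule, so in practice the allow-list and a correlation with a prior suspended-process start of the same browser keep the false-positive rate down.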

Raven Stealer is a dangerous example of a "commodity" info-stealer: easy to configure, stealthy, and capable of bypassing traditional security measures. Its flexible architecture and use of a messenger for data exfiltration make it a relevant threat for companies and private users alike, underscoring the need for multi-layered protection and vigilant monitoring of workstations.