Underground Market of Commercial Trojans: An Overview of Popular Stealers

Note: This article is for informational and educational purposes only. The development, distribution, or use of malware is illegal and punishable by law.

Commercial Trojans for Sale: Exploring the Underground Malware Market

Ostap Bender once claimed to know at least four hundred relatively honest ways to take money from the public. It’s safe to say that today’s cybercriminals have far surpassed the Great Combinator in their skills. Many operate on the edge of outright crime, and some have crossed that line. Some spam, some scam, some write trojans in their spare time, and others sell them online.

Among commercial trojans, stealers and similar spyware occupy a special niche. It’s no surprise—other people’s secrets have always been valuable. Today, we’ll discuss trojan stealers available for open purchase, their features, capabilities, and ways to combat this global threat. Let’s get started.

N0F1L3

This stealer, with its hard-to-pronounce name, was actively sold online until law enforcement took an interest in its author. The first version was written in .NET, and the second, N0F1L3v2, in C#. The trojan specialized in stealing passwords from browsers like Chrome, Opera, Yandex, Torch, Amiga, Cometa, and Orbitum.

N0F1L3 was sold on several forums at modest prices: $15 and $45 for different versions, with the source code going for $600. The first release required .NET 2.0, used the sqlite3.dll library, and dropped the necessary file to disk based on the Windows architecture. Stolen passwords were saved in an HTML-formatted text file on the infected machine and then uploaded to a server.

The second version had no dependencies, theoretically allowing it to run on a clean system. It also added the ability to steal data from Firefox. The stealer collected cookies, autofill data, and passwords from browsers, copied files with .doc, .docx, .txt, and .log extensions from the desktop, and stole FileZilla FTP client files. It also targeted cryptocurrency wallets (BTC, BCN, DSH, ETH, LTC, XMR, ZEC), storing everything in local folders before uploading it as an archive to a command server.

N0F1L3 came with a PHP-based admin panel for viewing statistics and logs. The author also offered related services: updates, support for new browsers, and technical assistance. The stealer was soon resold on many platforms, and after the author’s legal troubles, it was released publicly. Its source code and builds can still be found on various forums.

Detection Methods

  • All versions and modifications of N0F1L3 are well-detected by antivirus software.
  • The earlier version saves stolen data to %LOCALAPPDATA%\f.txt.
  • N0F1L3v2 creates folders in %TEMP% named Browsers, Wallets, Files, and Directory, containing files like Passwords.txt, Cookie.txt, CC.txt, and Autofill.txt.
  • N0F1L3 does not hide itself, making detection straightforward.

Kratos

Another stealer from the same author, likely named after the God of War character. Kratos was almost entirely rewritten in C++, with many functions starting with anti-debugging assembly code that checks the BeingDebugged flag in the PEB structure. If the trojan detects it’s running under a debugger, it terminates itself.

In addition to previous features, Kratos can take screenshots (saved as %TEMP%\screenshot.bmp) and copy files from the Telegram Desktop client folder. It also checks the registry for Steam and, if found, steals configuration files. All stolen data is archived and sent to the command server via a POST request.

Kratos used an admin panel similar to N0F1L3. The developer sold it for about 5,000 rubles, but it was quickly resold for as little as 1,500 rubles or even for likes and reviews. After the author was doxxed, Kratos was released for free and spread widely online.

Detection Methods

  • Antivirus software easily detects Kratos.
  • Look for the same folders in %TEMP% as N0F1L3, plus Telegram and Steam directories.

AZORult

AZORult is a well-known commercial stealer with a wide range of features. It can steal saved passwords, form data, and cookies from 33 browsers. The admin panel includes a converter for viewing cookies in JSON format.

AZORult can extract passwords from Outlook and Thunderbird, FTP clients (FileZilla, WinSCP), IM clients (Pidgin, Psi/Psi+), Skype chat logs, Telegram session IDs, and Steam files. It can steal wallets for 38 cryptocurrencies. It can also search for files by name, size, or mask, collect system and hardware info (including geolocation, installed apps, and running processes), and download and execute files from the command server. It can self-delete after sending a report if enabled in the admin panel and supports .bit domains. The executable is about 110 KB uncompressed, shrinking to 40 KB when packed. The price was $100.

In October, the author released an update allowing AZORult to be packed into Word or Excel documents, infecting users who open them. In early 2019, it was also spread disguised as a Google Update utility, signed with a valid certificate.

Detection Methods

  • The command server address is stored encrypted in the stealer’s body (Base64 with a custom dictionary and RC4).
  • AZORult uses sockets for server communication, with data obfuscated.
  • It stores downloaded libraries in %appdata%\1Mo\, which is a key sign of infection.
  • Antivirus detection varies due to frequent repacking and builder use.

Eredel

Eredel is a commercial stealer written in C# with standard features: stealing cookies and passwords from Chromium-based browsers, taking screenshots, copying files from FileZilla and Telegram folders, and grabbing images, archives, and documents left on the desktop. It’s managed via a web admin panel and features a special Telegram bot for configuration. Eredel sells for about 2,500 rubles.

Detection Methods

  • Eredel is well-detected by popular antivirus software.
  • It creates a %TEMP% folder with a hexadecimal name (e.g., 0deb54d04c2140bb95d9d3f4919184aa), containing screen.jpg and folders named desktop and cookies.
  • To remove, start by clearing temporary directories.

Kpot

Kpot is a small, non-resident trojan (under 90 KB uncompressed), written in C/C++ with anti-debugging assembly code, similar to Kratos. It can take screenshots, steal cookies, passwords, and autofill data from Chromium- and Mozilla-based browsers, and extract stored credentials from MSIE 6–11. For Mozilla, it parses key3.db and signons.sqlite using TinySQL.

Kpot can steal Bitcoin, Namecoin, Monero, Electrum, Ethereum, and Bytecoin wallets, accounts from Psi, Psi+, and Pidgin, Skype chat logs, Telegram session files, Discord and Battle.Net session files, Steam files, and FTP credentials from FileZilla, WinSCP, wsFtp, and Total Commander. It can search for files by name, size, and mask on both local and network drives. All stolen data is archived as .cab and uploaded to the command server.

The developer enabled loading and running executables via loadpe. On 32-bit Windows, it runs in the calling process; on 64-bit, it injects into cmd.exe. After launch, it sends system info to the server. Kpot is managed via a web panel and sold for $65. It does not work in CIS countries, likely to avoid legal trouble, though this is not always effective.

Detection Methods

  • Kpot creates many files in %TEMP% with ten-digit names, then deletes them.
  • Manual detection is difficult, but its activity can be seen in network traffic analyzers.
  • One common C&C address: seeyouonlineservice.com.
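To make the network-side notes actionable, here is an added example (not code from the article) that triages a constructed DNS resolver log for the Kpot C&C domain named above and for .bit names, the Namecoin TLD that AZORult is described as supporting; the log line format and the sample client addresses are assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed resolver log sample (not real traffic); the line format is an assumption:
# "<timestamp> <client-ip> query: <qname>"
SAMPLE_DNS_LOG = """\
2019-03-04T10:02:11Z 10.0.5.23 query: www.example.com
2019-03-04T10:02:15Z 10.0.5.23 query: seeyouonlineservice.com
2019-03-04T10:03:40Z 10.0.5.41 query: updates.example.org
2019-03-04T10:04:02Z 10.0.5.41 query: panel.example.bit
2019-03-04T10:04:09Z 10.0.5.23 query: cdn.seeyouonlineservice.com
"""

# Kpot C&C domain named in the detection notes; the .bit TLD is flagged because
# AZORult supports Namecoin .bit domains, which public DNS cannot resolve at all.
KNOWN_C2_DOMAINS = {"seeyouonlineservice.com"}
SUSPICIOUS_TLDS = {"bit"}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)$")

class Hit(NamedTuple):
    ts: str
    client: str
    qname: str
    reason: str

def classify(qname: str) -> Optional[str]:
    """Return why a queried name is suspicious, or None if it is not."""
    name = qname.lower().rstrip(".")           # normalise case and trailing dot
    for c2 in KNOWN_C2_DOMAINS:                 # the domain itself or any subdomain
        if name == c2 or name.endswith("." + c2):
            return f"known C&C domain {c2}"
    tld = name.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        return f"query for .{tld} name (not resolvable via public DNS)"
    return None

def triage(log_text: str) -> List[Hit]:
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                             # skip malformed lines, keep going
        reason = classify(m["qname"])
        if reason:
            hits.append(Hit(m["ts"], m["client"], m["qname"], reason))
    return hits

if __name__ == "__main__":
    for h in triage(SAMPLE_DNS_LOG):
        print(f"{h.ts} {h.client} -> {h.qname}: {h.reason}")
```

A hit on the C&C domain identifies the client address to image; .bit lookups are a weaker signal on their own and are worth correlating with the host artifacts listed per family.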

Arkei

Arkei is one of the most widespread commercial stealers. The executable is only 96 KB and offers standard features: sending system info to the server, copying desktop files, taking screenshots, collecting saved forms, logins, passwords, browser history and cookies (16 browsers are supported), stealing Bitcoin and Ethereum wallets and FileZilla data, and downloading and executing files on command (including an autorun registry modification).

Arkei comes with a web admin panel and was sold for 3,000 rubles. As of February 2019, it stopped updating, but the project continues as a private stealer.

Detection Methods

  • Arkei copies its executable to Local Settings\Temp of the current user.
  • Stolen data is saved in %PROGRAMDATA% in a folder with a 14-character name, with a nested \files\ directory containing text files with passwords, browser history, cookies, etc.
  • Detected by most antivirus software, often by its packer.

Pony

Pony is less popular among malware authors, though recently a developer creating admin panels for it was arrested. Pony’s source code can be found on GitHub. It can steal data from Chromium- and Mozilla-based browsers, dozens of FTP clients, and email clients like PocoMail, IncrediMail, The Bat!, Outlook, and Thunderbird. It also targets popular cryptocurrency wallets.

Detection Methods

  • Pony is well-known and detected by antivirus software.
  • Its public availability means little privacy for users or operators.

Predator The Thief

This stealer, weighing about 430 KB, sells for 2,000 rubles. The package includes the trojan build, admin panel, setup manual, warranty card, and even headphones. In addition to standard features (screenshots, stealing forms, passwords, browser history, desktop and FTP files, Telegram sessions), Predator can capture images from the infected device’s webcam—a unique feature for those wanting to spy on someone.

Detection Methods

  • Many Predator variants exist, most detected by modern antivirus software.
  • On launch, it creates a file with a long hexadecimal name in C:\Documents and Settings\<USER>\Application Data\ and runs it via schtasks.exe.
  • Stolen data is stored in %APPDATA%\roaming\ptst\.
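As a host-side counterpart to the per-family detection notes above (N0F1L3, Kratos, AZORult, Eredel, Kpot, Arkei and Predator), here is an added example, not code from the article, that turns those filesystem artifacts into rules and runs them over a constructed file listing; the base folders, the sample user name and the sample paths are assumptions.

```python
import re
from typing import Iterable, List, Tuple

# Stand-ins for %LOCALAPPDATA%, %TEMP%, %APPDATA%, %PROGRAMDATA% (assumed sample user).
BASES = {"LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
         "TEMP": r"C:\Users\alice\AppData\Local\Temp",
         "APPDATA": r"C:\Users\alice\AppData\Roaming",
         "PROGRAMDATA": r"C:\ProgramData"}

# (family, base folder, regex over the path relative to that base), taken from the
# detection notes above; matched case-insensitively over the whole relative path.
RULES: List[Tuple[str, str, str]] = [
    ("N0F1L3 v1", "LOCALAPPDATA", r"f\.txt"),
    ("N0F1L3v2/Kratos", "TEMP", r"(Browsers|Wallets|Files|Directory)\\(Passwords|Cookie|CC|Autofill)\.txt"),
    ("Kratos", "TEMP", r"screenshot\.bmp"),
    ("AZORult", "APPDATA", r"1Mo\\.+"),
    ("Eredel", "TEMP", r"[0-9a-f]{32}\\(screen\.jpg|desktop\\.*|cookies\\.*)"),
    ("Kpot", "TEMP", r"\d{10}"),                     # transient: Kpot deletes these after use
    ("Arkei", "PROGRAMDATA", r"[^\\]{14}\\files\\.+"),
    ("Predator", "APPDATA", r"(roaming\\)?ptst\\.+"),  # page writes %APPDATA%\roaming\ptst\
]

def scan(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (family, path) for every path that matches one of the artifact rules."""
    hits = []
    for p in paths:
        for family, base_key, pattern in RULES:
            base = BASES[base_key]
            if not p.lower().startswith(base.lower() + "\\"):
                continue                                  # rule applies to another base
            rel = p[len(base) + 1:]
            if re.fullmatch(pattern, rel, re.IGNORECASE):
                hits.append((family, p))
    return hits

# Constructed file listing (not from a real machine): eight artifacts and two benign files.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\f.txt",
    r"C:\Users\alice\AppData\Local\Temp\Browsers\Passwords.txt",
    r"C:\Users\alice\AppData\Local\Temp\screenshot.bmp",
    r"C:\Users\alice\AppData\Roaming\1Mo\lib.dll",
    r"C:\Users\alice\AppData\Local\Temp\0deb54d04c2140bb95d9d3f4919184aa\screen.jpg",
    r"C:\Users\alice\AppData\Local\Temp\1234567890",
    r"C:\ProgramData\abcdefghijklmn\files\passwords.txt",
    r"C:\Users\alice\AppData\Roaming\ptst\report.zip",
    r"C:\Users\alice\AppData\Local\Temp\notes.txt",
    r"C:\ProgramData\Microsoft\files\x.txt",
]
```

scan() accepts any iterable of full paths, so on a live machine the listing can come from os.walk over the four base folders; file names alone are a triage signal, not proof, so confirm hits against the antivirus verdicts the notes mention.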

Conclusion

To paraphrase a classic, all commercial stealers are similar, but each works in its own way. The variety is vast, so those engaged in computer espionage can always find something to their taste. However, it’s crucial to remember that developing, distributing, or using malware is a criminal offense with severe legal consequences. Some only realize this when it’s already too late.
