uTalk

Official forum for Utopia Community

You are not logged in.

#1 2023-05-27 23:43:56

thrive
Member
Registered: 2023-01-04
Posts: 2,575

Targeting web browsers & crypto wallets, new stealthy bandit thief

Security researchers are paying attention to a new stealthy information thief malware called Bandit Stealer because it can target a variety of web browsers and cryptocurrency wallets.

Bandit Stealer was created using the Go programming language, which might enable cross-platform compatibility, according to a report released on Friday by Trend Micro.

Utilizing the legitimate command-line tool runas, the malware is currently concentrated on attacking Windows systems. exe that enables users to run programs under a different user's account with different permissions.

The intention is to increase privileges and run the program with administrative access so that it can effectively get around security measures and collect huge amounts of data.

However, in order to run the malware binary as an administrator, one must first provide the required credentials due to Microsoft's access control mitigations to prevent unauthorized execution of the tool.


By utilizing runas.
exe command, users can run programs as an administrator or any other user account with the necessary privileges, providing a more secure environment for running crucial applications or carrying out system-level tasks," Trend Micro said.

The current user account may not have the necessary permissions to run a particular command or program, which is when this utility is most helpful. ".

In order to hide its presence on the compromised system, Bandit Stealer terminates a list of blocklisted processes and incorporates checks to see if it is running in a sandbox or virtual environment.

Before starting its data collection activities, which include gathering personal and financial data stored in web browsers and cryptocurrency wallets, it also establishes persistence by making changes to the Windows Registry.

According to reports, Bandit Stealer is spread through phishing emails that include a dropper file that opens a seemingly innocent Microsoft Word attachment to divert attention while simultaneously starting the infection.

In order to trick users into running the embedded malware, Trend Micro claimed to have found a fake installer for Heart Sender, a service that automates the process of sending spam emails and SMS messages to many recipients.

The news comes after a cybersecurity company discovered a Rust-based information thief targeting Windows that uses a GitHub Codespaces webhook under the attacker's control as an exfiltration channel to steal a victim's web browser credentials, credit card information, cryptocurrency wallets, and Steam and Discord tokens.

By altering the installed Discord client to inject JavaScript code intended to collect information from the application, the malware, using a relatively uncommon tactic, maintains persistence on the system.

The discoveries come in the wake of the appearance of several commodity-stealing malware strains, including Luca, StrelaStealer, DarkCloud, WhiteSnake, and Invicta Stealer, some of which have been seen spreading through spam emails and fake versions of well-known programs.

The use of YouTube videos to promote pirated software through hacked channels with millions of subscribers is another noteworthy trend.

Data collected from thieves can be used by operators for a variety of purposes, including identity theft, monetary gain, data breaches, credential stuffing attacks, and account takeovers.

Aside from being sold to other parties, the stolen data can also be used as the basis for additional attacks, such as ransomware or extortion attempts or targeted marketing campaigns.

These developments show how stealth malware is developing into a more dangerous threat just as the malware-as-a-service (MaaS) market makes it easier for would-be cybercriminals to get started and makes it more accessible.

According to data gathered by Secureworks' Counter Threat Unit (CTU), there is a "thriving infostealer market," with the amount of stolen logs appearing on darknet markets like Russian Market increasing by 670 percent between June 2021 and May 2023.

Russian Market, which is ten times more than its closest forum competitor 2easy, offers five million logs for sale, according to the business.

Among Russian cybercriminals, the Russian Market is well-established, and threat actors from all over the world frequently use it. Recently, three new thieves' logs were added to Russian Market, indicating that the website is actively adjusting to the rapidly shifting e-crime landscape. ".

Despite its growing sophistication, the MaaS ecosystem has also been in flux, with threat actors selling their warez on Telegram as a result of law enforcement actions.

According to Don Smith, vice president of Secureworks CTU, "What we are seeing is an entire underground economy and supporting infrastructure built around infostealers, making it not only possible but also potentially profitable for relatively low skilled threat actors to get involved.".

Cybercriminals are skilled at reshaping their routes to market, despite coordinated global action by law enforcement having some effect. ".

Offline

Board footer

Powered by FluxBB