uTalk

thrive

Member

Registered: 2023-01-04

Posts: 2,068

Newly discovered Windows-based third-eye malware steals sensitive data

ThirdEye, a previously unknown Windows-based information thief with the ability to gather private information from infected hosts, has been found in the wild.

The malware was found, according to Fortinet FortiGuard Labs, in an executable that had the ruse name "CMK равила оормлени олнин листов" and appeared to be a PDF file.
pdf.
exe," which is an acronym for "CMK Rules for Issuing Sick Leaves.
pdf.
exe.
".

Although the malware's entry point is currently unknown, the nature of the lure suggests that a phishing campaign may have used it. The first ThirdEye sample, which had comparatively fewer features, was uploaded to VirusTotal on April 4, 2023.

The evolving stealer, like other malware families of its kind, is capable of gathering system metadata, including volume information, the total and free disk space on the C drive, the total and free space used by processes currently running on the system, the usernames registered on the system, the date and vendor of the BIOS, and more. The gathered information is then sent to a command-and-control (C2) server.

The malware's notable characteristic is that it beacons its presence to the C2 server using the string "3rd_eye.".

No evidence has been found that ThirdEye has been used in the wild. Having said that, it's likely that the malicious activity is directed at organizations that speak Russian given that the majority of the stealer artifacts uploaded to VirusTotal originated from that country.

According to Fortinet researchers, the malware is "not particularly sophisticated, but it is designed to steal various information from compromised machines that can be used as stepping-stones for subsequent attacks." They added that the data gathered is "valuable for understanding and narrowing down potential targets.". ".

The development occurs at the same time that cryptocurrency miners and Umbral, an open-source stealer written in C that exfiltrates data of interest using Discord Webhooks, are being spread via trojanized installers for the well-known Super Mario Bros video game franchise that are hosted on dubious torrent sites.

According to Cyble, "the combination of mining and stealing activities results in financial losses, a marked decline in the victim's system performance, and the depletion of valuable system resources.".

Information-stealing malware.

chain of infection from seroXen.
A remote access trojan called SeroXen and Python-based ransomware have also been found to target gamers. SeroXen has been found to use a commercial batch file obfuscation engine called ScrubCrypt (also known as BatCloak) to evade detection. There is proof that actors involved in SeroXen's development also worked on ScrubCrypt.

The malware has also been promoted on Discord, TikTok, Twitter, and YouTube.
It was first advertised for sale on a clearnet website that was registered on March 27, 2023, before it was shut down in late May. SeroXen has since made its way to illicit forums with a cracked version.

"People are strongly advised to adopt a skeptical stance when encountering links and software packages associated with terms such as "cheats," "hacks," "cracks," and other software related to gaining a competitive edge," Trend Micro noted in a recent analysis of SeroXen.

The development of low-barrier-to-entry FUD obfuscators is highlighted by the addition of SeroXen and BatCloak to the malware arsenal of malicious actors. By the standards of advanced threat actors, these developers are amateurs when it comes to using social media for aggressive promotion, especially given how easy it is to track them down. ".