Newly Uncovered ThirdEye Windows-Based Malware Steals Sensitive Data

June 29, 2023 | Ravi Lakshmanan | Cyber Threat / Hacking


A previously undocumented Windows-based information stealer named ThirdEye has been discovered with the ability to collect sensitive data from infected hosts.

According to Fortinet FortiGuard Labs, which made the discovery, the malware was found in an executable file with the Russian name “CMK Правила оформления больничных листов.pdf.exe” (which translates to “CMK rules for issuing sick leave”), a double-extension name that disguises the executable as a PDF document.

It is currently unknown how this malware is delivered, but the nature of the decoy indicates that it is being used in phishing campaigns. The first ThirdEye sample was uploaded to VirusTotal on April 4, 2023, and had relatively few features.

Similar to other malware families of its kind, this evolving stealer is able to collect system metadata such as the BIOS release date and vendor, total and free disk space on the C drive, currently running processes, registered usernames, and volume information. The collected details are then sent to a command-and-control (C2) server.


A notable feature of this malware is that it uses the string “3rd_eye” to announce its presence to the C2 server.
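As an added example (not code from the article, from FortiGuard Labs, or from any of the researchers cited), the following Python detection logic turns two observable traits described above into checks over constructed telemetry: a document-like filename that actually ends in .exe, as with the “.pdf.exe” decoy, and the “3rd_eye” marker sent to the C2 server. The event layout, field names and the C2 hostname are assumptions made for this example.

```python
import json
import re

# A document-like name that really ends in .exe, as with the ".pdf.exe" decoy.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.exe$", re.IGNORECASE)
# Marker the article says ThirdEye sends to announce itself to the C2 server.
C2_MARKER = "3rd_eye"


def classify_event(event):
    """Return the names of the checks that fire for one telemetry event.

    Event layout is an assumption made for this example:
    {"type": "process", "image": "<path>"} or
    {"type": "http", "host": "...", "path": "...", "body": "..."}.
    """
    hits = []
    if event.get("type") == "process" and DOUBLE_EXT.search(event.get("image", "")):
        hits.append("double_extension_executable")
    if event.get("type") == "http":
        request = event.get("path", "") + " " + event.get("body", "")
        if C2_MARKER in request:
            hits.append("thirdeye_c2_marker")
    return hits


def scan_log(lines):
    """Scan JSON-lines telemetry; return (line_no, hits) for every flagged event."""
    findings = []
    for number, line in enumerate(lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        hits = classify_event(event)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample telemetry; the C2 host is a placeholder, not a real indicator.
SAMPLE_LOG = [
    r'{"type": "process", "image": "C:\\Users\\u1\\Downloads\\CMK Правила оформления больничных листов.pdf.exe"}',
    r'{"type": "process", "image": "C:\\Program Files\\Adobe\\Acrobat.exe"}',
    r'{"type": "http", "host": "c2.example.invalid", "path": "/gate", "body": "3rd_eye|WIN-HOST|user1"}',
    r'{"type": "http", "host": "www.example.org", "path": "/index.html", "body": ""}',
    "not json at all",
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```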

There is no indication that ThirdEye has been used in the wild. That said, given that the majority of the stealer artifacts were uploaded to VirusTotal from Russia, it is more likely that the malicious activity is targeting Russian-speaking organizations.

“While the malware is not considered sophisticated, it is designed to steal a variety of information from compromised machines that can be used as a springboard for future attacks,” Fortinet researchers said, adding that the data collected is “invaluable in understanding and narrowing down potential targets.”

The development comes as a trojanized installer for the popular Super Mario Bros. video game franchise, hosted on a sketchy torrent site, was found being used to distribute cryptocurrency miners and an open-source stealer written in C# called Umbral, which uses Discord webhooks to exfiltrate the targeted data.

“The combination of mining and theft leads to financial loss, severely degraded victim system performance, and depletes valuable system resources,” Thybulle said.

SeroXen infection chain

Video game users have also been targeted by Python-based ransomware and a remote access trojan called SeroXen, which has been found to use a commercial batch file obfuscation engine known as ScrubCrypt (aka BatCloak) to evade detection. There is evidence that an actor involved in the development of SeroXen also contributed to the creation of ScrubCrypt.


The malware was advertised for sale on a clearnet website registered on March 27, 2023, before it was shut down in late May, and was further promoted on Discord, TikTok, Twitter and YouTube. Cracked versions of SeroXen have since appeared on crime forums.

“We strongly advise skepticism when you come across links, software packages, or other software related to gaining a competitive edge related to terms such as ‘cheat’, ‘hack’, ‘crack’, etc.,” Trend Micro said in a new analysis of SeroXen.

“The addition of SeroXen and BatCloak to the malware arsenal of malicious actors highlights the evolution of FUD obfuscators with a low barrier to entry. The almost amateurish approach of using social media for aggressive promotion makes these attacks seem like novice developers by the standards of advanced threat actors.”
