
A new stealthy information-stealing malware called Bandit Stealer has attracted the attention of cybersecurity researchers due to its ability to target numerous web browsers and cryptocurrency wallets.
“Because Bandit Stealer is developed using the Go programming language, it may be extended to other platforms, potentially enabling cross-platform compatibility,” Trend Micro said in a report on Friday.
The malware currently focuses on Windows, where it abuses a legitimate command-line tool, runas.exe, that lets users run programs as another user with different privileges.
The goal is to run with elevated, administrative privileges so that it can sidestep security measures and collect data extensively.
That said, Microsoft’s access-control mitigations against unauthorized use of the tool mean that an attempt to run the malware binary as an administrator still requires the necessary credentials to be supplied.
“By using the runas.exe command, users can run programs as an administrator or another user account with the appropriate privileges, providing a more secure environment for running critical applications or system-level tasks,” Trend Micro said.
“This utility is especially useful if your current user account does not have sufficient privileges to run a particular command or program.”
Bandit Stealer has built-in checks to determine whether it is running in a sandbox or virtual environment, and it terminates a list of blocklisted processes to hide its presence on infected systems.
It also establishes persistence by modifying the Windows Registry before beginning its data collection, which includes harvesting personal and financial data stored in web browsers and cryptocurrency wallets.
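The two behaviours described above, a binary in a user-writable directory re-launching itself through runas.exe and a Run-key write pointing back at that binary, are the kind of thing a detection engineer would hunt for in process-creation and registry telemetry. The following is an added illustration, not code from the Trend Micro report or from the malware itself: the Sysmon-style field names (EventID 1 for process creation, EventID 13 for registry value set), the sample events, the paths and the account names are all constructed assumptions for the example.

```python
import re

# Constructed sample telemetry, modelled loosely on Sysmon Event ID 1
# (process creation) and Event ID 13 (registry value set). Field names,
# paths and accounts are illustrative assumptions, not captured data.
SAMPLE_EVENTS = [
    # A binary in a user-writable directory re-launching itself via runas.exe
    r'EventID=1 Image=C:\Windows\System32\runas.exe '
    r'CommandLine="runas.exe /user:Administrator C:\Users\alice\AppData\Local\Temp\update.exe" '
    r'ParentImage=C:\Users\alice\AppData\Local\Temp\update.exe',
    # Legitimate admin use: runas launched from the shell against an installed tool
    r'EventID=1 Image=C:\Windows\System32\runas.exe '
    r'CommandLine="runas.exe /user:CORP\svc_backup C:\Tools\backup.exe" '
    r'ParentImage=C:\Windows\explorer.exe',
    # The same binary writing a Run key that points back at itself
    r'EventID=13 Image=C:\Users\alice\AppData\Local\Temp\update.exe '
    r'TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater '
    r'Details=C:\Users\alice\AppData\Local\Temp\update.exe',
    # Benign registry write by an installer, outside the Run keys
    r'EventID=13 Image="C:\Program Files\Vendor\setup.exe" '
    r'TargetObject=HKLM\Software\Vendor\Settings\Theme Details=dark',
]

# key=value pairs; a value may be double-quoted to allow embedded spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Directories an unprivileged user can write to. A program elevating itself
# from one of these is suspicious; an installed tool under Program Files is not.
USER_WRITABLE_RE = re.compile(r'\\(AppData|Temp|Downloads|Public|ProgramData)\\', re.I)
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\(Run|RunOnce)\\', re.I)
# Program passed to runas: everything after the /user:<account> argument.
RUNAS_TARGET_RE = re.compile(r'/user:\S+\s+"?([^"]+?)"?\s*$', re.I)


def parse_event(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}


def is_user_writable(path):
    return bool(USER_WRITABLE_RE.search(path))


def check_runas_elevation(ev):
    """Rule 1: runas.exe used to launch a program that lives in a
    user-writable directory, or launched by a parent that does."""
    if ev.get("EventID") != "1" or not ev.get("Image", "").lower().endswith("\\runas.exe"):
        return None
    m = RUNAS_TARGET_RE.search(ev.get("CommandLine", ""))
    target = m.group(1) if m else ""
    if is_user_writable(target) or is_user_writable(ev.get("ParentImage", "")):
        return {"rule": "runas_elevation_from_user_path", "target": target,
                "parent": ev.get("ParentImage", "")}
    return None


def check_run_key_persistence(ev):
    """Rule 2: a Run/RunOnce value written by, or pointing at, a binary in a
    user-writable directory."""
    if ev.get("EventID") != "13" or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    if is_user_writable(ev.get("Details", "")) or is_user_writable(ev.get("Image", "")):
        return {"rule": "run_key_persistence_user_path", "key": ev["TargetObject"],
                "value": ev.get("Details", "")}
    return None


RULES = (check_runas_elevation, check_run_key_persistence)


def analyze(lines):
    """Run every rule over every event; return the list of alerts raised."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Only the first and third constructed events fire; the administrator's own runas.exe call from explorer.exe and the installer's registry write do not. Because runas.exe always prompts for the target account's credentials, this telemetry records the attempt rather than a successful elevation, so in practice you would correlate the hit with the subsequent explicit-credential logon events (Windows Security event 4648) to tell the two apart.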
Bandit Stealer is said to be distributed through phishing emails that contain a dropper file that opens a seemingly harmless Microsoft Word attachment to create a distraction while causing an infection in the background.
Trend Micro said it also detected a fake installer for Heart Sender, a service that automates the process of sending spam emails and SMS messages to a large number of recipients, used to trick users into launching embedded malware.
The development comes after a cybersecurity firm discovered a Rust-based information stealer targeting Windows. It uses an attacker-controlled GitHub Codespaces webhook as an exfiltration channel to obtain the victim’s web browser credentials, credit cards, cryptocurrency wallets, and Steam and Discord tokens.
In a relatively uncommon tactic, the malware achieves persistence on the system by modifying the installed Discord client to inject JavaScript code designed to retrieve information from the application.
The findings follow the emergence of several strains of commodity stealer malware such as Luca, StrelaStealer, DarkCloud, WhiteSnake, and Invicta Stealer, some of which are propagated via spam emails and trojanized versions of popular software.
Another notable trend is the use of YouTube videos to promote cracked software through compromised channels with millions of subscribers.
The data collected by stealers can benefit their operators in a number of ways and can be exploited for purposes such as identity theft, financial gain, data breaches, credential stuffing attacks, and account takeover.
Stolen information can also be sold to other attackers, serving as the basis for subsequent attacks that can range from targeted campaigns to ransomware and extortion attacks.
These trends come as the malware-as-a-service (MaaS) market makes stealer malware readily available and lowers the barrier to entry for aspiring cybercriminals, underscoring that the category continues to evolve into a more serious threat.
Indeed, data collected by the Secureworks Counter Threat Unit (CTU) points to a “booming market for information stealers,” with the volume of stolen logs for sale on underground forums such as Russian Market rising 670% between June 2021 and May 2023.
“There are 5 million logs for sale on Russian Market, roughly 10 times more than on its closest forum rival, 2easy,” the company said.
“Russian Market is well-established among Russian cybercriminals and is widely used by threat actors around the world. Russian Market recently added logs from three new stealers, which suggests the site is actively adapting to the ever-changing e-crime landscape.”
Despite its increasing sophistication, the MaaS ecosystem is in a state of flux, with law enforcement actions pushing threat actors to sell their wares on Telegram.
“What we are seeing is an entire underground economy and supporting infrastructure built around information stealers, allowing relatively unskilled attackers to get involved, and potentially profitably,” said Don Smith, vice president of Secureworks CTU.
“Coordinated global action by law enforcement has had some impact, but cybercriminals are adept at restructuring their routes to market.”