A new stealth information-stealing malware called bandit bandit has attracted the attention of cybersecurity researchers due to its ability to target numerous web browsers and cryptocurrency wallets.
โBecause Bandit Stealer is developed using the Go programming language, it can be extended to other platforms, potentially enabling cross-platform compatibility,โ said Trend Micro. Said in Friday’s report.
This malware is currently focused on targeting Windows using a legitimate command-line tool called “. runas.exe This allows users to run programs as another user with different privileges.
The goal is to run with elevated privileges and with administrative access, effectively bypassing security measures and collecting extensive data.
That said, Microsoft’s access control mitigation to prevent unauthorized execution of the tool means that it will attempt to execute malware binaries as it requires administrators to provide the necessary credentials.
“By using the runas.exe command, users can run programs as an administrator or other user account with appropriate privileges, provide a more secure environment for running critical applications, and reduce system level tasks,” Trend Micro said.
“This utility is especially useful if your current user account does not have sufficient privileges to run a particular command or program.”
Bandit Stealer has built-in checks to determine if it is running in a sandbox or virtual environment and terminates the list of blocklisted processes to hide its presence on infected systems .
It also establishes persistence by modifying the Windows Registry before initiating data collection activities such as collecting personal and financial data stored in web browsers and cryptocurrency wallets.
Bandit Stealer is said to be distributed through phishing emails that contain a dropper file that opens a seemingly harmless Microsoft Word attachment to create a distraction while causing an infection in the background.
Trend Micro said it also detected a fake installer for Heart Sender, a service that automates the process of sending spam emails and SMS messages to a large number of recipients, used to trick users into launching embedded malware.
The development came after a cybersecurity firm discovered a Rust-based information stealer targeting Windows. use The GitHub Codespaces webhook is controlled by the attacker as an exfiltration channel to obtain victim’s web browser credentials, credit cards, cryptocurrency wallets, Steam and Discord tokens.
This malware uses a relatively uncommon tactic to achieve sustainability It does this on your system by modifying your installed Discord client to insert JavaScript code designed to retrieve information from your application.
This discovery also some strains Kind of like a product theft malware LukeStrea Stealer, dark clouds, white snakeand Invicta Steelersome of which are observed propagate via spam or bad version of popular software.
Another notable trend is YouTube video To promote cracked software through compromised channels with millions of subscribers.
Data collected by stealers can benefit businesses in a number of ways and can be exploited for purposes such as identity theft, financial gain, data breaches, credential stuffing attacks, and account takeover.
Zero Trust + Deception: Learn How to Outsmart Attackers!
See how Deception can detect advanced threats, stop lateral movement, and strengthen your Zero Trust strategy. Join us for an insightful webinar!
Stolen information can also be sold to other attackers, serving as the basis for subsequent attacks that can range from targeted campaigns to ransomware and extortion attacks.
These trends are just as the malware-as-a-service (MaaS) market is making stealer malware more readily available and lowering the barriers to entry for aspiring cybercriminals, making stealer malware more lethal. It highlights that it is continuously evolving into a serious threat.
In fact, data collected by the Secureworks Counter Threat Unit (CTU) clearly The volume of logs stolen in underground forums like the Russian market has recorded a 670% surge between June 2021 and May 2023, making it a “bustling market for information theft.”
“There are 5 million logs for sale on the Russian market, which is about 10 times more than its closest rival on the forum, 2easy,” the company said.
โRussian Market is well-established among Russian cybercriminals and is widely used by threat actors around the world. Russian Market recently added logs from three new thieves. It suggests that the site is actively adapting to the ever-changing electronic crime landscape.”
Despite its increasing sophistication, the MaaS ecosystem is in a state of flux, with law enforcement actions encouraging threat actors to sell their warware on Telegram.
โWhat we are seeing is an entire underground economy and support for infrastructure built around information stealers, allowing relatively unskilled attackers to engage as well as can also potentially be profitable,โ said Don Smith, Vice President of Secureworks CTU. Said.
โCoordinated global action by law enforcement has had some impact, but cybercriminals are adept at restructuring their routes to market.โ
