Browsers and crypto wallets attacked by new information thief Bandit Stealer

Researchers have discovered a new, and probably novel, information-stealing malware, creatively named Bandit Stealer.

Threat hunters at Trend Micro only recently discovered the malware, but a thorough analysis of the program has already revealed how it operates, how it maintains persistence, and the data it attempts to steal.

The malware can be distributed in several ways, either through fake Word documents and other executable files or by posing as the installer of a well-known spam email generation tool. The latter suggests that Bandit Stealer could well be targeting other cybercriminals.

Bandit Stealer focuses on stealth and is able to determine whether it is running in a test environment or on a virtual machine or other sandboxed system. If it detects such an environment, it may change its behavior in an attempt to avoid detection or analysis.

The malware downloads a blacklist that identifies a variety of IP addresses, MAC addresses, and hardware IDs commonly seen in test environments.

“One of the MAC addresses provided in the blacklist, ‘00:0c:29’, corresponds to the OUI for VMware products such as virtual machines,” Trend Micro said in a blog post, “which is commonly used for malware and sandbox analysis.”
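The OUI check described above cuts both ways: an analysis environment whose adapters carry a virtual-machine OUI will be recognised by any sample that performs this kind of blacklist lookup. The script below is an added example (not code from Trend Micro or from the malware) that a sandbox operator can run against an adapter table to see which interfaces would trip such a list. The article names only the 00:0c:29 prefix; the 00:50:56 (VMware) and 08:00:27 (VirtualBox) entries are well-known VM OUIs added here for illustration, and the adapter table is constructed.

```python
"""Check which local MAC addresses would match a VM-OUI blocklist.

Added example, not Trend Micro's or Bandit Stealer's code. Run it on an
analysis VM: any adapter whose OUI is on such a list tells a sample that it
is being analysed, so that adapter should be given a non-virtual-looking
MAC before detonation.
"""
import re

# OUI -> vendor. The article names only 00:0c:29 (VMware). 00:50:56 (VMware)
# and 08:00:27 (VirtualBox) are well-known VM OUIs added here as illustration.
VM_OUIS = {
    "00:0c:29": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
}

_HEX_RE = re.compile(r"[0-9a-f]{12}")


def normalize_mac(mac: str):
    """Return a MAC as lowercase 'xx:xx:xx:xx:xx:xx', or None if malformed.

    Accepts colon, hyphen, Cisco dotted (0000.0c29.aabb) and bare-hex forms,
    so the same check works on output from ipconfig, ip link or a CMDB export.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX_RE.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str):
    """First three octets of a normalized MAC, or None if malformed."""
    norm = normalize_mac(mac)
    return norm[:8] if norm else None


def vm_vendor(mac: str):
    """Vendor name if the MAC's OUI is on the VM list, else None."""
    oui = oui_of(mac)
    return VM_OUIS.get(oui) if oui else None


def audit_adapters(adapters):
    """adapters: {interface name: mac}. Return [(name, mac, vendor)] per match."""
    hits = []
    for name, mac in adapters.items():
        vendor = vm_vendor(mac)
        if vendor:
            hits.append((name, normalize_mac(mac), vendor))
    return hits


# Constructed adapter table (not taken from a real host).
SAMPLE_ADAPTERS = {
    "Ethernet0": "00-0C-29-3A-7F-01",   # VMware OUI named in the article
    "Ethernet1": "0050.5612.ab34",      # second VMware OUI, Cisco dotted form
    "Wi-Fi": "3c:22:fb:10:20:30",       # ordinary hardware adapter
    "Loopback": "not-a-mac",            # malformed entry, skipped
}

if __name__ == "__main__":
    for name, mac, vendor in audit_adapters(SAMPLE_ADAPTERS):
        print(f"{name}: {mac} carries a {vendor} OUI; change it before detonating samples")
```

Only the adapters that would match are reported; a malformed entry is skipped rather than treated as a hit, so a noisy inventory export does not produce false findings.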

Although it currently targets only Windows machines, Bandit Stealer also includes some commands to kill processes on Linux machines, suggesting that the malware is still in a testing phase ahead of full cross-platform functionality.

Once it has detected and terminated various scanning- and detection-related processes, Bandit Stealer turns to maintaining persistence on the infected system. It does this by creating a registry entry that ensures the executable is relaunched even after a reboot.
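Persistence through a registry entry is one of the more reliably observable steps in this chain, because endpoint telemetry such as Sysmon records every value written under the autostart keys. The following is an added example (not code from Trend Micro or the article) of an audit over Sysmon Event ID 13 (RegistryEvent, value set) records. The article only says that the stealer "creates a registry entry" that relaunches it after reboot; that the entry lives under the Run/RunOnce keys is an assumption made here, as is the heuristic that an autostart target in a user-writable directory, or a process that registers itself, deserves a closer look. The event records are constructed.

```python
"""Audit Sysmon registry-value-set events for autostart persistence.

Added example, not from Trend Micro or the article. Input is a list of
constructed Sysmon Event ID 13 records whose fields (Image, TargetObject,
Details) follow Sysmon's RegistryEvent schema.
"""
import re

# Classic autostart keys. The article only says the stealer "creates a
# registry entry" so it restarts after reboot; Run/RunOnce is an assumption.
AUTOSTART_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE
)

# Directories an ordinary user can write to. A legitimate autostart entry
# usually points into Program Files or System32; one pointing here is worth
# a look. This is a triage heuristic, not proof of malice.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|ProgramData|Temp|Public)\\",
    re.IGNORECASE,
)


def _first_path(command: str) -> str:
    """Return the executable path from a Run-value command line.

    Handles a quoted path ("C:\\x y\\a.exe" /arg) and an unquoted one
    (C:\\x\\a.exe /arg). Sysmon reports the value data in `Details`.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def audit_registry_events(events):
    """Return one finding per value written under an autostart key.

    Each finding records which process wrote it, what will run at logon,
    and whether that looks suspicious under the heuristics above.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:  # 13 = RegistryEvent (Value Set)
            continue
        target = ev.get("TargetObject", "")
        if not AUTOSTART_RE.search(target):
            continue
        exe = _first_path(ev.get("Details", ""))
        reasons = []
        if USER_WRITABLE_RE.search(exe):
            reasons.append("autostart target in user-writable directory")
        if exe.lower() == ev.get("Image", "").lower():
            reasons.append("process registered itself to autostart")
        findings.append({
            "key": target,
            "writer": ev.get("Image", ""),
            "runs": exe,
            "suspicious": bool(reasons),
            "reasons": reasons,
        })
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # a self-registering binary dropped in Temp: the pattern the article describes
        "EventID": 13,
        "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
        "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\invoice",
        "Details": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
    },
    {   # an ordinary system autostart entry written by an installer
        "EventID": 13,
        "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
        "Details": r"C:\Windows\System32\SecurityHealthSystray.exe",
    },
    {   # registry write outside any autostart key: ignored
        "EventID": 13,
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "Details": "DWORD (0x00000001)",
    },
    {   # a process-creation event, not a registry event: ignored
        "EventID": 1,
        "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
    },
]

if __name__ == "__main__":
    for f in audit_registry_events(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"[{flag}] {f['key']} -> {f['runs']} (written by {f['writer']}); {', '.join(f['reasons'])}")
```

Every autostart write is returned, not only the suspicious ones, so the output doubles as an inventory of what will launch at the next logon; the `suspicious` flag only orders the triage.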

With the malware now safely installed and running unhindered, Bandit Stealer begins collecting a large amount of basic data, including the machine’s IP address and country code, operating system and storage details, and even the resolution at which the monitor is currently running. It can also access Telegram accounts, allowing threat actors to impersonate the victim and giving them access to private messages.

Bandit Stealer also collects data from a number of web browsers, including Google’s Chrome and Microsoft’s Edge, among many more. It can even steal saved credit card data and browser history.

Finally, it also looks for the presence of cryptocurrency wallets or related browser extensions. All collected data is then packed into a compressed file and sent to a Telegram server.

At the moment, Bandit Stealer is being heavily marketed on the dark web, with “limited monthly licenses available” and promises of more updates and modules to come.

So far, however, Trend researchers have found no evidence that any particular group makes use of the information stealer.

“As of this writing, we have not identified any active threat groups associated with this particular malware due to its recent emergence and limited data on its operation,” Trend said. “We have not observed traces of what the group may have been doing with the information it stole, as the malware is in its early stages.”

“However, the malware actor can potentially exploit them for purposes such as identity theft, financial gain, data breaches, credential stuffing attacks, and account takeover.”
