Bandit Malware Attacks 17 Browsers, FTP & Email Clients to Steal Credentials

by Esmeralda McKenzie

Bandit Malware Attacks 17 Browsers

Zscaler ThreatLabz recently tracked “Bandit Stealer,” a new information stealer that appeared in April 2023 and steals the following data from 17 browsers:-

  • Cookies
  • Logins
  • Credit cards

Bandit Stealer also swipes credentials for legitimate FTP and email clients, and it goes after desktop cryptocurrency wallets as well.

The malware is coded in Go (Golang), and the stolen data is sent to a C2 server via Telegram. In addition, the malware can stealthily evade virtual environments and automated analysis tools.

Bandit Stealer Evades Analysis

The Bandit stealer evades both automated and manual analysis by using several anti-analysis techniques. It leverages the procfs Golang library to acquire process information and scans for the following process names:-

  • Xen
  • Vmware
  • VirtualBox
  • KVM
  • Sandbox
  • QEMU
  • jail

When a process matches one of these names, the Bandit data stealer immediately ends execution. The latest Bandit samples also check for the presence of a debugger using the following Windows API calls:-

  • IsDebuggerPresent
  • CheckRemoteDebuggerPresent

Bandit obtains the system UUID and screen dimensions using the following WMIC commands:-

  • wmic csproduct get uuid
  • wmic desktopmonitor get screenheight, screenwidth

The gathered data helps the threat actor recognize analysis setups. To detect virtual environments, trick security vendors, and evade suspicion, the Bandit stealer uses a large blacklist of the following items:-

  • IP addresses
  • MAC addresses
  • Computer names
  • Usernames
  • Process names

Bandit fetches the system’s external IP address from ‘api.ipify.org’ and then retrieves a list of blacklisted IP addresses from the Appendix to compare against it.

Bandit retrieves the MAC address via the GetAdaptersAddresses Windows API and checks it against a blacklist in the Appendix. If it matches, Bandit exits; MAC addresses associated with virtualization are likely to be on the blacklist so that the stealer can evade sandboxes.

In addition, Bandit Stealer obtains further blacklists and uses “cmd /c net session” to check the username and computer name of the victim.

Using the CreateToolhelp32Snapshot Windows API, Bandit takes a snapshot of running processes and scans it against a blacklist in the Appendix. If a blacklisted process is found running in memory, Bandit terminates.

Browsers Targeted

Listed below are all the browsers targeted by Bandit Stealer:-

  • Yandex Browser
  • Iridium Browser
  • 7Star Browser
  • Vivaldi Browser
  • Google Chrome
  • Orbitum
  • Sputnik
  • uCozMedia
  • Microsoft Edge
  • Torch Internet Browser
  • Kometa Browser
  • CentBrowser
  • BraveSoftware
  • Amigo Browser
  • Epic Privacy Browser
  • SeaMonkey browser
  • QupZilla

Cryptocurrency Wallets Targeted

Listed below are all the cryptocurrency wallets targeted by Bandit Stealer:-

  • Coinbase wallet extension
  • Saturn Wallet extension
  • Binance chain wallet extension
  • Coin98 Wallet
  • TronLink Wallet
  • multibit Bitcoin
  • Terra Space
  • Electron Cash
  • Guildwallet extension
  • Electrum-btcp
  • MetaMask extension
  • Bither Bitcoin wallet
  • ronin wallet extension
  • multidoge coin
  • Kardiachain wallet extension
  • LiteCoin
  • Jaxx liberty Wallet
  • Slump Wallet
  • Math Wallet extension
  • Ethereum
  • Bitpay wallet extension
  • Exodus
  • Nifty Wallet extension
  • Atomic
  • Armory
  • Bytecoin Wallet
  • Coinomi wallet
  • Monero wallet
  • dogecoin

FTP Client Apps Targeted

Listed below are all the FTP client applications that Bandit Stealer targets:-

  • BlazeFTP
  • NovaFTP
  • Staff-FTP
  • EasyFTP
  • DeluxeFTP
  • ALFTP
  • GoFTP
  • 32BitFtp

Email Clients Targeted

Listed below are all the email clients that the Bandit stealer targets:-

  • MailSpring
  • Mailbird
  • Opera Mail
  • Pocomail

Stolen data resides in files inside a sub-folder in the %appdata%local directory, and the sub-folder name follows the [country_code][ip_address] format.

Data collected by Bandit Stealer (Source – Zscaler)

The file USERINFO.txt carries the Bandit Stealer header and system information.

USERINFO contents (Source – Zscaler)

Bandit leverages the cURL utility that ships by default with Windows 10 v1803 for versatile data transfer over several protocols, such as:-

  • HTTP
  • FTP
  • SMTP

Furthermore, it downloads the blacklist configuration data from a hardcoded URL, abusing “pastebin.com” to host it.

Downloaded Bandit Stealer blacklist configuration (Source – Zscaler)

Once data collection concludes, Bandit dispatches the data to the threat actor via Telegram.

Automated parsing and data extraction on the threat actor’s side results in a JSON-encoded response.
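The anti-analysis checks and the cURL-based fetches described above leave a recognizable trail in process-creation telemetry: the two WMIC queries, a cURL request to api.ipify.org and a cURL request to pastebin.com. The following detection logic is an added example written for this article, not code from Zscaler or from the malware; the log format, the sample events, the rule weights and the alert threshold are all constructed assumptions, and the Pastebin path is a placeholder.

```python
import re

# Constructed process-creation events in a hypothetical "<image> | <command line>"
# format; sample input for this example, not data from the Zscaler report.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\wbem\WMIC.exe | wmic csproduct get uuid",
    r"C:\Windows\System32\wbem\WMIC.exe | wmic desktopmonitor get screenheight, screenwidth",
    r"C:\Windows\System32\curl.exe | curl -s https://api.ipify.org",
    r"C:\Windows\System32\curl.exe | curl -s https://pastebin.com/raw/PLACEHOLDER_ID",
    r"C:\Windows\System32\notepad.exe | notepad report.txt",
]
# A lone WMIC inventory query from an admin script should not fire the alert.
BENIGN_EVENTS = [
    r"C:\Windows\System32\wbem\WMIC.exe | wmic csproduct get uuid",
    r"C:\Windows\System32\notepad.exe | notepad report.txt",
]

# Detection rules: (name, pattern over the command line, weight). The weights and the
# alert threshold are assumptions chosen for this example, not a published scheme.
RULES = [
    ("wmic_csproduct_uuid", re.compile(r"\bwmic\s+csproduct\s+get\s+uuid\b", re.I), 1),
    ("wmic_desktopmonitor_screen", re.compile(r"\bwmic\s+desktopmonitor\s+get\s+screenheight\b", re.I), 1),
    ("curl_ipify", re.compile(r"\bcurl\b.*\bapi\.ipify\.org\b", re.I), 2),
    ("curl_pastebin", re.compile(r"\bcurl\b.*\bpastebin\.com\b", re.I), 2),
]
ALERT_THRESHOLD = 4


def match_rules(events):
    """Return the set of rule names whose pattern matches any event's command line."""
    hits = set()
    for event in events:
        _image, _, cmdline = event.partition(" | ")
        for name, pattern, _weight in RULES:
            if pattern.search(cmdline):
                hits.add(name)
    return hits


def detect(events):
    """Score one host's events; alert only when several distinct indicators co-occur,
    which is what separates the stealer's fingerprinting burst from routine WMIC use."""
    hits = match_rules(events)
    score = sum(weight for name, _p, weight in RULES if name in hits)
    return {"rules": sorted(hits), "score": score,
            "alert": score >= ALERT_THRESHOLD and len(hits) >= 3}


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
    print(detect(BENIGN_EVENTS))
```

In production the events would be grouped per host and per short time window before scoring, since the stealer issues these commands in quick succession at start-up.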

Source credit : cybersecuritynews.com
