Bandit Malware Attacks 17 Browsers, FTP & Email Clients to Steal Credentials
Zscaler ThreatLabz recently tracked “Bandit Malware,” a brand new data stealer that appeared in April 2023 and snatched the following records from 17 browsers:-
- Cookies
- Logins
- Credit cards
Bandit Stealer also swipes credentials for FTP and email clients, and not only that: it goes after desktop crypto wallets as well.
The malware is coded in Go (Golang), and the stolen data is sent to a C2 server via Telegram. In addition to this, the malware also has the ability to stealthily evade virtual environments and automated analysis tools.
Bandit Stealer Evades Analysis
The Bandit stealer evades both automated and manual analysis by using several anti-analysis techniques. It leverages the procfs Golang library to acquire process information and scans for the following processes, which are mentioned below:-
- Xen
- Vmware
- VirtualBox
- KVM
- Sandbox
- QEMU
- penitentiary
When a process matches one of these names, the Bandit data stealer automatically ends its execution, and the latest Bandit samples check for debugger presence using the Windows API via the following calls:-
- IsDebuggerPresent
- CheckRemoteDebuggerPresent
Bandit obtains the UUID and screen dimensions by using the following WMIC commands:-
- wmic csproduct get uuid
- wmic desktopmonitor get screenheight, screenwidth
The gathered data aids threat actors in recognizing analysis setups. To identify virtual environments, trick security vendors, and evade suspicion, the Bandit stealer uses a large blacklist of the following items:-
- IP addresses
- MAC addresses
- Computer names
- User names
- Process names
From ‘api.ipify.org’ Bandit fetches the system’s external IP, after which, from the Appendix, it fetches a list of blacklisted IP addresses to compare them with the system’s external IP.
Bandit steals the MAC address via the GetAdaptersAddresses Windows API, then checks it against an Appendix blacklist. If matched, Bandit exits; the MACs linked to virtualization are likely to be in the blacklist in order to evade sandboxes.
In addition to this, Bandit Stealer also obtains additional blacklists using “cmd /c net session” to check the username and computer name of the victim.
Using the CreateToolhelp32Snapshot Windows API, Bandit captures a process snapshot and scans it against a blacklist in the Appendix. If a blacklisted process is found running in memory, Bandit terminates.
Browsers Targeted
Here below we have mentioned all of the browsers that are targeted by Bandit Stealer:-
- Yandex Browser
- Iridium Browser
- 7Star Browser
- Vivaldi Browser
- Google Chrome
- Orbitum
- Sputnik
- uCozMedia
- Microsoft Edge
- Torch Internet Browser
- Kometa Browser
- CentBrowser
- BraveSoftware
- Amigo Browser
- Epic Privacy Browser
- SeaMonkey browser
- QupZilla
Cryptocurrency Wallets Targeted
Here below we have mentioned all of the cryptocurrency wallets that are targeted by Bandit Stealer:-
- Coinbase wallet extension
- Saturn Wallet extension
- Binance chain wallet extension
- Coin98 Wallet
- TronLink Wallet
- multibit Bitcoin
- Terra Station
- Electron Cash
- Guildwallet extension
- Electrum-btcp
- MetaMask extension
- Bither Bitcoin wallet
- ronin wallet extension
- multidoge coin
- Kardiachain wallet extension
- LiteCoin
- Jaxx liberty Wallet
- Slope Wallet
- Math Wallet extension
- Ethereum
- Bitpay wallet extension
- Exodus
- Nifty Wallet extension
- Atomic
- Armory
- Bytecoin Wallet
- Coinomi wallet
- Monero wallet
- dogecoin
FTP Client Apps Targeted
Here below, we have mentioned all of the FTP client applications that Bandit Stealer targets:-
- BlazeFTP
- NovaFTP
- Staff-FTP
- EasyFTP
- DeluxeFTP
- ALFTP
- GoFTP
- 32BitFtp
Email Clients Targeted
Here below we have mentioned all of the email clients that the Bandit stealer targets:-
- MailSpring
- Mailbird
- Opera Mail
- Pocomail
Stolen data resides in files inside a sub-folder in the %appdata%local directory, and the sub-folder name follows the [country_code][ip_address] format.
The file USERINFO.txt contains the Bandit Stealer header and system information.
Bandit leverages the cURL utility that ships by default with Windows 10 v1803 for versatile data transfer via several protocols like:-
- HTTP
- FTP
- SMTP
Furthermore, it downloads the blacklist configuration files from a hardcoded URL, abusing “pastebin.com” as the hosting location.
Bandit dispatches this data via Telegram to the threat actor once data collection concludes.
Automated parsing and data extraction by the Bandit threat actor results in a JSON-encoded response.
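The anti-analysis and staging behaviour described above leaves a recognisable footprint in endpoint telemetry: the two WMIC queries, the "cmd /c net session" lookup, and the lookups of api.ipify.org and pastebin.com all come from one parent process within a short window. The following is an added detection example written for this article (not code from Zscaler or from the malware); the event shape and the sample telemetry are constructed, and the tag names are this example's own.

```python
import re
from collections import defaultdict

# Command lines the article attributes to Bandit Stealer's reconnaissance phase.
RECON_PATTERNS = {
    "wmic_uuid": re.compile(r"\bwmic\s+csproduct\s+get\s+uuid\b", re.I),
    "wmic_screen": re.compile(
        r"\bwmic\s+desktopmonitor\s+get\s+screenheight\s*,\s*screenwidth\b", re.I),
    "net_session": re.compile(r"\bcmd(?:\.exe)?\s+/c\s+net\s+session\b", re.I),
}
# Hosts the article ties to the external-IP check and the pastebin blacklist fetch.
NETWORK_INDICATORS = {
    "api.ipify.org": "external_ip_lookup",
    "pastebin.com": "blacklist_config_fetch",
}

# Constructed sample telemetry (assumed schema: process-creation events carry
# "cmdline", DNS events carry "dns"; both carry the parent process id).
SAMPLE_EVENTS = [
    {"parent_pid": 4120, "parent": "updater.exe", "cmdline": "wmic csproduct get uuid"},
    {"parent_pid": 4120, "parent": "updater.exe",
     "cmdline": "wmic desktopmonitor get screenheight, screenwidth"},
    {"parent_pid": 4120, "parent": "updater.exe", "cmdline": "cmd /c net session"},
    {"parent_pid": 4120, "parent": "updater.exe", "dns": "api.ipify.org"},
    {"parent_pid": 4120, "parent": "updater.exe", "dns": "pastebin.com"},
    # A lone WMIC query from an admin shell should not trip the detection on its own.
    {"parent_pid": 7781, "parent": "explorer.exe", "cmdline": "wmic csproduct get uuid"},
    {"parent_pid": 7781, "parent": "explorer.exe", "cmdline": "notepad.exe report.txt"},
]


def tag_event(event: dict) -> set[str]:
    """Return the indicator tags one event matches (empty set if nothing matches)."""
    tags = set()
    cmd = event.get("cmdline", "")
    tags.update(tag for tag, pat in RECON_PATTERNS.items() if pat.search(cmd))
    host = event.get("dns", "").lower()
    if host in NETWORK_INDICATORS:
        tags.add(NETWORK_INDICATORS[host])
    return tags


def score_parents(events, threshold: int = 3) -> dict[int, set[str]]:
    """Group indicator tags by parent process and return only parents whose
    children tripped at least `threshold` distinct indicators; a single WMIC
    query is common admin activity, the full cluster is not."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["parent_pid"]] |= tag_event(ev)
    return {pid: tags for pid, tags in seen.items() if len(tags) >= threshold}
```

Running `score_parents(SAMPLE_EVENTS)` flags only parent 4120, with all five tags; the threshold keeps the isolated admin query under 7781 out of the alert.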
Source credit : cybersecuritynews.com