New Editbot Stealer in Action; Stealing Browser Passwords & Cookies

by Esmeralda McKenzie
New Editbot Stealer in Action; Stealing Browser Passwords & Cookies

New Editbot Stealer in Action; Stealing Browser Passwords & Cookies

Fresh Editbot Stealer in Movement; Stealing Browser Passwords & Cookies

A brand recent malicious advertising and marketing and marketing and marketing campaign, Editbot Stealer, used to be discovered wherein threat actors utilize WinRAR archive info with minimal detection to originate a multi-stage assault. Risk actors had been the utilization of the theme of “atrocious product to be sent back” to entice users to their false web sites.

On the opposite hand, the malicious WinRAR archive pale by the threat actors contains a .bat file and a JSON file for initial stage assaults, adopted by some Powershell commands for additional stages. The distribution of these malicious info used to be accomplished via social media.

EHA

Editbot Stealer in Movement

Initial Gain entry to & Persistence

In line with the studies shared with Cyber Safety News, the BAT file pale in the initial stages of the assault goes by the title “Screenshot Product Photo Sample.bat” containing a few Powershell commands for downloading and executing additional payloads.

RAR file containing the BAT and JSON info (Offer: Cyble)
RAR file containing the BAT and JSON info (Offer: Cyble)

The main PowerShell declare within the BAT file downloads any other BAT file from Gitlab and saves it below the title “WindowsSecure.bat” in the startup folder for chronic execution. This BAT file is pale to customarily attain the Python stealer, which is downloaded later in the assault stage.

The second PowerShell declare retrieves a ZIP file named “File.zip” from the the same GitLab repository and saves it in the C:CustomersPublic list. The third powershell declare extracts this ZIP file into the C:CustomersPublicPaperwork list containing the python stealer “libb1.py”.

Working of the Python Stealer – Editbot

The Python stealer contains sophisticated programming code that performs lots of functions, including extracting the country code, IP address, and timestamp of the victims, alongside with the credential-stealing actions linked to lots of browsers.

This stealer extracts a few gadgets of data, equivalent to cookies, login data, web data, and local divulge, from the browser profile folder and retail outlets them within the %temp% folder. The whole stolen info is saved in a textual scream file named “budge.txt”.

After amassing the general info from the sufferer, the stealer creates a ZIP archive of the general extracted info and retail outlets them within the the same %temp% list. To exfiltrate this info, the threat actors relish living up telegram bots.

Furthermore, a whole document referring to the Editbot stealer has been printed, which presents detailed info on the source code, extraction blueprint, and other info.

Indicators of Compromise

Indicators Indicator Form Main aspects
fd8391a1a0115880e8c3ee2e76fbce741f1b3c5fbcb728b9fac37c21e9f6d7b7 feff390b99dfe7619a20748582279bc13c04f52aca5bee4607ddd920729e5c2b4fc89bbc SHA256 SHA1MD5 Screenshot-Product-Photo-Sample_25929.rar
d13aba752f86757de6628e833f4fdf4c625f480056e93b919172e9c309448b80 18e96d94089086848a0569a1e1d8051da0f6f444e9e4cd111cadcf94c469365354df3fdc SHA256 SHA1MD5 Screenshot Product Photo Sample.bat
3f7bd47fbbf1fb0a63ba955c8f9139d6500b6737e5baf5fdb783f0cedae94d6d eed59a282588778ffbc772085b03d229a5d99e35669e7ac187fb57c4d90b07d9a6bb1d42 SHA256 SHA1MD5 Python stealer (libb1.py)
9d048e99bed4ced4f37d91a29763257a1592adb2bc8e17a66fa07a922a0537d0 93d70f02b2ee2c4c2cd8262011ed21317c7d92def23465088d26e90514b5661936016c05 SHA256 SHA1MD5 product-_img_2023-12_86-13a30f_13373.rar
bc3993769a5f82e454acef92dc2362c43bf7d6b6b203db7db8803faa996229aa cf019e96e16fdaa504b29075aded36be27691956c3a447c5c6c73d80490347c1b4afe9d5 SHA256 SHA1MD5 record – photo_product _2023-12_86-13a30ff503fd6638c5863dta.bat

Source credit : cybersecuritynews.com

Related Posts