Zscaler ThreatLabz recently tracked “Bandit Malware,” a new info stealer that appeared in April 2023 and snatched the following data from 17 browsers:-
Bandit Stealer swipes credentials from popular FTP and email clients, and it also goes after desktop crypto wallets.
The malware is coded in Go (Golang), and the stolen data is sent to a C2 server through Telegram. Apart from this, the malware can also stealthily evade virtual environments and automated analysis tools.
Bandit Stealer Evades Analysis
The Bandit stealer evades both automated and manual analysis by employing several anti-analysis techniques. It leverages the procfs Golang library to gather process info and scans for the following processes:-
When a running process matches one of these names, the Bandit info stealer automatically terminates. The latest Bandit samples also check for the presence of a debugger through the following Windows API calls:-
Bandit obtains UUID and screen dimensions by using the following WMIC commands:-
wmic csproduct get uuid
wmic desktopmonitor get screenheight, screenwidth
The gathered info helps the threat actors recognize analysis setups. To spot virtual environments, trick security vendors, and evade suspicion, the Bandit stealer uses the following checks:-
Bandit fetches the system’s external IP from ‘api.ipify.org’ and compares it with a list of blacklisted IP addresses taken from the Appendix.
Bandit retrieves the MAC address via the GetAdaptersAddresses Windows API and checks it against a blacklist in the Appendix. If it matches, Bandit exits; MAC addresses linked to virtualization may be on that blacklist so that the stealer avoids running in sandboxes.
Apart from this, Bandit Stealer also obtains additional blacklists and uses “cmd /c net session” to verify the victim’s username and computer name.
Using the CreateToolhelp32Snapshot Windows API, Bandit takes a snapshot of running processes and compares it against a process blacklist in the Appendix. If a blacklisted process is found running in memory, Bandit terminates.
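As an added example (not from the Zscaler report or this article), the fingerprinting commands quoted above can be turned into detection logic: the Python below runs over constructed Sysmon-style process-creation events and flags any parent process that spawns two or more of the WMIC/net session commands within a short window, which is a stronger signal than any single command on its own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines this article attributes to Bandit's environment fingerprinting.
# Case and whitespace are normalised so "WMIC  csproduct GET uuid" still matches.
RECON_PATTERNS = {
    "wmic_uuid": re.compile(r"\bwmic\b.*\bcsproduct\b.*\bget\b.*\buuid\b", re.I),
    "wmic_screen": re.compile(r"\bwmic\b.*\bdesktopmonitor\b.*\bget\b.*\bscreen(height|width)\b", re.I),
    "net_session": re.compile(r"\bcmd(\.exe)?\b.*/c\s+net\s+session\b", re.I),
}

# Constructed process-creation events (field names mimic Sysmon Event ID 1; not real telemetry).
SAMPLE_EVENTS = [
    {"Host": "WS01", "UtcTime": "2023-05-02T09:14:03", "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "CommandLine": "wmic csproduct get uuid"},
    {"Host": "WS01", "UtcTime": "2023-05-02T09:14:04", "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "CommandLine": "wmic desktopmonitor get screenheight, screenwidth"},
    {"Host": "WS01", "UtcTime": "2023-05-02T09:14:05", "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "CommandLine": "cmd /c net session"},
    # A lone inventory query from an admin shell: one pattern only, should not alert by default.
    {"Host": "WS02", "UtcTime": "2023-05-02T11:02:40", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "wmic csproduct get uuid"},
    # Two patterns from the same parent but ten minutes apart: outside the window, no alert.
    {"Host": "WS03", "UtcTime": "2023-05-02T12:00:00", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "wmic csproduct get uuid"},
    {"Host": "WS03", "UtcTime": "2023-05-02T12:10:00", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "wmic desktopmonitor get screenheight, screenwidth"},
]

def detect_recon_bursts(events, window=timedelta(seconds=60), min_patterns=2):
    """Group matching events by (host, parent image) and report each parent that
    issues at least `min_patterns` distinct fingerprinting commands within `window`."""
    per_parent = defaultdict(list)
    for ev in events:
        for name, pat in RECON_PATTERNS.items():
            if pat.search(ev["CommandLine"]):
                per_parent[(ev["Host"], ev["ParentImage"])].append(
                    (datetime.fromisoformat(ev["UtcTime"]), name))
    findings = []
    for (host, parent), hits in per_parent.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {n for t, n in hits[i:] if t - t0 <= window}
            if len(seen) >= min_patterns:
                findings.append({"host": host, "parent": parent, "patterns": sorted(seen)})
                break
    return findings
```

The window and threshold are assumptions to tune against local telemetry; real hosts running inventory scripts will generate the single-command case routinely.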
The browsers targeted by Bandit Stealer are listed below:-
Torch Web Browser
Epic Privacy Browser
Cryptocurrency Wallets Targeted
The cryptocurrency wallets targeted by Bandit Stealer are listed below:-
Coinbase wallet extension
Saturn Wallet extension
Binance chain wallet extension
Bither Bitcoin wallet
Ronin wallet extension
Kardiachain wallet extension
Jaxx liberty Wallet
Math Wallet extension
Bitpay wallet extension
Nifty Wallet extension
FTP client apps targeted
The FTP client applications targeted by Bandit Stealer are listed below:-
Email Clients Targeted
The email clients targeted by the Bandit stealer are listed below:-
Stolen data is written to files in a sub-folder of the %appdata%local directory, and the sub-folder name follows the [country_code][ip_address] format.
The file USERINFO.txt carries the Bandit Stealer header and the system info.
Bandit leverages the cURL utility that ships by default with Windows 10 v1803 for data transfer over several protocols, such as:-
Moreover, it downloads the blacklist configuration from a hardcoded URL, abusing “pastebin.com” as the hosting location.
Bandit dispatches this information through Telegram to the threat actor once the data collection concludes.
Automated parsing and data extraction by the Bandit threat actor results in a JSON-encoded response.
The post Bandit Malware Attacks 17 Browsers, FTP & Email Clients to Steal Credentials appeared first on Cyber Security News.