Sunday, March 3, 2024
News

Bandit Malware Attacks 17 Browsers, FTP & Email Clients to Steal Credentials

Zscaler ThreatLabz recently tracked “Bandit Malware,” a new info stealer that appeared in April 2023 and snatched the following data from 17 browsers:-

Cookies

Logins

Credit cards

Bandit Stealer swipes credentials for FTP and email clients that are popular, and not only that even it also goes after desktop crypto wallets as well.

The malware, coded in Go (Golang), and the data that is stolen is sent to a C2 server through Telegram. Apart from this, the malware also has the ability to evade virtual environments and automated analysis tools stealthily.

Bandit Stealer Evades Analysis

The Bandit stealer evades both automated and manual analysis by employing several anti-analysis techniques. It leverages the procfs Golang library to gather process info and scans for the following process that awe have mentioned below:-

Xen

Vmware

VirtualBox

KVM

Sandbox

QEMU

jail

When a process matches these names, the Bandit info stealer automatically ends the execution, and the latest Bandit samples verify debugger presence using the Windows API through the following calls:-

IsDebuggerPresent

CheckRemoteDebuggerPresent

Bandit obtains UUID and screen dimensions by using the following WMIC commands:-

wmic csproduct get uuid

wmic desktopmonitor get screenheight, screenwidth

The gathered info aids threat actors in recognizing analysis setups. While to spot the virtual environments, trick the security vendors, and evade suspicion, the Bandit stealer makes use of a wide list of following things:-

IP addresses

MAC addresses

Computer names

User names

Process names

From the ‘api.ipify.org’ Bandit fetches the system’s external IP, and then from the Appendix, it fetches a list of blacklisted IP addresses to compare them with the system’s external IP.

Bandit steals MAC address via GetAdaptersAddresses Windows API, then checks it against an Appendix blacklist. If matched, Bandit exits, and the MACs linked to virtualization may be in the blacklist to evade sandboxes.

Apart from this, Bandit Stealer also obtains additional blacklists using “cmd /c net session” to verify the username and computer name of the victim.

By employing the CreateToolhelp32Snapshot Windows API, Bandit captures a process snapshot and scans it against a blacklist in the Appendix. If a blacklisted process is found running in memory, Bandit terminates.

Browsers Targeted

Here below we have mentioned all the browsers that are targeted by Bandit Stealer:-

Yandex Browser

Iridium Browser

7Star Browser

Vivaldi Browser

Google Chrome

Orbitum

Sputnik

uCozMedia

Microsoft Edge

Torch Web Browser

Kometa Browser

CentBrowser

BraveSoftware

Amigo Browser

Epic Privacy Browser

SeaMonkey browser

QupZilla

Cryptocurrency Wallets Targeted

Here below we have mentioned all the cryptocurrency wallets that are targeted by Bandit Stealer:-

Coinbase wallet extension

Saturn Wallet extension

Binance chain wallet extension

Coin98 Wallet

TronLink Wallet

multibit Bitcoin

Terra Station

Electron Cash

Guildwallet extension

Electrum-btcp

MetaMask extension

Bither Bitcoin wallet

ronin wallet extension

multidoge coin

Kardiachain wallet extension

LiteCoin

Jaxx liberty Wallet

Dash Wallet

Math Wallet extension

Ethereum

Bitpay wallet extension

Exodus

Nifty Wallet extension

Atomic

Armory

Bytecoin Wallet

Coinomi wallet

Monero wallet

dogecoin

FTP client apps targeted

Here below, we have mentioned all the FTP client applications that Bandit Stealer targets:-

BlazeFTP

NovaFTP

Staff-FTP

EasyFTP

DeluxeFTP

ALFTP

GoFTP

32BitFtp

Email Clients Targeted

Here below we have mentioned all the email clients that the Bandit stealer targets:-

MailSpring

Mailbird

Opera Mail

Pocomail

Stolen data resides in files within a sub-folder in the %appdata%local directory, and the sub-folder name follows [country_code][ip_address] format.

Information collected by Bandit Stealer (Source – Zscaler)

While the file, USERINFO.txt carries Bandit Stealer header and system info.

USERINFO contents (Source – Zscaler)

Bandit leverages Windows 10 v1803’s default cURL utility for versatile data transfer via several standards like:-

HTTP

FTP

SMTP

Moreover, from a hardcoded URL, it downloads the blacklist configuration information by abusing the “pastebin.com”.

Downloaded Bandit Stealer blacklist configuration (Source – Zscaler)

Bandit dispatches this information through Telegram to the threat actor once the data collection concludes.

Automated parsing and data extraction by the Bandit threat actor results in a JSON-encoded response.

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.

The post Bandit Malware Attacks 17 Browsers, FTP & Email Clients to Steal Credentials appeared first on Cyber Security News.

   Read More 

Cyber Security News