Bandit Malware Attacks 17 Browsers, FTP & Email Clients to Steal Credentials

Bandit Malware Attacks 17 Browsers, FTP & Email Clients to Steal Credentials

Zscaler ThreatLabz recently tracked “Bandit Malware,” a new info stealer that appeared in April 2023 and snatched the following data from 17 browsers:-

Cookies

Read moreBuilding cyber skills and roles from CyBOK foundations

Logins

Credit cards

Read moreAccessibility as a cyber security priority

Bandit Stealer swipes credentials for FTP and email clients that are popular, and not only that even it also goes after desktop crypto wallets as well.

The malware, coded in Go (Golang), and the data that is stolen is sent to a C2 server through Telegram. Apart from this, the malware also has the ability to evade virtual environments and automated analysis tools stealthily.

Bandit Stealer Evades Analysis

Read moreNew interactive video - and related downloads - to help secondary school kids stay safe online

The Bandit stealer evades both automated and manual analysis by employing several anti-analysis techniques. It leverages the procfs Golang library to gather process info and scans for the following process that awe have mentioned below:-

Xen

Read moreNigerian Cybercrime Ring's Phishing Tactics Exposed

Vmware

VirtualBox

Read moreS3 Ep135: Sysadmin by day, extortionist by night

KVM

Sandbox

Read moreUS offers $10m bounty for Russian ransomware suspect outed in indictment

QEMU

jail

Read moreBelkin Wemo Smart Plug V2 – the buffer overflow that won’t be patched

When a process matches these names, the Bandit info stealer automatically ends the execution, and the latest Bandit samples verify debugger presence using the Windows API through the following calls:-

IsDebuggerPresent

Read moreZut alors! Raclage crapuleux! Clearview AI in 20% more trouble in France

CheckRemoteDebuggerPresent

Bandit obtains UUID and screen dimensions by using the following WMIC commands:-

Read moreHeads Up CEO! Cyber Risk Influences Company Credit Ratings

wmic csproduct get uuid

wmic desktopmonitor get screenheight, screenwidth

Read moreCISA, NSA Issue New IAM Best Practice Guidelines

The gathered info aids threat actors in recognizing analysis setups. While to spot the virtual environments, trick the security vendors, and evade suspicion, the Bandit stealer makes use of a wide list of following things:-

IP addresses

Read more6 Ways to Mitigate Risk While Expanding Access

MAC addresses

Computer names

Read moreHypervisors and Ransomware: Defending Attractive Targets

User names

Process names

Read moreNIST Launches Cybersecurity Initiative for Small Businesses

From the ‘api.ipify.org’ Bandit fetches the system’s external IP, and then from the Appendix, it fetches a list of blacklisted IP addresses to compare them with the system’s external IP.

Bandit steals MAC address via GetAdaptersAddresses Windows API, then checks it against an Appendix blacklist. If matched, Bandit exits, and the MACs linked to virtualization may be in the blacklist to evade sandboxes.

Read moreEducating Your Board of Directors on Cybersecurity

Apart from this, Bandit Stealer also obtains additional blacklists using “cmd /c net session” to verify the username and computer name of the victim.

By employing the CreateToolhelp32Snapshot Windows API, Bandit captures a process snapshot and scans it against a blacklist in the Appendix. If a blacklisted process is found running in memory, Bandit terminates.

Browsers Targeted

Read morePersonal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack

Here below we have mentioned all the browsers that are targeted by Bandit Stealer:-

Yandex Browser

Read moreMany Vulnerabilities Found in PrinterLogic Enterprise Software

Iridium Browser

7Star Browser

Read moreIndustrial Giant ABB Confirms Ransomware Attack, Data Theft

Vivaldi Browser

Google Chrome

Read moreOrganizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation

Orbitum

Sputnik

Read moreGoogle Cloud Users Can Now Automate TLS Certificate Lifecycle

uCozMedia

Microsoft Edge

Read moreZyxel Firewalls Hacked by Mirai Botnet

Torch Web Browser

Kometa Browser

Read moreWatch Now: Threat Detection and Incident Response Virtual Summit

CentBrowser

BraveSoftware

Read moreNCC Group Releases Open Source Tools for Developers, Pentesters

Amigo Browser

Epic Privacy Browser

Read moreMemcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation

SeaMonkey browser

QupZilla

Cryptocurrency Wallets Targeted

Read morePyPI Enforcing 2FA for All Project Maintainers to Boost Security

Here below we have mentioned all the cryptocurrency wallets that are targeted by Bandit Stealer:-

Coinbase wallet extension

Read moreCredible Handwriting Machine

Saturn Wallet extension

Binance chain wallet extension

Read moreGoogle Is Not Deleting Old YouTube Videos

Coin98 Wallet

TronLink Wallet

Read moreFriday Squid Blogging: Peruvian Squid-Fishing Regulation Drives Chinese Fleets Away

multibit Bitcoin

Terra Station

Read moreSecurity Risks of New .zip and .mov Domains

Electron Cash

Guildwallet extension

Read moreMicrosoft Secure Boot Bug

Electrum-btcp

MetaMask extension

Read moreBarracuda zero-day abused since 2022 to drop new malware, steal data

Bither Bitcoin wallet

ronin wallet extension

Read moreWordPress plugin ‘Gravity Forms’ vulnerable to PHP object injection

multidoge coin

Kardiachain wallet extension

Read moreMicrosoft finds macOS bug that lets hackers bypass SIP root restrictions

LiteCoin

Jaxx liberty Wallet

Read moreRomCom malware spread via Google Ads for ChatGPT, GIMP, more

Dash Wallet

Math Wallet extension

Read moreMany Public Salesforce Sites are Leaking Private Data

Ethereum

Bitpay wallet extension

Read moreWordPress force installs critical Jetpack patch on 5 million sites

Exodus

Nifty Wallet extension

Read moreMicrosoft shares fix for cameras not working on Surface laptops

Atomic

Armory

Read moreAndroid apps with spyware installed 421 million times from Google Play

Bytecoin Wallet

Coinomi wallet

Read moreNew hacking forum leaks data of 478,000 RaidForums members

Monero wallet

dogecoin

FTP client apps targeted

Read moreFlash loan attack on Jimbos Protocol steals over $7.5 million

Here below, we have mentioned all the FTP client applications that Bandit Stealer targets:-

BlazeFTP

Read moreMCNA Dental data breach impacts 8.9 million people after ransomware attack

NovaFTP

Staff-FTP

Read moreHuman Error Fuels Industrial APT Attacks, Kaspersky Reports

EasyFTP

DeluxeFTP

Read moreDogeRAT Malware Impersonates BFSI, Entertainment, E-commerce Apps

ALFTP

GoFTP

Read moreRansomware Gangs Adopting Business-like Practices to Boost Profits

32BitFtp

Email Clients Targeted

Here below we have mentioned all the email clients that the Bandit stealer targets:-

Read moreNew Russian-Linked Malware Poses “Immediate Threat” to Energy Grids

MailSpring

Mailbird

Read moreRomania’s Safetech Leans into UK Cybersecurity Market

Opera Mail

Pocomail

Read moreAdvanced Phishing Attacks Surge 356% in 2022

Stolen data resides in files within a sub-folder in the %appdata%local directory, and the sub-folder name follows [country_code][ip_address] format.

Information collected by Bandit Stealer (Source – Zscaler)

While the file, USERINFO.txt carries Bandit Stealer header and system info.

USERINFO contents (Source – Zscaler)
Read moreExpo Framework API Flaw Reveals User Data in Online Services

Bandit leverages Windows 10 v1803’s default cURL utility for versatile data transfer via several standards like:-

HTTP

Read moreDark Web Data Leak Exposes RaidForums Members

FTP

SMTP

Read moreRetailer Database Error Leaks Over One Million Customer Records

Moreover, from a hardcoded URL, it downloads the blacklist configuration information by abusing the “pastebin.com”.

Downloaded Bandit Stealer blacklist configuration (Source – Zscaler)

Bandit dispatches this information through Telegram to the threat actor once the data collection concludes.

Read moreNine Million MCNA Dental Customers Hit by Breach

Automated parsing and data extraction by the Bandit threat actor results in a JSON-encoded response.

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.

Read moreNew Mirai Variant Campaigns are Targeting IoT Devices

The post Bandit Malware Attacks 17 Browsers, FTP & Email Clients to Steal Credentials appeared first on Cyber Security News.

   Read More 

Read moreLazarus hackers target Windows IIS web servers for initial access

Cyber Security News 

Related Posts

43% of couples experience pressure to share logins and locations, Malwarebytes finds

43% of couples experience pressure to share logins and locations, Malwarebytes finds

All isn’t fair in love and romance today, as 43% of people in a committed relationship said they have felt pressured by their own partners to share logins, passcodes, and/or locations. A worrying 7% admitted that this type of pressure has included the threat of breaking up or the threat of physical or emotional harm.

These are latest findings from original research conducted by Malwarebytes to explore how romantic couples navigate shared digital access to one another’s devices, accounts, and location information.

In short, digital sharing is the norm in modern relationships, but it doesn’t come without its fears.

While everybody shares some type of device, account, or location access with their significant other (100% of respondents), and plenty grant their significant other access to at least one personal account (85%), a sizeable portion longs for something different—31% said they worry about “how easy it is for my partner to track what I’m doing and where I am all times because of how much we share,” and 40% worry that “telling my partner I don’t want to share logins, PINs, and/or locations would upset them.”

By surveying 500 people in committed relationships in the United States, Malwarebytes has captured a unique portrait of what it means to date, marry, and be in love in 2024—a part of life that is now inseparable from smart devices, apps, and the internet at large.

The complete findings can be found in the latest report, “What’s mine is yours: How couples share an all-access pass to their digital lives.” You can read the full report below.

READ THE REPORT

Here are some of the key findings:

Partners share their personal login information for an average of 12 different types of accounts.

48% of partners share the login information of their personal email accounts.

30% of partners regret sharing location tracking.

18% of partners regret sharing account access. The number is significantly higher for men (30%).

29% of partners said an ex-partner used their accounts to track their location, impersonate them, access their financial accounts, and other harms.

Around one in three Gen Z and Millennial partners report an ex has used their accounts to stalk them.

But the data doesn’t only point to causes for concern. It also highlights an opportunity for learning. As Malwarebytes reveals in this latest research, people are looking for guidance, with seven in 10 people admitting they want help navigating digital co-habitation.

According to one Gen Z survey respondent:

“I feel like it might take some effort (to digitally disentangle) because we are more seriously involved. We have many other kinds of digital ties that we would have to undo in order to break free from one another.”

That is why, today, Malwarebytes is also launching its online resource hub: Modern Love in the Digital Age. At this new guidance portal, readers can learn about whether they should share their locations with their partners, why car location tracking presents a new problem for some couples, and how they can protect themselves from online harassment. Access the hub below.

MODERN LOVE

 Read More 

 

Ukraine at D+674: Reactions to Russia’s missile attacks.
Ukraine at D+674: Reactions to Russia’s missile attacks.

Ukraine at D+674: Reactions to Russia’s missile attacks.

Ukraine and its supporters react to Russia’s missile strikes, which Russia’s Ministry of Defense described as successful, and carefully targeted. The G7 may consider confiscation of $300 billion in frozen Russian assets.   Read More 

The CyberWire