iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Researchers have uncovered a new and likely novel info-stealing malware, creatively called Bandit Stealer.
Threat hunters at Trend Micro have only recently discovered the malware, but a thorough analysis of the program has revealed how it operates, how it maintains persistence, and the data it attempts to steal.
The malware can be delivered in a number of ways, either via fake Word documents and other executable files or by pretending to be an installer for a well-known tool for generating spam emails. The latter suggests that Bandit Stealer may well be aimed at other cyber criminals.
Bandit Stealer has a focus on stealth and is able to determine if it is running in a test environment or on a virtual machine or other sandboxed system. If it detects such an environment, it can change its behaviour in an attempt to avoid detection or analysis.
The malware downloads a blacklist that identifies a range of IP addresses, MAC addresses, and hardware IDs commonly seen in test environments.
“One of the MAC addresses given from the blacklist, ‘00:0c:29’ corresponds to the OUI for VMware products such as virtual machines,” Trend Micro said in a blog post, “which is commonly used for sandbox and malware analysis”.
Despite currently only being aimed at Windows machines, Bandit Stealer also features some commands to kill processes on Linux machines, suggesting that the malware is currently in a test phase, ahead of providing cross-platform functionality.
Once various processes related to analysis and detection are detected and killed, Bandit Stealer sets about maintaining persistence on the infected system. It does this by creating a registry entry, ensuring that even after a restart, the executable itself restarts.
With the malware now securely installed and running free of obstruction, Bandit Stealer starts collecting a wealth of basic data, including the machine’s IP address and country code, operating system and storage details, and even what resolution the monitor is currently running. It can also access Telegram accounts, allowing threat actors to impersonate the victim and giving them access to private messages.
Bandit Stealer also harvests data from a raft of web browsers, including Google’s Chrome and Microsoft’s Edge, as well as many more. It can even steal saved credit card details and browser history.
Finally, it also scans for the presence of cryptocurrency wallets or related browser extensions. All the collected data is then exfiltrated in a compressed archive and sent to a Telegram server.
At the moment, Bandit Stealer is being heavily marketed on the dark web, with “limited monthly licences available” and promises of more updates and modules to come.
So far, however, Trend’s researchers have found no evidence of any particular groups making use of the info stealer.
“As of this writing, we have not identified any active threat groups associated with this particular malware because of its recent emergence and limited data on its operation,” Trend said. “We have not observed traces of what the group might have been doing with the information it has stolen as the malware is in its early stages.”
“However, the malware actor can potentially exploit them for purposes such as identity theft, financial gain, data breaches, credential stuffing attacks, and account takeovers.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
