Tuesday, October 15, 2024
HomeCyber Security NewsNew Bandit Malware Attacks Browsers to Steal Personal & Financial Logins

New Bandit Malware Attacks Browsers to Steal Personal & Financial Logins

Published on

Malware protection

Bandit Stealer, a recently discovered information stealer by Trend Micro, effectively targets cryptocurrency wallets and web browsers while skillfully avoiding detection.

The malware prioritizes Windows as its target and leverages the legitimate command-line tool runas[.]exe to execute programs under different user permissions.

The objective is to elevate privileges, gain administrative access, and bypass security measures to collect extensive user data efficiently.

- Advertisement - SIEM as a Service

Evasion of Antivirus

Due to its use of the Go programming language, the malware exhibits cross-platform compatibility, enabling it to expand its impact to various platforms.

Bandit Stealer employs sandbox detection mechanisms to adapt its behavior and evade detection or analysis based on specific indicators it checks for:-

  • container
  • jail
  • KVM
  • QEMU
  • sandbox
  • Virtual Machine
  • VirtualBox
  • VMware
  • Xen

Including a Linux-specific command in the malware suggests that it may be designed to infect Linux machines and is likely undergoing testing, as accessing the “/proc/self/status” file path on a Windows system would lead to an error.

The malware retrieves and saves the content from a Pastebin link (hxxps[:]//pastebin[.]com/raw/3fS0MSjN) in the AppData folder, as a file called “blacklist.txt.”

Here below, we have mentioned all the details that this list contains:-

  • Hardware IDs
  • IP addresses
  • MAC addresses
  • Usernames
  • Hostnames
  • Process names

While all these details primarily serve the purpose of identifying whether the malware is operating within a sandbox or undergoing testing.

Distribution of the Malware

The malware spreads via phishing emails, disguising itself as a harmless MS Word attachment that distracts the user while initiating the infection process in the background.

Microsoft’s access control mechanism runs malware as an administrator with credentials, useful when the user lacks sufficient privileges for program execution.

The malware modifies the Windows Registry, persists, and collects personal and financial data from crypto wallets and web browsers.

Bandit Stealer steals Telegram sessions

Bandit Stealer steals Telegram sessions for unauthorized access, enabling impersonation and malicious actions like accessing private messages and data.

Browsers & Wallets Scanned

Here below, we have mentioned the browsers:-

  • 7Star
  • YandexBrowser
  • Brave-Browser
  • Amigo
  • Torch
  • Google Chrome Canary
  • Google Chrome
  • Cent Browser
  • Sputnik
  • Iridium
  • Orbitum
  • UCozMedia
  • Epic Privacy Browser
  • Microsoft Edge
  • Kometa

Here below, we have mentioned all the wallets that are scanned:-

  • Clover Wallet
  • Jaxx Liberty
  • Wombat
  • TronLink
  • Trust Wallet
  • Crypto.com
  • BitKeep: Crypto & NFT Wallet

Here below, we have mentioned the types of data that are stolen from the victim’s browser:-

  • Login data
  • Cookies
  • Web history
  • Credit card details

Researchers found a fake Heart Sender installer that tricks users into launching embedded malware, automating spam SMS and email sending.

Stolen information from Bandit Stealer and similar stealers enables attackers to engage in identity theft, data breaches, financial gain, account hijacking, credential-stuffing, selling to other cybercriminals, and conducting follow-on attacks like double extortion and ransomware.

Shut Down Phishing Attacks with Device Posture Security – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...