Thursday, July 18, 2024
EHA

BlackGuard – New Password Stealing Malware Sold In Russian Hacking Forum

Malware-as-a-service is becoming one of the greatest contributors to cyberattacks since it makes entry for cybercriminals extremely easier. This is because most of the hacking forums are selling malware, trojans, and viruses which are being leveraged by many hackers. 

In recent reports by Zscaler researchers, a new type of sophisticated credential stealer malware was found which was named “BlackGuard”. This malware is sold at a price of $700 lifetime and $200 a month.

This malware is capable of stealing information related to Crypto Wallets, Saved browser credentials, email clients, VPN messengers, and FTP credentials.  This malware also has the ability to evade detection as well as anti-debugging.
Image

Analysis

BlackGuard is still in the development stage. It is written in .NET packed with crypto packer.

Evasion

When this malware is executed, it is coded to kill processes related to antivirus and sandbox.
Image

Source: zscaler

String Obfuscation

This malware has dual decoding. It is encoded in an array of bytes which is first decoded into ASCII strings during runtime. These ASCII strings are then decoded into base64. This helps to evade antivirus and string-based detection.Image

Anti-CIS

BlackGuard gathers information about the location of the infected device by making a request to “http://ipwhois.app/xml/“. If BlackGuard detects the location of a Commonwealth of Independent States (CIS), it exits the device.

Image

Anti-Debug

BlackGuard can stop any disruption from users when debugging. This is achieved by the use of user32!BlockInput(). It blocks all mouse and keyboard inputs.
Image

Stealer Function

After all the pre-checks are executed, BlackGuard executes the stealer function which collects various information about browsers, software, and other directories.
Image

Browsers

BlackGuard steals credentials from Chrome and other Gecko-based browsers. It steals history, autofill information, passwords, and downloads.

Image

Cryptocurrency Wallets

The malware also supports the stealing of wallet information and other sensitive information. It specifically targets sensitive data files such as wallet.dat which will contain the private key access to the wallet and other data. Usually, these files are stored in the AppData folder which is targeted by the malware.

Image

Crypto Extensions

Most of browsers have extensions for crypto wallets for easy access to users. The malware also targets browsers such as Chrome and Edge for these extensions to steal sensitive information.

Image

Command and Control (C2) Exfiltration

Once it collects all this information from the targeted machine, it converts the data into a single .zip file and sends it to the server by making a POST request. The request also contains information about the system Hardware ID and country.
Image

Image
Image

Applications Targeted

Browsers

  • Chrome
  • Opera
  • Firefox
  • MapleStudio
  • Iridium
  • 7Star
  • CentBrowser
  • Chedot
  • Vivaldi
  • Kometa
  • ElementsBrowser
  • EpicPrivacyBrowser
  • uCozMedia
  • Coowon
  • liebao
  • QIPSurf
  • Orbitum
  • Comodo
  • Amigo
  • Torch
  • Comodo
  • 360Browser
  • Maxthon3
  • K-Melon
  • Sputnik
  • Nichrome
  • CocCoc
  • Uran
  • Chromodo
  • Edge
  • BraveSoftware

Crypto Wallets

  • AtomicWallet
  • BitcoinCore
  • DashCore
  • Electrum
  • Ethereum
  • Exodus
  • LitecoinCore
  • Monero
  • Jaxx
  • Zcash
  • Solar
  • Zap
  • AtomicDEX
  • Binance
  • Frame
  • TokenPocket
  • Wassabi

Crypto Wallet Extensions

  • Binance
  • coin98
  • Phantom
  • Mobox
  • XinPay
  • Math10
  • Metamask
  • BitApp
  • Guildwallet
  • iconx
  • Sollet
  • SlopeWallet
  • Starcoin
  • Swash
  • Finnie
  • KEPLR
  • Crocobit
  • OXYGEN
  • Nifty
  • Liquality
  • Auvitaswallet
  • Mathwallet
  • MTVwallet
  • Rabetwallet
  • Roninwallet
  • Yoroiwallet
  • ZilPaywallet
  • Exodus
  • TerraStation
  • Jaxx

Email Clients

Email Clients include Outlook

Other Applications

  • NordVPN
  • OpenVPN
  • ProtonVpn
  • Totalcomander
  • Filezilla
  • WinSCP
  • Steam

Messengers

  • Telegram
  • Signal
  • Tox
  • Element
  • Pidgin
  • Discord

Conclusion

Though BlackGuard has not had many applications, it still poses a big threat as it is continuously being developed and improved by underground hackers.

In order to prevent stealer malware like BlackGuard,

  • Inspect all traffic inbound and outbound
  • Use MFA where it can be induced
  • Prevent duplicate use of passwords
  • Prevent unknown sites from being visited
  • Prevent unknown from being opened
  • Use sandbox for unknown threats

Zscaler has published a full report on how this malware works and its analysis.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Website

Latest articles

Volcano Demon Group Attacking Organizations With LukaLocker Ransomware

The Volcano Demon group has been discovered spreading a new ransomware called LukaLocker, which...

Resonance Security Launches Harmony to Monitor and Detect Threats to Web2 and Web3 Apps

Quick take:Harmony is the fourth cybersecurity application Resonance developed to address the disconnect in...

Beware! of New Phishing Tactics Mimic as HR Attacking Employees

Phishing attacks are becoming increasingly sophisticated, and the latest strategy targeting employees highlights this...

MirrorFace Attacking Organizations Exploiting Vulnerabilities In Internet-Facing Assets

MirrorFace threat actors have been targeting media, political organizations, and academic institutions since 2022,...

HardBit Ransomware Using Passphrase Protection To Evade Detection

In 2022, HardBit Ransomware emerged as version 4.0. Unlike typical ransomware groups, this ransomware...

New Poco RAT Weaponizing 7zip Files Using Google Drive

The hackers weaponize 7zip files to pass through security measures and deliver malware effectively.These...

New ShadowRoot Ransomware Attacking Business Via Weaponized PDF’s

X-Labs identified basic ransomware targeting Turkish businesses, delivered via PDF attachments in suspicious emails...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles