Wednesday, January 15, 2025
HomeComputer SecurityPassword-stealing Malware 'Predator the Thief' Delivered Through Weaponized Word Documents

Password-stealing Malware ‘Predator the Thief’ Delivered Through Weaponized Word Documents

Published on

The new version of Predator the Thief malware distributed through fake invoice documents aimed to steal sensitive user information.

The malware was first observed by Fortinet in July of 2018, the threat actors behind the malware family upgrading it in short intervals to make it more stealthy.

It is fully written in C/C++ and the malware sold in underground forums pricing between $35 to $80.

Predator the Thief Latest Campaign

Fortinet observed a recent campaign of Predator the Thief with version 3.3.4 with enhanced capabilities.

The campaign uses multiple fake invoice documents that deliver Predator the Thief malware as the final payload.

Once the user opens the word document, AutoOpen macro runs the malware VBA script, which downloads three files using Powershell.

Predator the Thief
Malware Process Flow

VjUea.dat – Legitimate version of AutoIt3.exe
SevSS.dat – Base64-encoded AutoIt script that uses certutil.exe for decoding
apTz.dat – RC4-encrypted Predator the Thief malware

The SevSS.dat script decoded by using the certutil.exe tool once decoded it uses legitimate AutoIt3.exe to run decoded AutoIt script. Then AutoIt script decrypts the apTz.dat, which is the final payload of Predator the Thief.

The malware sends the stolen information as a zip file, the zip file won’t get generated in the file system, instead, it adds the zip file directly from memory to the request data.

C2 Server Communications

Communication with the C2 servers established through API and they are encrypted using basic base64 and RC4 algorithms.

The following are the information collected and sent to the C2 servers.

  1. Password Information
  2. Cookies
  3. Payment cards
  4. Steam, Skype accounts information
  5. Wallets Information
  6. Telegram accounts
  7. Crc32 checksum anti-debug result
  8. Module execution method configuration

The malware continues to evolve and abuses legitimate tools to execute the payload and to avoid detection.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Aembit Announces Speaker Lineup for the Inaugural NHIcon

Aembit, the non-human identity and access management (IAM) company, unveiled the full agenda for...

Sweet Security Introduces Patent-Pending LLM-Powered Detection Engine, Reducing Cloud Detection Noise to 0.04%

Sweet Security, a leader in cloud runtime detection and response, today announced the launch...

ShadowSyndicate Hackers Added RansomHub Ransomware to their Arsenal

ShadowSyndicate is a prolific threat actor that has been active since July 2022, collaborated...

5,000 WordPress Sites Hacked in New WP3.XYZ Malware Attack

Widespread malware campaigns detected by side crawlers exploit vulnerabilities on multiple websites where the...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

RedCurl APT Deploys Malware via Windows Scheduled Tasks Exploitation

Researchers identified RedCurl APT group activity in Canada in late 2024, where the attackers...

Credit Card Skimmer Hits WordPress Checkout Pages, Stealing Payment Data

Researchers analyzed a new stealthy credit card skimmer that targets WordPress checkout pages by...

Hackers Exploiting YouTube to Spread Malware That Steals Browser Data

Malware actors leverage popular platforms like YouTube and social media to distribute fake installers....