Tuesday, December 3, 2024
HomeCyber AttackNew SectopRAT Steals Browser Passwords, 2FA Codes

New SectopRAT Steals Browser Passwords, 2FA Codes

Published on

SIEM as a Service

LummaC, an information stealer, is being disseminated on Russian-speaking forums through a Malware-as-a-Service (MaaS) approach. Sensitive data from affected devices is intended to be stolen by this malware. 

Cryptocurrency wallets, browser add-ons, two-factor authentication credentials, and numerous files are some of the data that are targeted.

Recently, Cyble Research & Intelligence Labs (CRIL) discovered a cutting-edge strategy for disseminating SectopRAT. 

- Advertisement - SIEM as a Service

SectopRAT is a . NET-based remote access malware.  It has a wide range of capabilities, including stealing browser data and cryptocurrency wallet details.

This method involves retrieving the Amadey bot malware from the LummaC stealer and using it to deliver the SectopRAT payload.

The Attack Chain

The LummaC Stealer has mostly been spread using spear-phishing emails and phishing websites that seem to be legitimate software providers.

Infection chain

In the past, the LummaC stealer was spread via fraudulent websites like those selling fake Microsoft Sysinternals Suite. Spear-phishing emails were used to target YouTubers as well. It spread further by pretending to be illegal software cracks.

Researchers come across ZIP files that appear to contain the LummaC stealer malware in the wild. Through a YouTube campaign disguising them as software setup files, these files are being circulated. 

These files appear to have been labeled to lure users in and mislead them into running the malware they carry.

The TAs’ information indicates that LummaC2 is a next-generation stealer with a high success rate. Notably, it runs efficiently without any dependencies whatsoever on clean systems. 

One of its essential components is server-based log decryption. About 70 browser-based cryptocurrencies and 2FA addons are included in LummaC2’s expertise in data theft from Chromium and Mozilla-derived browsers. 

In 2018, the malware family known as “Amadey Bot” was discovered. It can do actions including investigating infected systems, acquiring information, and loading more malicious payloads. 

It was used by TAs to introduce several malware strains, such as the Flawed Ammyy Remote Access Trojan (RAT) and the GrandCrab ransomware.

SectopRAT Stealing Browser Passwords, 2FA Codes

The Remote Access Trojan (RAT) SectopRAT, also known as Arechclient, was created using the .NET compiler. It offers a broad range of functionalities, such as stealing browser information and Bitcoin wallet information. 

It may create a concealed secondary desktop that it utilizes to manage and keep an eye on browser sessions. 

Notably, SectopRAT has Anti-VM and Anti-Emulator techniques that are designed to make malware analysis more difficult.

“The malware begins scanning through the target system’s directories. It aims to retrieve sensitive data from files such as “Cookies,” “Local State,” “Login Data,” and “Web Data”, researchers explain.

“These files are sourced from a diverse array of over 35 web browsers, gaming platforms, and other software applications that have been installed on the compromised system”.

SectopRAT target application list to steal sensitive information

The malware can extract information from cryptocurrency wallet browser extensions in addition to particular folders through which it may access cryptocurrency wallets.

Hence, a new level of cyber threat complexity has been revealed by the identification of the LummaC-Amadey-SectopRAT alliance. This planned attack chain demonstrates how hackers have evolved their strategies, from data collection to payload dissemination.

Keep informed about the latest Cyber Security News by following us on GoogleNewsLinkedinTwitter, and Facebook.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...