New SectopRAT Steals Browser Passwords, 2FA Codes

LummaC, an information stealer, is being disseminated on Russian-speaking forums through a Malware-as-a-Service (MaaS) approach. Sensitive data from affected devices is intended to be stolen by this malware. 

Cryptocurrency wallets, browser add-ons, two-factor authentication credentials, and numerous files are some of the data that are targeted.

Recently, Cyble Research & Intelligence Labs (CRIL) discovered a cutting-edge strategy for disseminating SectopRAT. 

SectopRAT is a . NET-based remote access malware.  It has a wide range of capabilities, including stealing browser data and cryptocurrency wallet details.

This method involves retrieving the Amadey bot malware from the LummaC stealer and using it to deliver the SectopRAT payload.

The Attack Chain

The LummaC Stealer has mostly been spread using spear-phishing emails and phishing websites that seem to be legitimate software providers.

Infection chain

In the past, the LummaC stealer was spread via fraudulent websites like those selling fake Microsoft Sysinternals Suite. Spear-phishing emails were used to target YouTubers as well. It spread further by pretending to be illegal software cracks.

Researchers come across ZIP files that appear to contain the LummaC stealer malware in the wild. Through a YouTube campaign disguising them as software setup files, these files are being circulated. 

These files appear to have been labeled to lure users in and mislead them into running the malware they carry.

The TAs’ information indicates that LummaC2 is a next-generation stealer with a high success rate. Notably, it runs efficiently without any dependencies whatsoever on clean systems. 

One of its essential components is server-based log decryption. About 70 browser-based cryptocurrencies and 2FA addons are included in LummaC2’s expertise in data theft from Chromium and Mozilla-derived browsers. 

In 2018, the malware family known as “Amadey Bot” was discovered. It can do actions including investigating infected systems, acquiring information, and loading more malicious payloads. 

It was used by TAs to introduce several malware strains, such as the Flawed Ammyy Remote Access Trojan (RAT) and the GrandCrab ransomware.

SectopRAT Stealing Browser Passwords, 2FA Codes

The Remote Access Trojan (RAT) SectopRAT, also known as Arechclient, was created using the .NET compiler. It offers a broad range of functionalities, such as stealing browser information and Bitcoin wallet information. 

It may create a concealed secondary desktop that it utilizes to manage and keep an eye on browser sessions. 

Notably, SectopRAT has Anti-VM and Anti-Emulator techniques that are designed to make malware analysis more difficult.

“The malware begins scanning through the target system’s directories. It aims to retrieve sensitive data from files such as “Cookies,” “Local State,” “Login Data,” and “Web Data”, researchers explain.

“These files are sourced from a diverse array of over 35 web browsers, gaming platforms, and other software applications that have been installed on the compromised system”.

SectopRAT target application list to steal sensitive information

The malware can extract information from cryptocurrency wallet browser extensions in addition to particular folders through which it may access cryptocurrency wallets.

Hence, a new level of cyber threat complexity has been revealed by the identification of the LummaC-Amadey-SectopRAT alliance. This planned attack chain demonstrates how hackers have evolved their strategies, from data collection to payload dissemination.

Keep informed about the latest Cyber Security News by following us on GoogleNewsLinkedinTwitter, and Facebook.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …

15 hours ago

INTERPOL Urges to End ‘Pig Butchering’ & Replaces With “Romance Baiting”

INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase widely…

15 hours ago

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT," which…

16 hours ago

Earth Koshchei Employs RDP Relay, Rogue RDP server in Server Attacks

 A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought…

17 hours ago

Careto – A legendary Threat Group Targets Windows By Deploy Microphone Recorder And Steal Files

Recent research has linked a series of cyberattacks to The Mask group, as one notable…

18 hours ago

RiseLoader Attack Windows By Employed A VMProtect To Drop Multiple Malware Families

RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol…

18 hours ago