New SectopRAT Steals Browser Passwords, 2FA Codes

LummaC, an information stealer, is being disseminated on Russian-speaking forums through a Malware-as-a-Service (MaaS) approach. Sensitive data from affected devices is intended to be stolen by this malware. 

Cryptocurrency wallets, browser add-ons, two-factor authentication credentials, and numerous files are some of the data that are targeted.

Recently, Cyble Research & Intelligence Labs (CRIL) discovered a cutting-edge strategy for disseminating SectopRAT. 

SectopRAT is a . NET-based remote access malware.  It has a wide range of capabilities, including stealing browser data and cryptocurrency wallet details.

This method involves retrieving the Amadey bot malware from the LummaC stealer and using it to deliver the SectopRAT payload.

The Attack Chain

The LummaC Stealer has mostly been spread using spear-phishing emails and phishing websites that seem to be legitimate software providers.

In the past, the LummaC stealer was spread via fraudulent websites like those selling fake Microsoft Sysinternals Suite. Spear-phishing emails were used to target YouTubers as well. It spread further by pretending to be illegal software cracks.

Researchers come across ZIP files that appear to contain the LummaC stealer malware in the wild. Through a YouTube campaign disguising them as software setup files, these files are being circulated. 

These files appear to have been labeled to lure users in and mislead them into running the malware they carry.

The TAs’ information indicates that LummaC2 is a next-generation stealer with a high success rate. Notably, it runs efficiently without any dependencies whatsoever on clean systems. 

One of its essential components is server-based log decryption. About 70 browser-based cryptocurrencies and 2FA addons are included in LummaC2’s expertise in data theft from Chromium and Mozilla-derived browsers. 

In 2018, the malware family known as “Amadey Bot” was discovered. It can do actions including investigating infected systems, acquiring information, and loading more malicious payloads. 

It was used by TAs to introduce several malware strains, such as the Flawed Ammyy Remote Access Trojan (RAT) and the GrandCrab ransomware.

SectopRAT Stealing Browser Passwords, 2FA Codes

The Remote Access Trojan (RAT) SectopRAT, also known as Arechclient, was created using the .NET compiler. It offers a broad range of functionalities, such as stealing browser information and Bitcoin wallet information. 

It may create a concealed secondary desktop that it utilizes to manage and keep an eye on browser sessions. 

Notably, SectopRAT has Anti-VM and Anti-Emulator techniques that are designed to make malware analysis more difficult.

“The malware begins scanning through the target system’s directories. It aims to retrieve sensitive data from files such as “Cookies,” “Local State,” “Login Data,” and “Web Data”, researchers explain.

“These files are sourced from a diverse array of over 35 web browsers, gaming platforms, and other software applications that have been installed on the compromised system”.

The malware can extract information from cryptocurrency wallet browser extensions in addition to particular folders through which it may access cryptocurrency wallets.

Hence, a new level of cyber threat complexity has been revealed by the identification of the LummaC-Amadey-SectopRAT alliance. This planned attack chain demonstrates how hackers have evolved their strategies, from data collection to payload dissemination.

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.