New Stealthy Bandit Stealer Targeting Web Browsers and Cryptocurrency Wallets

A new stealthy information-stealing malware called Bandit Stealer has caught the attention of cybersecurity researchers for its ability to target numerous web browsers and cryptocurrency wallets.

"It has the potential to expand to other platforms, as Bandit Stealer was developed using the Go programming language, possibly allowing for cross-platform compatibility," Trend Micro said in a report on Friday.

The malware is currently focused on targeting Windows by using a legitimate command-line tool called runas.exe, which allows users to run programs as another user with different permissions.

The goal is to escalate privileges and run with administrative access, effectively bypassing security measures in order to harvest large amounts of data.

That said, Microsoft's access control mitigations against unauthorized use of the tool mean that an attempt to run the malware binary as an administrator requires supplying the necessary credentials.

"By using the runas.exe command, users can run programs as administrator or any other user account with appropriate privileges, providing a more secure environment to run critical applications or perform system-level tasks," Trend Micro said.

"This utility is particularly useful in situations where the current user account does not have sufficient privileges to run a specific command or program."

Bandit Stealer incorporates checks to determine whether it is running in a sandbox or virtual environment, and terminates a list of blocked processes to hide its presence on the infected system.

It also establishes persistence by modifying the Windows Registry before beginning its data collection, which includes harvesting personal and financial data stored in web browsers and cryptocurrency wallets.
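The behaviours described above (runas.exe being used to relaunch a payload with elevated rights, and a Registry change for persistence) are the kind of thing endpoint telemetry can surface. The following is an added example written for this article, not code from Trend Micro or from the malware analysis: it parses a few constructed key=value event lines (an invented log format, not any product's real output) and flags runas.exe launches that involve user-writable paths and writes to the Run/RunOnce autostart keys. The choice of the Run keys is an assumption; the article only says the Registry is modified.

```python
import re

# Constructed sample telemetry in a simple key=value line format (not real
# product output); user names, paths and file names are invented.
SAMPLE_EVENTS = [
    r'type=process_create image=C:\Windows\System32\runas.exe '
    r'cmdline="runas /user:Administrator C:\Users\alice\Downloads\invoice.exe" '
    r'parent=C:\Users\alice\Downloads\dropper.exe',
    # Legitimate-looking admin use: launched from explorer, target is cmd.exe
    r'type=process_create image=C:\Windows\System32\runas.exe '
    r'cmdline="runas /user:admin cmd.exe" parent=C:\Windows\explorer.exe',
    # Autostart persistence via the per-user Run key (assumed technique)
    r'type=registry_set key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
    r'value=Updater data=C:\Users\alice\AppData\Roaming\svc.exe',
    r'type=registry_set key=HKCU\Software\Contoso\Settings value=Lang data=en',
    r'type=process_create image=C:\Windows\System32\notepad.exe '
    r'cmdline="notepad.exe" parent=C:\Windows\explorer.exe',
]

# Path fragments that indicate a location an ordinary user can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")
# Autostart keys commonly abused for persistence (assumption for this example).
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

# key=value pairs; values may be double-quoted when they contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def check_event(fields):
    """Return the names of the rules an event trips, in a fixed order."""
    hits = []
    etype = fields.get("type", "")
    image = fields.get("image", "").lower()

    # Rule 1: runas.exe started from, or pointed at, a user-writable path.
    # Interactive admin use from explorer.exe targeting system binaries is
    # deliberately left alone so the rule stays low-noise.
    if etype == "process_create" and image.endswith("\\runas.exe"):
        if is_user_writable(fields.get("parent", "")) or is_user_writable(
            fields.get("cmdline", "")
        ):
            hits.append("runas_from_user_writable_path")

    # Rule 2: a value written under a Run/RunOnce autostart key.
    if etype == "registry_set":
        key = fields.get("key", "").lower()
        if any(key.endswith(run_key) for run_key in RUN_KEYS):
            hits.append("run_key_persistence")
    return hits


def analyze(lines):
    """Return (event index, rule name) pairs for every flagged event."""
    findings = []
    for idx, line in enumerate(lines):
        for rule in check_event(parse_event(line)):
            findings.append((idx, rule))
    return findings


if __name__ == "__main__":
    for idx, rule in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} :: {SAMPLE_EVENTS[idx]}")
```

Running the block flags the first and third constructed events and leaves the interactive runas.exe launch alone; on real telemetry the same two rules would be tuned with the organisation's own allow-list of parent processes and signed target binaries.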

Bandit Stealer is said to be distributed via phishing emails containing a file dropper that opens a seemingly innocuous Microsoft Word attachment as a distraction while triggering the infection in the background.

Trend Micro said it also detected a fake installer for Heart Sender, a service that automates the sending of spam emails and SMS messages to numerous recipients, which is used to trick users into running the embedded malware.

The development comes as the cybersecurity firm discovered a Rust-based information stealer targeting Windows that uses an attacker-controlled GitHub Codespaces webhook as an exfiltration channel to obtain the victim's web browser credentials, credit cards, cryptocurrency wallets, and Steam and Discord tokens.

The malware, in a relatively uncommon tactic, achieves persistence on the system by modifying the installed Discord client to inject JavaScript code designed to capture information from the application.

The findings also follow the emergence of various commodity stealer malware strains such as Luca, StrelaStealer, DarkCloud, WhiteSnake and Invicta Stealer, some of which have been observed propagating through spam emails and fraudulent versions of popular software.

Another notable trend has been the use of YouTube videos to advertise pirated software through compromised channels with millions of subscribers.

The data collected by stealers can benefit their operators in many ways, enabling identity theft, financial gain, data breaches, credential stuffing attacks, and account hijacking.


Stolen information can also be sold to other actors, serving as the basis for follow-on attacks that can range from targeted campaigns to ransomware or extortion attacks.

These developments highlight the continuous evolution of stealer malware into a more lethal threat, just as the malware-as-a-service (MaaS) marketplace makes it readily available and lowers the barrier to entry for aspiring cybercriminals.

In fact, data collected by the Secureworks Counter Threat Unit (CTU) has revealed a "thriving market for information stealers," with the volume of stolen logs offered on underground forums like Russian Market registering a 670% increase between June 2021 and May 2023.

"Russian Market offers five million logs for sale, about ten times more than its closest forum rival, 2easy," the company said.

"Russian Market is well established among Russian cybercriminals and is widely used by threat actors around the world. Russian Market recently added logs from three new stealers, suggesting that the site is actively adapting to the changing landscape of e-crime."

The MaaS ecosystem, despite its increasing sophistication, has also been in a state of flux, with law enforcement actions prompting threat actors to peddle their wares on Telegram.

"What we're seeing is an entire underground economy and supporting infrastructure built around information stealers, making it not only possible, but also potentially lucrative, for relatively unskilled threat actors to get involved," said Don Smith, vice president of Secureworks CTU.

"Coordinated global law enforcement action is having some impact, but cybercriminals are adept at reshaping their routes to market."
