MrAnon Stealer Propagates via Email with Fake Hotel Booking PDF

 

FortiGuard Labs cybersecurity experts have discovered a sophisticated email phishing scheme that uses fraudulent hotel reservations to target unsuspecting victims. The phishing campaign involves the deployment of an infected PDF file, which sets off a chain of actions that culminates in the activation of the MrAnon Stealer malware. 

The attackers, as initially reported by Hackread, pose as a hotel reservation company rather than depending on complicated technical means. They send phishing emails with the subject "December Room Availability Query," which contain fake holiday season booking details. A downloader link included within the malicious PDF file initiates the phishing attempt.

Following an investigation, FortiGuard Labs experts discovered a multi-stage process involving .NET executable files, PowerShell scripts, and fraudulent Windows Forms presentations. The attackers move through these steps using techniques such as fake error messages to mask the successful execution of the MrAnon Stealer malware.

The MrAnon Stealer runs in the background, employing cx-Freeze to compress its actions and bypass detection measures. Its meticulous approach includes screenshot capture, IP address retrieval, and sensitive information retrieval from various applications. 

MrAnon Stealer, according to FortiGuard Labs, can steal information from bitcoin wallets, browsers, and messaging apps such as Discord, Discord Canary, Element, Signal, and Telegram Desktop. It specifically targets VPN clients such as NordVPN, ProtonVPN, and OpenVPN Connect. The attackers employ a Telegram channel as a means of exchange for command and control. Using a bot token, the stolen data is sent to the attacker's Telegram channel, along with system information and a download link.

As evidenced by the spike in requests for the downloader URL in November 2023, this malware campaign was aggressive and actively running, primarily targeting Germany. The hackers demonstrated a calculated strategy by switching from Cstealer in July and August to the more potent MrAnon Stealer in October and November.

Users are strongly advised to exercise caution, especially when dealing with unexpected emails containing suspicious files, as online vulnerabilities are at an all-time high. Vigilance and common sense are the keys to thwarting cybercriminal activities because they safeguard against the exploitation of human flaws and ensure online security.

MrTonyScam: Python-based Stealers Deployed via Facebook Messenger


A new phishing attack has recently been observed on Facebook Messenger, in which messages with malware attached are sent from a "swarm of fake and hijacked personal accounts" with the aim of accessing the targets' business accounts.

The attack, referred to as 'MrTonyScam,' works by sending targets messages that push them to open RAR and ZIP archive attachments, which launch a dropper that downloads the subsequent stage from a GitHub or GitLab repository.

In an analysis published over the weekend, Guardio Labs researcher Oleg Zaytsev states, "Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods."

This payload is another archive file with a CMD file inside it. The CMD file in turn contains an obfuscated Python-based stealer that exfiltrates all cookies and login information from various web browsers to a Telegram or Discord API endpoint under the actor's control.

A particularly interesting tactic used by the threat actors is that they delete all cookies once they have stolen them, in order to lock victims out of their own accounts. They then hijack the victim's session with the help of the stolen cookies, changing passwords and thus acquiring complete control.

Also, there have been speculations that the threat actors are based in Vietnam, considering the presence of Vietnamese language references in the source code of the Python stealer. For instance, there has been the inclusion of ‘Cốc Cốc,’ which is a Chromium-based browser used popularly in Vietnam. 

Guardio Labs discovered that the campaign has experienced a high success rate, with 1 out of 250 victims being estimated to have been infected over the last 30 days alone, despite the fact that the infection needs user input to download a file, unzip it, and execute the attachment.

Among other countries, the United States, Australia, Canada, France, Germany, Indonesia, Japan, Nepal, Spain, the Philippines, and Vietnam have reported the majority of the compromises.

"Facebook Accounts with reputation, seller rating, and high number of followers can be easily monetized on dark markets[…]Those are used to reach a broad audience to spread advertisements as well as more scams," Zaytsev noted.

The disclosure came days after WithSecure and Zscaler ThreatLabz reported the newly launched Ducktail and Duckport campaigns that targeted Meta Business and Facebook accounts using 'malverposting' tactics.

"The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to ransomware-as-a-service model) centered around social media platforms such as Facebook," WithSecure noted.  

Titan-Stealer: A New Golang-based Info-Stealer Malware


Recently, a new Golang-based information stealer malware, named 'Titan Stealer,' has been promoted by threat actors in their Telegram channel. Initial details regarding the malware were discovered by cybersecurity researcher Will Thomas in November 2022 by using the IoT search engine Shodan.

Titan is advertised as a malware builder that enables users to alter the malware binary's functionality and the type of data that will be extracted from a victim's system.

The malware, when launched, uses a technique called 'process hollowing' to inject the malicious payload into the memory of a legitimate process called AppLaunch.exe, Microsoft's .NET ClickOnce Launch Utility.

According to a recent report by Uptycs security, researchers Karthickkumar Kathiresan and Shilpesh Trivedi say, “the stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files.” 

Targets of The Info Stealer 

The Titan Stealer has been targeting web browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, Brave, Vivaldi, 7 Star Browser, Iridium Browser, and others. The crypto wallets singled out are Armory, Atomic, Bytecoin, Coinomi, Edge Wallet, Ethereum, Exodus, Guarda, Jaxx Liberty, and Zcash. 

Additionally, it has the ability to collect data from the Telegram desktop app and compile a list of the host's installed programs. 

The gathered information is then transmitted as a Base64-encoded archive file to a remote server under the attacker's control. Additionally, the malware includes a web panel that enables threat actors to access the stolen data. 

How is the Titan Stealer Operated? 

The exact approach used to distribute the malware is still unclear, but the threat actors have utilized numerous methods, such as phishing, malicious ads, and cracked software. 

"One of the primary reasons [threat actors] may be using Golang for their information stealer malware is because it allows them to easily create cross-platform malware that can run on multiple operating systems, such as Windows, Linux, and macOS," says Cyble in its analysis of Titan Stealer. "Additionally, the Go compiled binary files are small in size, making them more difficult to detect by security software." 

The findings come a little over two months after SEKOIA unveiled Aurora Stealer, another Go-based malware that is being used by a number of criminal actors in their campaigns. 

The malware often spreads through websites that mimic a renowned software, with the same domains being continuously updated to host trojanized versions of different programs. 

It is also found to be taking advantage of a tactic called padding in order to artificially inflate the size of the executables to as much as 260MB by adding random data, in order to evade detection by antivirus software. 

2K Games’ Support System Hacked via Notorious Malware

 

Days after a hacker targeted Rockstar Games, another American video game developer 2K reportedly suffered a targeted cyberattack wherein the attackers designed a clone version of its support system. The hackers employed RedLine password-stealing malware to access the company’s help desk. 

In a tweet, the video game publisher said it recently unearthed that a hacker managed to “illegally access” the credentials of one of its vendors to the helpdesk platform. 

The company advised users to reset the account passwords stored in their web browser and enable two-factor authentication wherever possible, while avoiding 2FA with text message verification. Additionally, players can install and run a trustworthy antivirus program and check their account settings to see if any forwarding rules have been added to their email accounts.

"The unauthorized party sent a communication to certain players containing a malicious link. Please do not open any emails or click on any links that you receive from the 2K Games support account," the company warned. 

Although 2K did not name the vendor, notably the company uses Zendesk Inc. for its support portal. It’s unknown if a Zendesk account was compromised or if the account belongs to another third-party vendor used by 2K, which also had access to the Zendesk-powered support portal. 

According to Bleeping Computer, the malicious texts received by 2K users originated from a fake 2K support representative called “Prince K.” The messages included an attached file named “2K Launcher.zip” hosted directly on 2ksupport.zendesk.com, which pretended to be a new game launcher. 

The zip file contained an unsigned file called “2k Launcher.exe” that included RedLine Stealer, a low-cost malware employed to siphon a wide range of data after infecting one's system, including web browser history, cookies, saved browser passwords, credit cards, VPN credentials, instant messaging content, cryptocurrency wallets, and more.

“The depth of 2K Games breach is another cautionary tale of supply chain security,” David Maynor, senior director of threat intelligence at cybersecurity training company Cybrary Inc., stated. “This compromise allowed the attackers to send official mail and hosting malware directly on their help desk services.” 

Maynor added that the scope of the attack appeared restricted only by the hackers’ imagination. “2K Games just released ‘NBA 2K23,’ a popular basketball franchise that brought extra scrutiny to the 2K Games support platform,” he said.

Discord Users Targeted by Malicious Npm Packages

 

Kaspersky researchers have unearthed yet another supply chain attack campaign employing multiple malicious npm packages, this time targeting Discord users to steal their payment card information. 

The malware employed in these attacks is a modified version of an open-source and Python-based Volt Stealer token logger and JavaScript malware dubbed Lofy Stealer. 

“The Python malware is a modified version of an open-source token logger called Volt Stealer. It is intended to steal Discord tokens from infected machines and the victim’s IP address and upload them via HTTP,” reads the analysis published by Igor Kuznetsov and Leonid Bezvershenko. 

The malware monitors the victims' actions, such as Discord logins, attempts to change the credentials, multi-factor authentication (MFA) toggles, or the addition of new payment methods to steal Discord accounts and payment information. 

Subsequently, the harvested data is uploaded to the remote endpoint whose address is hardcoded (e.g., life.polarlabs.repl[.]co, sock.polarlabs.repl[.]co, idk.polarlabs.repl[.]co). 

“The JavaScript malware we dubbed ‘Lofy Stealer’ was created to infect Discord client files in order to monitor the victim’s actions,” researchers added. “It detects when a user logs in, changes email or password, enables/disables multi-factor authentication (MFA), and adds new payment methods, including complete bank card details. Collected information is also uploaded to the remote endpoint whose address is hard-coded,” the analysis further read.

Kaspersky states that they are constantly monitoring the updates to repositories to rapidly scan and remove all new malicious packages. 

According to researchers, this is a repetitive process among malicious npm packages, and it's just one of the seemingly endless streams of malware specifically designed to target Discord users in recent years with info stealers. 

For example, in 2019, malware dubbed Spidey Bot was employed to alter the Windows Discord client to backdoor it and deploy an information-stealing trojan. Last year, malicious npm and PyPI libraries were also employed to target Discord users, steal their user tokens and browser information, and deploy MBRLocker data wiping malware called Monster Ransomware.

Earlier this year, JFrog researchers uncovered multiple malicious packages in the NPM registry particularly targeting several popular media, logistics, and industrial companies based in Germany to carry out supply chain assaults.

XFiles Malware Exploits Follina, Expands Its Attacks

What is XFiles?

The XFiles info stealer malware has added a new vulnerability to its arsenal, exploiting CVE-2022-30190 (Follina) to attack targeted systems with malicious payloads. A cybersecurity firm said that the malware uses Follina to deploy the payload, run it, and take control of the targeted computer. "In the case of the XFiles malware, researchers at Cyberint noticed that recent campaigns delivering the malware use Follina to download the payload, execute it, and also create persistence on the target machine," says Bleeping Computer.

How does the Follina infection work?

• The malicious document, delivered to victims as spam mail, contains an OLE object that points to an HTML file on an external resource. That file holds JavaScript code that exploits Follina.

• When the code is executed, it retrieves a base64-encoded string containing PowerShell commands that establish persistence in the Windows startup directory and deploy the malware.

• The second-stage module, "ChimLacUpdate.exe," contains an AES decryption key and hard-coded encrypted shellcode. An API call decrypts the shellcode and runs it in the same running process.

• After infection, XFiles carries out the usual info stealer activities: targeting passwords and history stored in web browsers, cookies, and cryptocurrency wallets, taking screenshots, and looking for Telegram and Discord credentials.

• The files are stored locally in new directories before they are exfiltrated via Telegram.

The XFiles is becoming more active 

• A cybersecurity agency said that XFiles has expanded by taking in new members and initiating new projects. 

• A project launched earlier this year by Xfiles is called the 'Punisher Miner.' 

• Ironically, the new mining tool costs $9, the same as a month of renting the XFiles info stealer.

CyWare Social says "it appears that the XFiles gang is expanding and becoming more prolific. The gang is recruiting talented malware authors, becoming stronger, and thus providing their users with more readymade tools that do not require experience or coding knowledge. Successful incorporation of the Follina-exploiting document increases the chances of infection and consequently increases the success rate of attacks."

Info Stealer Identified in a PyPI Package

 

GitHub user duxinglin1 has identified three PyPI packages, 'keep,' 'pyanxdns,' and 'api-res-py,' using a malicious dependency, 'request.'

Last month, duxinglin1 uncovered the vulnerable versions containing the misspelled 'request' dependency, rather than the authentic 'requests' library. CVEs assigned to the susceptible versions include:

• CVE-2022-30877 - 'keep' version 1.2 contains the backdoor 'request'
• CVE-2022-30882 - 'pyanxdns' version 0.2 impacted
• CVE-2022-31313 - 'api-res-py' version 0.1 impacted

According to duxinglin1, the risk with the 'keep' package is particularly high, as it receives over 8,000 downloads per week on average, whereas 'pyanxdns' and 'api-res-py' are small-scale projects.

Back in 2020, Tencent Onion Anti-Intrusion System unearthed a malicious typosquat, 'request,' uploaded to the PyPI registry; it imitated the requests HTTP library but dropped malicious info-stealers.

"We found a malicious backdoor in version 1.2 of this project, and its malicious backdoor is the request package. Even if the request package was removed by PyPI, many mirror sites did not completely delete this package, so it could still be installed,” duxinglin1 explained. The malicious backdoor inside the counterfeit 'request' includes a base64-encoded URL to the 'check.so'. 

The file 'check.so' is loaded with a Remote Access Trojan (RAT), while 'x.pyx' contains data theft malware that exfiltrates cookies and private data from web browsers like Chrome, Firefox, Yandex, Brave, and others. Subsequently, the hackers with access to user credentials attempt to exploit other accounts employed by the developer, potentially leading to additional supply-chain attacks. 

Bleeping Computer contacted the developers of each of these packages to determine whether this was due to a simple typographical error or a hijacking of maintainer accounts. The author of 'pyanxdns', Marky Egebäck, confirmed this was a result of a typographical error rather than an account compromise.

Additionally, it appears that the developers of the other two packages also introduced 'request' rather than the legitimate 'requests' due to an innocent typing error. 

"Sorry to say by a simple typo in the setup.py file since git history shows that this was added when the install requires was added by me. This was [an] honest mistake based on a typo in the setup.py. I generally don’t publish things on PyPI but I made this quickly for a friend and myself. Not sure if he has promoted this but the purpose was mainly for personal use in [an] internal docker project," stated Egebäck.
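One way to catch the 'request' versus 'requests' mistake described above before a package is published or installed. This is an added example, not code from duxinglin1, Bleeping Computer or the affected projects; the allowlist, the function names and the sample setup.py are assumptions constructed for illustration.

```python
import ast
import re

# Assumed allowlist: in practice, the dependencies your organisation has reviewed.
KNOWN_GOOD = {"requests", "urllib3", "numpy", "pyyaml", "dnspython"}

# Constructed sample resembling the typo described above (not a real project file).
SAMPLE_SETUP_PY = '''
from setuptools import setup
setup(
    name="example-dns-client",
    version="0.2",
    install_requires=["request>=2.0", "PyYAML", "dnspython==2.2.1", "click"],
)
'''


def normalize(name):
    """PEP 503 normalisation: lowercase, runs of - _ . become a single dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(spec):
    """Strip version specifiers, extras and markers from a requirement string."""
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", spec)
    return normalize(m.group(1)) if m else None


def _call_name(func):
    # setup(...) is an ast.Name; setuptools.setup(...) is an ast.Attribute.
    return getattr(func, "id", None) or getattr(func, "attr", None)


def declared_dependencies(setup_source):
    """Read install_requires from setup() by parsing, never executing, the file."""
    deps = []
    for node in ast.walk(ast.parse(setup_source)):
        if not (isinstance(node, ast.Call) and _call_name(node.func) == "setup"):
            continue
        for kw in node.keywords:
            if kw.arg == "install_requires" and isinstance(kw.value, (ast.List, ast.Tuple)):
                for elt in kw.value.elts:
                    if isinstance(elt, ast.Constant) and isinstance(elt.value, str):
                        deps.append(elt.value)
    return deps


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(setup_source, known_good=KNOWN_GOOD, max_distance=1):
    """Return (name, verdict, lookalikes) for every dependency not on the allowlist."""
    allowed = {normalize(n) for n in known_good}
    findings = []
    for spec in declared_dependencies(setup_source):
        name = requirement_name(spec)
        if name is None or name in allowed:
            continue
        near = sorted(k for k in allowed if edit_distance(name, k) <= max_distance)
        findings.append((name, "possible-typosquat" if near else "unreviewed", near))
    return findings


if __name__ == "__main__":
    for name, verdict, near in audit(SAMPLE_SETUP_PY):
        print(f"{verdict}: {name} {near}")
```

Because the check works on the declared name rather than on registry contents, it still flags the dependency when the package has been removed from PyPI but remains on a mirror.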

Telegram is Selling the Eternity Malware Kit, Which Offers Malicious Services 

 

Cybercriminals have recently used Telegram to offer malware and other dangerous tools as services. Researchers have discovered a deadly new malware subscription plan which can be used to facilitate a wide range of attacks. 

The "Eternity Project," a modular malware kit, has capabilities that allow buyers to steal passwords and credit card information, launch ransomware attacks and infiltrate victims with cryptomining software. Each component of the malware toolkit, such as an information stealer, a coin miner, a clipper, ransomware software, a worm spreader, and, finally, a DDoS (distributed denial of service) bot, can be purchased separately. 

The creators share the latest updates and usage instructions and debate feature proposals on a private Telegram channel with over 500 members. Buyers can apparently use the Telegram Bot to assemble the binary automatically after choosing their desired feature set and paying the equivalent amount in cryptocurrency. The malware module is the most expensive at $490 per year. The info-stealer, which costs $260 per year, steals passwords, credit cards, bookmarks, tokens, cookies, and autofill data from over twenty different web browsers.

The malware's versatility is also highlighted through a deep-dive investigation of the infostealer module. Researchers claim that this single tool may gather data from a wide range of apps, including web browsers and cryptocurrency wallets, as well as VPN clients, messaging apps, and more.

The miner module is $90 a year and includes features such as task manager invisibility, auto-restart once killed, and startup launch persistence. The clipper is a $110 application that scans the clipboard for cryptocurrency wallet credentials and replaces them with wallets controlled by the malware's operator. The Eternity Worm is available for $390 from the developer, and it can propagate itself using USB drives, LAN shares, local files, cloud drives, Python projects, Discord accounts, and Telegram accounts.

The authors say it's FUD (fully undetectable), a claim supported by VirusTotal data showing zero detections for the strain. Surprisingly, the ransomware module provides an option of setting a timer that, when reached, renders the files entirely unrecoverable. This adds to the victim's pressure to pay the ransom as soon as possible.

Despite the wide range of hazards posed by Eternity Project malware, Cyble says there are a few precautions consumers can take. Maintaining regular data backups, keeping software up to date, and avoiding visiting untrustworthy websites and email attachments are recommended best practices.

Researchers Warn of Fake Windows 11 Upgrade Containing Info Stealing Malware

 

Cybercriminals are tricking users into installing a fake Windows 11 upgrade that includes malware that steals data from web browsers and crypto-wallets. The malicious campaign, which is still running, operates by poisoning search results to drive traffic to a website impersonating Microsoft’s Windows 11 advertising page and offering the information stealer.

According to CloudSEK threat researchers who analyzed the malware and published a technical report, malicious actors are focusing on people who rush to install Windows 11 without first learning that the OS must satisfy specific requirements. 

The rogue website advertising the false Windows 11 has official Microsoft logos, favicons, and a “Download Now” button. It looks legitimate at first glance, but the URL reveals the site as fraudulent. If visitors access the malicious website directly (download is not possible via TOR or VPN), they will receive an ISO file containing the executable for new information-stealing malware. 

The CloudSEK researchers named the new malware 'Inno Stealer' as it uses the Inno Setup Windows Installer. The researchers said that Inno Stealer has no code in common with other presently circulating info-stealers. Once active, the malware plants a pair of files that disable various Windows security measures, including those in the registry. They also wipe out software from anti-virus companies Emsisoft and ESET. 

Inno Stealer’s capabilities are typical for this kind of malware, including the ability to collect web browser cookies and passwords, data from cryptocurrency wallets, and data from the disk. The set of targeted browsers and crypto wallets is extensive, including Chrome, Edge, Brave, Opera, Vivaldi, 360 Browser, and Comodo. 

The malware can also fetch extra payloads, an action only performed at night, potentially to take advantage of the victim’s absence from the computer. These additional Delphi payloads, which are TXT files, use the same Inno-based loader that fiddles with the host’s security tools and employs an identical persistence methodology. They also have the ability to grab clipboard data and exfiltrate directory enumeration data.

To mitigate the risks, researchers recommended avoiding downloading ISO files from obscure sources and instead undertaking significant OS updates using the Windows 10 control panel or obtaining the installation files directly from the source. If you can’t upgrade to Windows 11, there’s no point in attempting to bypass the limitations manually since this will come with a slew of drawbacks and severe security risks.

Malspam Campaign Spreads Novel META Info-stealer

 

The new META malware, a unique info-stealer malware that appears to be gaining popularity among hackers, has been discovered in a malspam campaign. 

META, along with Mars Stealer and BlackGuard, is one of the latest info-stealers whose administrators aim to profit from Raccoon Stealer's absence from the market, which has left many looking for a new platform. META was initially reported on by Bleeping Computer last month, when KELA experts cautioned of its quick entry into the TwoEasy botnet marketplace. The product is advertised as an upgraded version of RedLine and costs $125 per month for monthly users or $1,000 for unlimited lifetime use.

META is currently being utilised in attacks, according to security researcher and ISC Handler Brad Duncan. It is being used to steal passwords stored in Chrome, Edge, and Firefox, as well as cryptocurrency wallets. The infection chain in this campaign uses the "standard" approach of sending a macro-laced Excel spreadsheet as an email attachment to potential victims' inboxes. The communications make fictitious financial transfer promises that aren't very persuasive or well-crafted, yet they can nonetheless be effective against a considerable percentage of recipients. 

A DocuSign bait is included in the spreadsheet files, urging the target to "allow content" in order to launch the malicious VBS macro in the background. The malicious script will download a variety of payloads, including DLLs and executables, when it runs. To avoid detection by the security software, some of the downloaded files are base64 encoded or have their bytes reversed. 

One of the samples Duncan collected, for example, has its bytes reversed in the original file. The full payload is eventually assembled on the machine under the name "qwveqwveqw.exe," which is most likely random, and a new registry entry for persistence is created. A clear and persistent sign of the infection is the EXE file generating traffic to a command and control server at 193.106.191[.]162; this continues even after the system reboots, because the infection process restarts on the affected machine.

One thing to keep in mind is that META uses PowerShell to tell Windows Defender to exclude .exe files in order to protect its files from discovery.
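One way to detect the Defender exclusion described above in PowerShell command logs, as an added example that is not part of Duncan's analysis. It assumes the exclusion is made with the Add-MpPreference or Set-MpPreference cmdlets (the post does not name the command); the log lines, the extension list and the function names are constructed for illustration.

```python
import re

# Assumed list: extensions whose exclusion from scanning would hide executable payloads.
EXECUTABLE_EXTS = {"exe", "dll", "scr", "ps1", "vbs", "bat", "cmd"}

# Constructed sample command lines, as they might appear in PowerShell
# script-block logging or process-creation logs.
SAMPLE_LOG = [
    'powershell -w hidden Add-MpPreference -ExclusionExtension ".exe"',
    "Set-MpPreference -exclusionext exe,dll -Force",
    'Add-MpPreference -ExclusionExtension ".log", ".tmp"',
    "Get-MpPreference | Select-Object ExclusionExtension",
    'Add-MpPreference -ExclusionPath "C:\\Build\\cache"',
]

# The cmdlet and everything up to the next pipeline or statement separator.
CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b(?P<args>[^|;]*)", re.I)
# A parameter name and its value, which runs until the next " -Name" token.
PARAM = re.compile(r"(?:^|\s)-(?P<name>[A-Za-z]+)(?P<value>(?:(?!\s-[A-Za-z]).)*)")

FULL_NAME = "exclusionextension"
# PowerShell accepts unambiguous parameter prefixes; "ExclusionE" is the shortest
# prefix that cannot also mean ExclusionPath or ExclusionProcess.
MIN_PREFIX = len("exclusione")


def excluded_extensions(command):
    """Return the extensions a command line adds to Defender's exclusion list."""
    exts = []
    for cmd in CMDLET.finditer(command):
        for p in PARAM.finditer(cmd.group("args")):
            name = p.group("name").lower()
            if len(name) < MIN_PREFIX or not FULL_NAME.startswith(name):
                continue
            for raw in p.group("value").split(","):
                # Drop quotes, array syntax, a leading "*." or "." and case.
                ext = raw.strip().strip("'\"@()").lstrip("*.").lower()
                if ext:
                    exts.append(ext)
    return exts


def triage(lines):
    """Return (line_number, severity, extensions) for lines adding extension exclusions."""
    alerts = []
    for n, line in enumerate(lines, 1):
        exts = sorted(set(excluded_extensions(line)))
        if not exts:
            continue
        risky = [e for e in exts if e in EXECUTABLE_EXTS]
        alerts.append((n, "high" if risky else "review", risky or exts))
    return alerts


if __name__ == "__main__":
    for n, severity, exts in triage(SAMPLE_LOG):
        print(f"line {n}: {severity} {exts}")
```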

Info Stealing BlackGuard Malware is Advertised for Sale on Russian Hacking Forums

 

A sophisticated information stealer dubbed BlackGuard is gaining the attention of the cybercrime community. The malware is advertised for sale on multiple Russian hacking forums with a lifetime price of $700 or a subscription of $200 per month. 

This low price and ease of access may permit a thrifty threat actor to loot hundreds of cryptocurrency wallets, bank accounts, and much more with little to no work, researchers at Zscaler who spotted and analyzed the malware explained.

The malware was first spotted on Russian-language hack forums in January 2022, but at that time it was distributed privately and was at the testing stage. As with all modern information-stealers, BlackGuard exfiltrates information from almost any application that processes sensitive user data, with a focus on crypto assets. In an infected system, BlackGuard looks for the following applications to steal user data from them:
  • Web browsers: Passwords, cookies, autofill, and history from Chrome, Opera, Firefox, MapleStudio, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, uCozMedia, Coowon, liebao, QIP Surf, Orbitum, Comodo. 
  • Wallet browser extensions: Binance, coin98, Phantom, Mobox, XinPay, Math10, Metamask, BitApp, Guildwallet, iconx, Sollet, Slope Wallet, Starcoin, Swash, Finnie, KEPLR, Crocobit, OXYGEN, Nifty, Liquality, Auvitas wallet, Math wallet, MTV wallet, Rabet wallet, Ronin wallet, Yoroi wallet, ZilPay wallet, Exodus, Terra Station, Jaxx 
  • Cryptocurrency wallets: AtomicWallet, BitcoinCore, DashCore, Electrum, Ethereum, Exodus, LitecoinCore, Monero, Jaxx, Zcash, Solar, Zap, AtomicDEX, Binance, Frame, TokenPocket, Wassabi 
  • Email: Outlook
  • Messengers: Telegram, Signal, Tox, Element, Pidgin, Discord

The gathered information is bundled in a ZIP file, also known as logs, and is sent to the attackers’ C&C server via a POST request, along with a system profile report that assigns a unique identifier to the victim’s equipment.

BlackGuard’s evasion capabilities are still under development, but some mechanisms are already in place to avoid detection and analysis. First, the malware is packed with a crypter, and the code is obfuscated using base64. Finally, once it lands on a vulnerable workstation, it inspects the operating system’s processes and tries to block any actions linked to antivirus software or sandboxing.

How to avoid the installation of malware? 

To mitigate the risks, you must avoid visiting shady websites and downloading files from untrustworthy or dubious sources. Furthermore, use two-factor authentication, keep your OS and applications updated, and use strong and unique passwords for all your online accounts. If you believe that your computer is already compromised, researchers recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.