CyberSecurity SEE

Bandit Malware Targets Browsers to Steal Financial Data

Bandit Stealer, a new malware discovered by cybersecurity firm Trend Micro, has become a cause for concern among internet users, especially those using cryptocurrency wallets and web browsers. The malware is designed to avoid detection and effectively steal personal and financial information.

The malware primarily targets Windows operating systems and uses the legitimate command-line tool ‘runas[.]exe’ to execute programs under a different user's permissions. It is designed to elevate privileges, gain administrative access, and bypass security measures in order to collect extensive user data.

One of the malware's most striking features is its ability to evade antivirus software. It uses sandbox-detection checks to adapt its behavior and avoid detection or analysis, looking for specific indicators that the host is an analysis environment. These indicators include the strings container, jail, KVM, QEMU, sandbox, Virtual Machine, VirtualBox, VMware, and Xen.

Bandit Stealer is written in the Go programming language, which gives it cross-platform compatibility and lets it extend its reach to other platforms. The malware includes a Linux-specific command that refers to the “/proc/self/status” file path, which suggests it is intended to infect Linux machines as well and is likely still being tested: accessing that path on a Windows system would simply result in an error.

To bypass detection, the malware downloads the content of a Pastebin link, ‘hxxps[:]//pastebin[.]com/raw/3fS0MSjN’, and saves it in the AppData folder as a file named “blacklist.txt.” The file lists hardware IDs, IP addresses, MAC addresses, usernames, hostnames, and process names; its main purpose is to tell the malware whether it is running inside a sandbox or being analyzed.
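The behaviours described above (runas.exe launching a program under another account, the Pastebin fetch, and blacklist.txt being written under AppData) are observable from a defender's side. The following is an added example, not Trend Micro's or the article's code: a small hunting script that applies those article-derived indicators to endpoint telemetry. The event lines are constructed for the example in a simplified, Sysmon-like key="value" format, and the field names, file paths and rule names are assumptions rather than a real log schema.

```python
"""Hunt for Bandit Stealer-style activity in endpoint telemetry.

Added example (not Trend Micro's or the article's code). The events below are
constructed in a simplified, Sysmon-like key="value" format; the field names
are assumptions, not a real log schema.
"""
import re
from dataclasses import dataclass

# Indicators taken from the article: the Pastebin raw paste the malware
# downloads, the blacklist.txt it writes under AppData, the runas.exe
# launcher and the Word-attachment delivery chain.
PASTEBIN_RAW = re.compile(r"pastebin\.com/raw/3fS0MSjN", re.I)
BLACKLIST_FILE = re.compile(r"\\AppData\\.*\\blacklist\.txt$", re.I)
RUNAS_IMAGE = re.compile(r"(^|\\)runas\.exe$", re.I)
OFFICE_IMAGE = re.compile(r"(^|\\)winword\.exe$", re.I)


@dataclass
class Finding:
    event_no: int   # 1-based index of the event that fired the rule
    rule: str       # short rule name
    detail: str     # the field value that matched


def parse_event(line: str) -> dict:
    """Turn 'Key="value" Key2="value2"' into a dict (constructed format)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def check_event(event_no: int, ev: dict) -> list:
    """Apply the article-derived rules to one parsed event."""
    findings = []
    etype = ev.get("EventType", "")
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    cmdline = ev.get("CommandLine", "")

    # 1. runas.exe invoked with /user: to run a program as another account.
    if etype == "ProcessCreate" and RUNAS_IMAGE.search(image) and "/user:" in cmdline.lower():
        findings.append(Finding(event_no, "runas_user_switch", cmdline))

    # 2. Word spawning an executable: the phishing attachment starting the chain.
    if etype == "ProcessCreate" and OFFICE_IMAGE.search(parent) and not OFFICE_IMAGE.search(image):
        findings.append(Finding(event_no, "office_spawned_process", image))

    # 3. Any field referencing the Pastebin paste that holds the blacklist.
    for value in ev.values():
        if PASTEBIN_RAW.search(value):
            findings.append(Finding(event_no, "pastebin_blacklist_fetch", value))
            break

    # 4. blacklist.txt written under a user's AppData folder.
    if etype == "FileCreate" and BLACKLIST_FILE.search(ev.get("TargetFilename", "")):
        findings.append(Finding(event_no, "blacklist_txt_in_appdata", ev["TargetFilename"]))

    return findings


def hunt(lines: list) -> list:
    """Parse every line and collect findings in event order."""
    findings = []
    for n, line in enumerate(lines, start=1):
        findings.extend(check_event(n, parse_event(line)))
    return findings


def triage(findings: list) -> str:
    """Rate the host: several distinct rules firing points at the full chain."""
    distinct = {f.rule for f in findings}
    if len(distinct) >= 3:
        return "high"
    return "medium" if distinct else "none"


# Constructed sample telemetry for one host (paths and names are made up).
SAMPLE_EVENTS = [
    r'EventType="ProcessCreate" Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ParentImage="C:\Windows\explorer.exe" CommandLine="WINWORD.EXE /n invoice.docx"',
    r'EventType="ProcessCreate" Image="C:\Users\alice\AppData\Local\Temp\update.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="update.exe"',
    r'EventType="ProcessCreate" Image="C:\Windows\System32\runas.exe" ParentImage="C:\Users\alice\AppData\Local\Temp\update.exe" CommandLine="runas.exe /user:Administrator C:\Users\alice\AppData\Local\Temp\update.exe"',
    r'EventType="NetworkConnect" Image="C:\Users\alice\AppData\Local\Temp\update.exe" DestinationHostname="pastebin.com" Url="https://pastebin.com/raw/3fS0MSjN"',
    r'EventType="FileCreate" Image="C:\Users\alice\AppData\Local\Temp\update.exe" TargetFilename="C:\Users\alice\AppData\Roaming\blacklist.txt"',
    r'EventType="FileCreate" Image="C:\Windows\explorer.exe" TargetFilename="C:\Users\alice\Documents\notes.txt"',
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"event {f.event_no}: {f.rule} -> {f.detail}")
    print("triage:", triage(results))
```

Each rule on its own is noisy (runas.exe has legitimate administrative uses, and Office spawning a child process is not unique to this family), which is why the triage step rates a host by how many distinct stages of the chain fired rather than by any single hit; the Pastebin paste and the AppData blacklist.txt are the most specific of the four and deserve the highest weight if this is turned into a production rule.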

The malware spreads through phishing emails, disguised as a harmless MS Word attachment that distracts the user while the infection proceeds in the background. When the current user lacks sufficient privileges to execute the program, the malware relies on Microsoft's access control mechanism to run as an administrator using supplied credentials.

The malware modifies the Windows Registry to persist, then collects personal and financial data from cryptocurrency wallets and web browsers. It also steals Telegram sessions, giving attackers unauthorized access that enables impersonation and malicious actions such as reading private messages and data.

The malware scans a wide range of web browsers and cryptocurrency wallets. The browsers include 7Star, YandexBrowser, Brave-Browser, Amigo, Torch, Google Chrome Canary, Google Chrome, Cent Browser, Sputnik, Iridium, Orbitum, UCozMedia, Epic Privacy Browser, Microsoft Edge, and Kometa. The wallets scanned include Clover Wallet, Jaxx Liberty, Wombat, TronLink, Trust Wallet, Crypto.com, and BitKeep: Crypto & NFT Wallet. The data stolen from the victim's browser includes login data, cookies, web history, and credit card details.

Researchers have also found a fake installer for Heart Sender, a tool that automates spam SMS and email sending, which tricks users into launching embedded malware. The information stolen by Bandit Stealer and similar stealers lets attackers engage in identity theft, data breaches, account hijacking, and credential stuffing for financial gain, sell the data to other cybercriminals, and conduct follow-on attacks such as double extortion and ransomware.

Malware attacks on internet users have become a serious worldwide concern. Users are strongly advised to keep their antivirus software up to date and to avoid downloading suspicious attachments or files from unknown sources. It is also essential to use two-factor authentication for accounts holding sensitive financial information and to avoid public Wi-Fi for financial transactions. Finally, staying aware of the latest trends and techniques used by cybercriminals helps users secure their digital lives effectively.
