New credential-stealing malware named Zaraza bot is being offered for sale on Telegram, while also using the popular messaging service as its command-and-control (C2) channel.
“Zaraza bot targets a large number of web browsers and is actively distributed on the Russian Telegram hacker channel which is popular with threat actors,” cybersecurity firm Uptycs said in a report published last week.
“Once the malware infects the victim’s computer, it retrieves sensitive data and sends it to Telegram’s servers where attackers can access it immediately.”
A 64-bit binary file compiled using C#, Zaraza bot is designed to target as many as 38 different web browsers, including Google Chrome, Microsoft Edge, Opera, AVG Browser, Brave, Vivaldi, and Yandex. It is also equipped to capture screenshots of the active window.
This is the latest example of malware capable of capturing login credentials for online bank accounts, cryptocurrency wallets, email accounts, and other websites the operators deem valuable.
Stolen credentials pose a serious risk as they can not only allow threat actors to gain unauthorized access to victims’ accounts, but also commit identity theft and financial fraud.
Evidence gathered by Uptycs points to the Zaraza bot being offered as a commercial tool for other cybercriminals to subscribe to. It is currently unclear how the malware is propagated, but information stealers have typically relied on methods such as malvertising and social engineering in the past.
The findings come as eSentire's Threat Response Unit (TRU) disclosed a GuLoader (aka CloudEyE) campaign targeting the financial sector via phishing emails that use tax-themed lures to deliver information stealers and remote access trojans (RATs) such as Remcos RAT.
This development also follows a surge in malvertising and search engine poisoning techniques used to distribute a growing number of malware families by enticing users looking for legitimate applications into downloading bogus installers that carry stealer payloads.
Russian cybersecurity company Kaspersky, in a new analysis, disclosed the use of trojanized cracked software downloaded from BitTorrent or OneDrive to spread CueMiner, a .NET-based downloader that acts as a conduit for installing a cryptocurrency miner known as SilentCryptoMiner.
To reduce the risk posed by stealer malware, we recommend that users enable two-factor authentication (2FA) and apply software and operating system updates when they become available.