New Stealthy Bandit Stealer Targets Web Browsers and Cryptocurrency Wallets

A new stealthy information-stealing malware called Bandit Stealer has caught the attention of cybersecurity researchers for its ability to target multiple web browsers and cryptocurrency wallets.

“It has the potential to expand to other platforms, as Bandit Stealer was developed using the Go programming language, enabling cross-platform compatibility,” Trend Micro said in a report published on Friday.

The malware currently focuses on Windows and uses a legitimate command-line tool called runas.exe, which allows a user to run a program as another user with different permissions.

Its purpose is to elevate privileges and execute itself with administrative access, thereby effectively bypassing security measures to harvest large amounts of data.

That said, Microsoft’s access control mitigations against unauthorized use of the tool mean that an attempt to run the malware binary as an administrator requires the necessary credentials to be supplied.

“Using the runas.exe command, users can run programs as an administrator or any other user account with the appropriate privileges, providing a more secure environment for running critical applications or performing system-level tasks,” Trend Micro said.

“This utility is particularly useful in situations where the current user account does not have sufficient privileges to execute certain commands or programs.”

Bandit Stealer incorporates checks to determine whether it is running in a sandbox or virtual environment, and it terminates a list of blocklisted processes to conceal its presence on the infected system.

It also establishes persistence through Windows Registry modifications before beginning its data collection, which includes harvesting personal and financial data stored in web browsers and cryptocurrency wallets.
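The two host behaviours the report attributes to Bandit Stealer, a program launched through runas.exe and a Registry Run-key write for persistence, are the kind of events a defender would hunt for in endpoint telemetry. The triage helper below is an added example, not code from the Trend Micro report; it scans constructed Sysmon-style log lines (the key=value layout, paths and SID are all made up) and flags those two patterns only when they point at a user-writable path.

```python
"""Added example (not from the Trend Micro report): scan constructed
Sysmon-style events for runas.exe launches and Run-key persistence
writes that reference user-writable directories."""
import re

# Constructed sample events in a simplified key=value layout (EventID 1 =
# process creation, EventID 13 = registry value set). Values are invented.
SAMPLE_LOG = """\
EventID=1 Image=C:\\Windows\\System32\\runas.exe CommandLine="runas.exe /user:Administrator C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe" ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe
EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt" ParentImage=C:\\Windows\\explorer.exe
EventID=13 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater Details="C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"
EventID=13 Image=C:\\Windows\\System32\\svchost.exe TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Services\\Foo\\Start Details=DWORD (0x00000002)
"""

# Run / RunOnce keys are the classic user-level autostart location.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories a non-admin user can write to; binaries started from here deserve a look.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def triage(log_text):
    """Return (rule_name, detail) findings for events matching either pattern."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        image = ev.get("Image", "").lower()
        if ev.get("EventID") == "1" and image.endswith("\\runas.exe"):
            cmd = ev.get("CommandLine", "")
            # runas.exe asked to run something from a user-writable path as another user
            if "/user:" in cmd.lower() and USER_WRITABLE_RE.search(cmd):
                findings.append(("runas_from_user_writable_path", cmd))
        elif ev.get("EventID") == "13" and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            # Run-key value whose data points at a user-writable path
            if USER_WRITABLE_RE.search(ev.get("Details", "")):
                findings.append(("run_key_persistence_to_user_writable_path", ev["TargetObject"]))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

Real Sysmon events carry more fields (hashes, user, integrity level) that would tighten both rules; the thresholds here are deliberately simple so the logic is easy to follow.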

Bandit Stealer is said to be distributed via phishing emails containing a dropper file that opens a seemingly harmless Microsoft Word attachment as a distraction while triggering the infection in the background.

Trend Micro said it also detected fake installers of Heart Sender, a service that automates the sending of spam email and SMS messages to multiple recipients, which are used to trick users into launching the embedded malware.

The development comes as the cybersecurity company discovered a Rust-based information stealer targeting Windows that leverages an attacker-controlled GitHub Codespaces webhook as an exfiltration channel to obtain victims’ web browser credentials, credit cards, cryptocurrency wallets, and Steam and Discord tokens.

The malware, in a relatively uncommon tactic, achieves persistence on the system by modifying the installed Discord client to inject JavaScript code designed to capture information from the application.

The findings also follow the emergence of several strains of commodity stealer malware such as Luca, StrelaStealer, DarkCloud, WhiteSnake and Invicta Stealer, some of which have been observed spreading via spam emails and fraudulent versions of popular software.

Another notable trend is the use of YouTube videos to advertise cracked software through compromised channels with millions of subscribers.

Data harvested by stealers can benefit operators in many ways, enabling identity theft, financial gain, data breaches, credential stuffing attacks and account takeovers.


Stolen information can also be sold to other actors, serving as the basis for follow-on attacks that range from targeted campaigns to ransomware or extortion.

The development highlights the continued evolution of stealer malware into a more lethal threat, just as the malware-as-a-service (MaaS) market makes it readily accessible and lowers the barrier to entry for would-be cybercriminals.

Indeed, data collected by the Secureworks Counter Threat Unit (CTU) has revealed a “thriving infostealer market”, with the volume of stolen logs on underground forums such as Russian Market registering a 670% jump between June 2021 and May 2023.

“Russian Market offers five million logs for sale, about ten times more than its nearest forum rival 2easy,” the company said.

“Russian Market is well established among Russian cybercriminals and is widely used by threat actors around the world. Russian Market recently added logs from three new stealers, indicating that the site is actively adapting to the ever-changing e-crime landscape.”

The MaaS ecosystem, despite its increasing sophistication, is also in a state of flux, with law enforcement actions prompting threat actors to peddle their wares on Telegram.

“What we’re seeing is an entire underground economy and supporting infrastructure built around the infostealer, making it not only possible but potentially profitable for low-skilled threat actors to engage,” Don Smith, vice president of Secureworks CTU, said.

“Coordinated global action by law enforcement is having some impact, but cybercriminals are adept at reshaping their routes to market.”
