Newly Discovered ThirdEye Windows-Based Malware Steals Sensitive Data

June 29, 2023 | Ravie Lakshmanan | Cyber Threats / Hacking

A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with the ability to harvest sensitive data from infected hosts.

Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable masquerading as a PDF file under a Russian-language name that translates to “CMK Rules for removing sickleaf.pdf.exe.”

The delivery vector for the malware is currently unknown, although the lure-style file name suggests it is being used in phishing campaigns. The very first ThirdEye sample was uploaded to VirusTotal on April 4, 2023, with relatively few features.

The evolving stealer, like other malware families of its kind, is equipped to collect system metadata, including BIOS release date and vendor, total/free disk space on the C drive, running processes, registered usernames, and volume information. The collected details are then sent to a command-and-control (C2) server.


A notable trait of this malware is that it uses the string “3rd_eye” to identify itself to the C2 server.
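As an added illustration (not code from the article or from Fortinet's research), the Python helper below flags two of the observable traits described above in a set of constructed proxy-log lines: a file name that uses a document extension in front of an executable one (the “.pdf.exe” masquerade) and a beacon carrying the “3rd_eye” marker. The log format, URLs and field values are assumptions made for the example.

```python
from dataclasses import dataclass

# Extensions Windows will execute even when a document-like name precedes them (assumed subset).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
# Marker string the article says ThirdEye sends to its C2 server to announce itself.
THIRDEYE_MARKER = "3rd_eye"


def is_masquerading_executable(filename: str) -> bool:
    """True for names like 'report.pdf.exe': a document extension followed by an executable one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


@dataclass
class Alert:
    line_no: int
    reason: str
    evidence: str


def scan_log(text: str) -> list[Alert]:
    """Scan proxy-log lines of the hypothetical form '<time> <method> <url> <body>'."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split(maxsplit=3)
        if len(fields) < 4:
            continue  # malformed line; skip rather than guess
        _, _, url, body = fields
        # Beacon check: the identifying string may sit in the URL or in the POST body.
        if THIRDEYE_MARKER in url or THIRDEYE_MARKER in body:
            alerts.append(Alert(n, "thirdeye_marker", THIRDEYE_MARKER))
        # Masquerade check: the last path segment of the URL carries a double extension.
        name = url.split("?", 1)[0].rsplit("/", 1)[-1]
        if is_masquerading_executable(name):
            alerts.append(Alert(n, "double_extension", name))
    return alerts


# Constructed sample traffic for illustration only; hosts are documentation ranges, not real IoCs.
SAMPLE_LOG = """\
2023-06-29T10:00:01 GET http://example.test/index.html -
2023-06-29T10:00:05 POST http://203.0.113.10/up.php id=3rd_eye&bios=2019-05-01&user=alice
2023-06-29T10:00:09 GET http://example.test/CMK%20rules.pdf.exe -
2023-06-29T10:00:12 POST http://example.test/api data=hello
"""

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.reason} ({a.evidence})")
```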

There are no signs yet that ThirdEye has been used in actual attacks. That said, given that most of the stealer's artifacts uploaded to VirusTotal originate from Russia, it's likely that the malicious activity is directed at Russian-speaking organizations.

“While this malware is not considered sophisticated, it is designed to steal a wide range of information from compromised machines that can be used as a springboard for future attacks,” Fortinet researchers said, adding that the collected data is “valuable for understanding and narrowing down potential targets.”

The development comes as a trojanized installer for the popular Super Mario Bros video game franchise, hosted on sketchy torrent sites, was found being used to deploy an open-source cryptocurrency miner and stealer written in C# called Umbral, which exfiltrates data of interest using Discord webhooks.

“The combination of mining and stealing causes financial loss, a substantial reduction in victim system performance, and depletion of valuable system resources,” Cyble said.

Figure: SeroXen infection chain

Video game users are also being targeted by Python-based ransomware and a remote access trojan dubbed SeroXen, which was found to use a commercial batch file obfuscation engine known as ScrubCrypt (aka BatCloak) to evade detection. Evidence suggests that the actors behind SeroXen also contributed to the creation of ScrubCrypt.


The malware, advertised for sale on a clearnet website that was registered on March 27, 2023, before shutting down at the end of May, is further promoted on Discord, TikTok, Twitter and YouTube. A cracked version of SeroXen has since found its way onto criminal forums.

“Individuals are strongly advised to exercise skepticism when encountering linked and packaged software related to terms such as ‘cheat’, ‘hack’, ‘crack’ and other related software used to gain a competitive advantage,” Trend Micro noted in a new analysis of SeroXen.

“The addition of SeroXen and BatCloak to the bad actor’s malware arsenal highlights the evolution of the FUD obfuscator with a low barrier to entry. The almost amateurish approach of using social media for aggressive promotion, given how easily it can be tracked, makes these developers seem like rookies by threat actor standards,” it continued.
