One Article Review

Home - The article:
Source AlienVault Lab Blog
Identifier 8320836
Publication date 2023-03-23 10:00:00 (viewed: 2023-03-23 10:06:34)
Title BlackGuard stealer extends its capabilities in new variant
Text AT&T Alien Labs researchers have discovered a new variant of BlackGuard stealer in the wild, spreading through spear phishing attacks. The malware has evolved since its previous variant and now arrives with new capabilities.

Key takeaways:
- BlackGuard steals sensitive user information from a wide range of applications and browsers.
- The malware can hijack crypto wallets copied to the clipboard.
- The new variant tries to propagate through removable media and shared devices.

Background
BlackGuard stealer is malware as a service sold in underground forums and on Telegram since 2021, when a Russian user posted information about a new malware called BlackGuard. It was offered for $700 lifetime or $200 monthly, claiming it can collect information from a wide range of applications and browsers. In November 2022, an update for BlackGuard was announced on Telegram by its developer. Along with the new features, the malware author offers free help with installing the command & control panel (Figure 1).

Figure 1. Announcement of new malware version in its Telegram channel.

Analysis
When executed, BlackGuard first checks whether another instance is running by creating a mutex. Then, to ensure it survives a system reboot, the malware adds itself to the “Run” registry key. The malware also checks whether it is running under a debugger by checking TickCount, and checks whether the current user name belongs to a specific list to determine whether it is running in a malware sandbox environment (Figure 2).

Figure 2. Malware will avoid execution if running under specific user names.

Now all is ready for stealing the user’s sensitive data. It collects all stolen information in a main folder, where each kind of data is stored in its own subfolder, such as Browsers, Files, Telegram, etc. (Figure 3).

Figure 3. BlackGuard main folder with stolen data divided into folders.

When it finishes collecting sensitive data, the malware zips the main folder using the password “xNET3301LIVE” and sends it to its command & control (Figure 4).

Figure 4. Zipping exfiltrated data with password and uploading to command & control.

Browser stealth
Along with collecting cookies, history and downloads from different browsers, BlackGuard also looks for the existence of special files and folders of different browsers. This includes “Login Data”, AutoFill, History and Downloads (Figure 5).

Figure 5. Collecting browser information.

Below is the list of browsers BlackGuard is looking for: Chromium
Sent Yes
Tags: Malware, Tool, Threat, General Information
Rating ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.