A sophisticated and stealthy information-stealing malware called Bandit Stealer has recently emerged, posing a significant threat to web browsers and cryptocurrency wallets. Trend Micro, a leading cybersecurity company, highlighted the malware’s capability to potentially expand to other platforms due to its development using the Go programming language.
Currently, Bandit Stealer primarily targets Windows systems, abusing the legitimate command-line tool runas.exe to execute programs with elevated privileges and bypass security controls. Running with those privileges lets the malware collect large amounts of data without being detected.
Despite Microsoft's access control mitigations against unauthorized execution, the malware attempts to run as an administrator by obtaining the necessary credentials. The runas.exe command lets a user run a program under a different account, including an administrative one, so that critical applications and system-level tasks can be carried out in a controlled context.
To evade detection, Bandit Stealer incorporates sandbox and virtual environment checks, terminating specific processes blacklisted by the malware. It establishes persistence by modifying the Windows Registry before engaging in data collection activities, including harvesting personal and financial information stored in web browsers and cryptocurrency wallets.
Distribution of Bandit Stealer occurs through phishing emails containing a dropper file. This file opens a seemingly harmless Microsoft Word attachment as a distraction while the malware silently infects the system. Trend Micro also identified a fake installer of Heart Sender, a service used for sending spam emails and SMS messages, as a method to trick users into launching the embedded malware.
In a separate discovery, Trend Micro uncovered a Rust-based information-stealing malware targeting Windows systems. This malware uses an attacker-controlled GitHub Codespaces webhook to exfiltrate web browser credentials, credit card details, cryptocurrency wallets, and Steam and Discord tokens. Unusually, the malware achieves persistence by injecting JavaScript code into the installed Discord client to capture information.
These findings coincide with the emergence of various strains of commodity stealer malware, including Luca, StrelaStealer, DarkCloud, Whitesnake, and Invicta Stealer. Some of these malware variants propagate through spam emails and counterfeit versions of popular software. Additionally, cybercriminals have employed compromised YouTube channels with millions of subscribers to advertise cracked software.
The stolen data obtained by information-stealing malware serves various malicious purposes, such as identity theft, financial gain, data breaches, credential stuffing attacks, and account takeovers. In some cases, the stolen information is sold to other threat actors, enabling subsequent targeted campaigns, ransomware attacks, or extortion attempts.
These developments underscore the evolving nature of information-stealing malware, particularly as the malware-as-a-service (MaaS) market makes these tools more accessible to aspiring cybercriminals. SecureWorks Counter Threat Unit (CTU) data reveals a thriving info stealer market, with a 670% increase in stolen logs on underground forums like Russian Market between June 2021 and May 2023.
Law enforcement actions have prompted threat actors to shift their operations to platforms like Telegram, causing fluctuations in the MaaS ecosystem. The underground economy surrounding info stealers has enabled even low-skilled threat actors to participate, posing challenges for law enforcement efforts to combat cybercrime effectively.
Don Smith, Vice President of SecureWorks CTU, acknowledged the impact of global law enforcement actions but emphasized the adaptability of cybercriminals in reshaping their methods of operation.