AT&T Alien Labs researchers have found a brand new variant of BlackGuard stealer within the wild, infecting utilizing spear phishing assaults. The malware developed since its earlier variant and now arrives with new capabilities.
Key takeaways:
- BlackGuard steals person delicate data from a variety of functions and browsers.
- The malware can hijack crypto wallets copied to clipboard.
- The brand new variant is making an attempt to propagate by detachable media and shared units.
Background
BlackGuard stealer is malware as a service bought in underground boards and Telegram since 2021, when a Russian person posted details about a brand new malware referred to as BlackGuard. It was supplied for $700 lifetime or $200 month-to-month, claiming it could gather data from a variety of functions and browsers.
In November 2022, an replace for BlackGuard was introduced in Telegram by its developer. Together with the brand new options, the malware writer suggests free assist with putting in the command & management panel (Determine 1)
Determine 1. Announcement of latest malware model in its Telegram channel.
Evaluation
When executed, BlackGuard first checks if one other occasion is operating by making a Mutex.
Then to make sure it’ll survive a system reboot, the malware provides itself to the “Run” registry key. The malware additionally checks if it is operating in debugger mode by checking TickCount and checking if the present person belongs to a particular record to find out whether or not it’s operating in a malware sandbox surroundings. (Determine 2)
Determine 2. Malware will keep away from execution if operating beneath particular person names.
Now all is prepared for stealing the person’s delicate knowledge. It collects all stolen data in a folder the place every bit of information is saved in a particular folder, equivalent to Browsers, Information, Telegram, and many others. (Determine 3)
Determine 3. BlackGuard important folder with stolen knowledge divided into folders.
When it finishes gathering delicate knowledge, the malware will zip the primary folder utilizing the password “xNET3301LIVE” and ship it to its command & management. (Determine 4)
Determine 4. Zipping exfiltrated knowledge with password and importing to command & management.
Browser stealth
Together with gathering cookies, historical past and downloads of various browsers, BlackGuard additionally seems to be for the existence of particular recordsdata and folders of various browsers. (This contains “Login Information”, AutoFill, Historical past and Downloads. (Determine 5)
Determine 5. Gathering browser data.
Beneath is the record of browsers BlackGuard is on the lookout for:
|
Chromium |
Chrome |
ChromePlus |
|
Iridium |
7Star |
CentBrowser |
|
Chedot |
Vivaldi |
Kometa |
|
Components Browser |
Epic Privateness Browser |
uCozMedia |
|
Sleipnir5 |
Citrio |
Coowon |
|
liebao |
QIP Surf |
Orbitum |
|
Comodo Dragon |
Amigo |
Torch |
|
Comodo |
360Browser |
Maxthon3 |
|
Ok-Melon |
Sputnik |
Nichrome |
|
CocCoc |
Uran |
Chromodo |
|
Opera |
Courageous-Browser |
Edge |
|
Edge Beta |
OperaGX |
CryptoTab browser |
As well as, the malware steals Chrome, Edge, and Edge Beta browsers’ crypto foreign money addons knowledge. It helps the addons listed under by on the lookout for their hardcoded set up folder path in “MicrosoftEdgeUser DataDefaultLocal Extension Settings”. For instance, the particular folder for “Terra Stations” is “ajkhoeiiokighlmdnlakpjfoobnjinie”. BlackGuard seems to be for Edge/EdgeBeta addons listed under:
|
Auvitas |
Math |
Metamask |
|
MTV |
Rabet |
Ronin |
|
Yoroi |
Zilpay |
Exodus |
|
Terra Station |
Jaxx |
|
For Chrome it seems to be for these addons:
|
Binance |
Bitapp |
Coin98 |
|
Equal |
Guild |
Iconex |
|
Math |
Mobox |
Phantom |
|
Tron |
XinPay |
Ton |
|
Metamask |
Sollet |
Slope |
|
Starcoin |
Swash |
Finnie |
|
Keplr |
Crocobit |
Oxygen |
|
Nifty |
Keplr |
Forbole X |
|
Slope Pockets |
Nabox Pockets |
ONTO Pockets |
|
Goby |
FINX |
Ale |
|
Sender Pockets |
Leap Pockets |
Infinity Pockets |
|
Zecrey |
Maiar Pockets |
Flint Pockets |
|
Liquality |
|
|
Cryptocurrency
The malware additionally steals cryptocurrency wallets. It copies the pockets listing for every of the next crypto wallets under and sends them to its command & management.
|
Zcash |
Armory |
Jaxx Liberty |
|
Exodus |
Ethereum |
Electrum |
|
Atomic |
Guarda |
Zap |
|
Binance |
Atomic |
Body |
|
Photo voltaic pockets |
Token Pocket |
Infinity |
It can additionally question the registry for the set up path of “Sprint” and “Litecoin” keys and do the identical.
Messaging and gaming functions:
BlackGuard helps the stealing of a variety of messaging functions. For among the functions equivalent to Telegram, Discord and Pidgin, the malware has a particular handler for every. For instance, for Discord, it copies all knowledge for the next folders within the Utility Information folder which saved the Discord tokens: “DiscordLocal Storageleveldb”, “Discord PTBLocal Storageleveldb”, “Discord Canaryleveldb”. As well as, it copies all strings in recordsdata with the extension of “.txt” and “.ldb” in the event that they match Discord’s token common expression. (Determine 6)
Determine 6. Stealing Discord’s tokens and knowledge.
Beneath is the record of messaging functions the malware trying to steal delicate data from:
|
Discord |
Telegram |
Tox |
|
Aspect |
Miranda NG |
Sign |
|
Adamant-IM |
Wire |
|
|
Vipole |
Proxifier |
Steam |
|
Pdgin |
Battlet internet |
|
Outlook, FTP, VPN, and different functions
BlackGuard steals login knowledge and different delicate data from further communication applications. For e-mail functions, the malware queries particular Outlook registry keys beneath the CURRENT_USER hive to extract person, password and server data. (Determine 7)
Determine 7. Exfiltration of Outlook saved data.
The malware additionally handles totally different FTP and VPN functions to extract saved customers and passwords. For instance, for NordVPN, the malware will search the applying’s folder and if discovered, it parses all person.config recordsdata to extract the customers and passwords. (Determine 8)
Determine 8. Exfiltrating NordVPN data.
Along with Outlook and NordVPN, BlackGuard additionally steals data from WinSCP, FileZilla, OpenVPN, ProtonVPN and Whole Commander.
Different knowledge collected
Moreover, the malware additionally collects data from the machine equivalent to anti-virus software program put in on the machine, exterior IP deal with, localization, file system data, OS and extra.
New BlackGuard options
Crypto pockets hijacking
Along with stealing crypto wallets saved/put in on the contaminated machine, BlackGuard is hijacking cryptocurrency addresses copied to clipboard (equivalent to CTRL+C) and changing them with the risk actor’s deal with. This could trigger a sufferer to ship crypto property to the attacker with out noticing it when making an attempt to switch/pay to different wallets. That is accomplished by monitoring any content material copied to the clipboard and matching it to relative totally different crypto wallets’ regex. (Determine 9)
Determine 9. Particular regex to go looking in clipboard for listed cash.
As soon as there’s a match, the malware will question its command and management for the choice pockets and exchange it within the clipboard as an alternative of the one which was copied by the person. The malware helps stealing the favored crypto property under:
|
BTC (Bitcoin) |
ETH (Ethereum) |
XMR (Monero) |
|
XLM (Stellar) |
XRP (Ripple) |
LTC (Litecoin) |
|
NEC (Nectar) |
BCH (Bitcoin Money) |
DASH |
Propagate by shared / detachable units
Though this function was restricted since Home windows 7 for use just for CDROM, the malware copies itself to every accessible drive with an “autorun.inf” file that factors to the malware to execute it robotically. This contains detachable and shared units. For instance, if a USB system is related to an outdated model of Home windows, the malware shall be executed robotically and infect the machine. (Determine 10)
Determine 10. Propagate to all accessible drives.
Obtain and execute further malware with course of injection
The brand new variant of BlackGuard downloads and executes further malware from its command & management. The newly downloaded malware is injected and executed utilizing the “Course of Hollowing” technique. With that the malware shall be operating beneath authentic/whitelisted processes and may make extra detection harder. (Determine 11)
Determine 11. Obtain and execute further malware utilizing course of injection.
The focused course of is RuntimeDirectory folder, RegASM.exe (C:WindowsMicrosoft.NETFramework64runtime_versionRegAsm.exe)
Large malware duplication
The malware copies itself to each folder in C: drive recursively, every folder the malware generates a random identify to be copied to. This function just isn’t widespread for malware, and that is largely annoying, because the malware good points no benefit from that.
Persistence
The malware added persistence to outlive system reboot by including itself beneath the “Run” registry key. (Determine 12)
Determine 12. Setting registry persistence.
Paperwork – stealth exercise
The malware searches and sends to its command and management all paperwork finish with extensions “.txt”, “.config”, “.docx”, “.doc”, “.rdp” within the person folders (together with sub directories): “Desktop”, “My Paperwork”, UserProfile folder.
Detection strategies
The next related detection strategies are in use by Alien Labs. They can be utilized by readers to tune or deploy detections in their very own environments or for aiding further analysis.
|
SURICATA IDS SIGNATURES |
|
2035716: ET TROJAN BlackGuard_v2 Information Exfiltration Noticed |
|
2035398: ET TROJAN MSIL/BlackGuard Stealer Exfil Exercise |
Related indicators (IOCs)
The next technical indicators are related to the reported intelligence. A listing of indicators can be accessible within the OTX Pulse. Please word, the heart beat could embody different actions associated however out of the scope of the report.
|
TYPE |
INDICATOR |
DESCRIPTION |
|
IP ADDRESS |
http://23[.]83.114.131 |
Malware command & management |
|
SHA256 |
88e9780ce5cac572013aebdd99d154fa0b61db12faffeff6f29f9d2800c915b3 |
Malware hash |
Mapped to MITRE ATT&CK
The findings of this report are mapped to the next MITRE ATT&CK Matrix strategies:
- TA0001: Preliminary Entry
- T1091: Replication Via Detachable Media
- TA0002: Execution
- T1106: Native API
- T1047: Home windows Administration Instrumentation
- TA0003: Persistence
- T1547.001: Registry Run Keys / Startup Folder
- TA0005: Protection Evasion
- T1027: Obfuscated Information or Info
- TA0006: Credential Entry
- T1003: OS Credential Dumping
- T1539: Steal Net Session Cookie
- T1528: Steal Utility Entry Token
- T1552: Unsecured Credentials
- .001: Credentials In Information
- .002: Credentials In Information
- TA0007: Discovery
- T1010: Utility Window Discovery
- T1622: Debugger Evasion
- T1083: File and Listing Discovery
- T1057: Course of Discovery
- T1012: Question Registry
- T1082: System Info Discovery
- T1497: Virtualization/Sandbox Evasion
- TA0008: Lateral Motion
- T1091: Replication Via Detachable Media
- TA0009: Assortment
- T1115: Clipboard Information
- T1213: Information from Info Repositories
- T1005: Information from Native System
- TA0011: Command and Management
- T1071: Utility Layer Protocol
- T1105: Ingress Software Switch
- TA0010: Exfiltration
- T1020: Automated Exfiltration