.jpg)
Category:
Malware Intelligence
Type/Family:
Stealer Malware
Industry:
Multiple
Region:
Global
Executive Summary
- On 06 July 2023, CloudSEK’s threat researchers found a web panel of a relatively new Bandit Stealer malware.
- The malware is written in Go programming language.
- We found at least 14 instances of Bandit Stealer web panels which were recently active.
- The malware is being distributed through YouTube videos.
- The stealer collects data such as PC and user details, screenshots, geolocation and IP information, webcam images, and data from popular browsers, FTP applications, and digital wallets.
- The stealer targets more than 25 cryptocurrency wallets and 17 web browsers.
- The stolen data is then sent to a secure Telegram bot, packaged in a ZIP file for easy transfer.
Analysis and Attribution
CloudSEK’s contextual AI digital risk platform XVigil has discovered a post mentioning Bandit Stealer malware on a Russian-speaking underground forum where a threat actor vouched for it.
CloudSEK researchers recently discovered at least 14 IP addresses serving the Bandit Stealer web panel, most of which went down in a span of 24 hours. All of these IP addresses were running on port 8080.
Bandit Web Panel Analysis
Our source identified a few website endpoints that allowed access to the website’s internal system without entering the credentials due to a misconfiguration on the website.
Nothing particularly significant can be noted on the dashboard except a menu for options such as Builder and Results.
The Builder page shows the options for building a customized version of Bandit Stealer malware. And, in the stealer operation, threat actors utilize key elements to carry out their activities:
- Communication Channel: ChatID, Bot Token, and Server IP are utilized to establish a secure connection with Telegram. This connection enables the threat actors to receive exfiltrated data from infected users, such as compromised credentials and screenshots.
- Cryptocurrency Wallet Addresses: Various cryptocurrency wallet addresses are employed to transfer cryptocurrency amounts to the threat actor’s wallet.
- Loader URL: The Loader URL serves as a mechanism for distributing the malware. For instance, in malvertising campaigns, a hidden JavaScript code operates in the background and is responsible for dropping the executable malware file onto the victim's system. This URL is a crucial component in the initial infection process.
- FileName: The FileName refers to the name assigned to the executable malware file. This file contains the malicious code responsible for the intended actions, such as data theft and exfiltration.
One of the discovered endpoints was /builds that had all the Bandit Stealer builder that had been generated so far by this particular panel. Our source was able to acquire them for further analysis.
Next, another identified endpoint was /clients with multiple instances of likely exfiltrated data from multiple IP addresses in JSON. In the JSON, the file name consists of the target’s Country Code + Public IP address, followed by size and the exfiltration date and time. While our analysis confirms the data to be sent to the Telegram bot, but we assume the malware likely also keeps a copy of the exfiltrated data in its web panel.
Analysis of Stealer Logs
Our source was able to exfiltrate the stealer logs from their web panel for Analysis. One of the log files was from the test machine with lots of screenshots which they might have used for testing the malware. The screenshot shows the process of anti-reversing tools being killed using Command Prompt. The other screenshot shows the same process using PowerShell. As the malware has screen capture capabilities, it is assumed that the malware have captured these screenshots during the infection (likely on the test machine).
Another screenshot reveals the usages of a Telegram bot in the stealer malware as the C2 communication channel.
Malware Delivery Mechanism
The malware is being distributed through YouTube videos which is a commonly seen malware delivery mechanism among threat actors. In our previous report, we highlighted that since November 2022, there has been a 200-300% month-on-month increase in Youtube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions.
Technical Analysis
Bandit Stealer, a newly discovered form of information stealer malware, showcases advanced capabilities and evasive techniques. Written in the Go language, it employs various methods to circumvent detection by debugging tools and virtual machine environments, ensuring its covert operations remain undetected.
To avoid analysis and hinder reverse engineering efforts, Bandit Stealer employs clever tactics. It actively checks for the presence of debuggers using techniques like IsDebuggerPresent and CheckRemoteDebuggerPresent. Furthermore, it possesses the ability to detect sandbox environments, swiftly shutting itself down if such environments are detected, thereby eluding analysis attempts. The malware even terminates reverse engineering tools that could potentially interfere with its functionality.
Notably, Bandit Stealer has been observed spreading through YouTube videos to reach mass users.
In order to establish persistence on infected systems, the malware creates an autorun registry entry, named "Bandit Stealer." By doing so, it ensures that the malicious code runs each time the machine is booted up.
The stealer is designed to obtain valuable information from PCs and users. It discreetly collects data such as PC and user details, screenshots, geolocation and IP information, webcam images, and data from popular browsers, FTP applications, and digital wallets. The stolen data is then sent to a secure Telegram bot, packaged in a ZIP file for easy transfer.
The Stealer employs a curated blacklist obtained from an external URL, in some instances a Pastebin URL, and stores it in C:\Users\USERNAME\AppData\Roaming\blacklist.txt and the file gets deleted once the stealer finishes execution. This blacklist serves a crucial role in determining whether the Stealer is running within a sandbox/virtual environment or on an actual system. Additionally, it aids in identifying specific processes and reversing tools that the Stealer aims to terminate in order to thwart any potential analysis or reverse engineering attempts.
Blacklisted IP Addresses:
Blacklisted Mac Addresses:
The list of blacklisted HWIDs:
Blacklisted PC User and Names:
Reversing Tools Termination
According to our open-source research, it appears that the Bandit Stealer uses an identical replica of the "blacklist.txt" file from an open-source stealer malware project called EMPYREAN available on Github.
Information Stealing & C2 Server Communication
Bandit steals web browser data that includes the theft of saved login information, crucial cookies, browsing history and sensitive credit card details stored within the browser's user profile.
Here is an example of captured Firefox cookies by the Bandit Stealer.
The collected data is then packaged up into a ZIP file and then exfiltrated to the C2 server which points to the Telegram server (149.154.167.220).
Impact
- Exposed credentials can be used by threat actors to access the user’s personal information, internal networks and steal sensitive files and information.
- The stolen credentials can be sold on underground forums, thus making them available to the public, competitors, and other threat actors.
- The attacks and the exfiltration of sensitive information can lead to the victim's loss of data, revenue, and reputation.
Indicators of Compromise (IoCs)
References
- https://www.shodan.io/search?query=http.favicon.hash%3A552148505
- https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware
- Empyrean stealer malware: https://github.com/addi00000/empyrean/blob/28add58d1fa7f6523ab8b958e8e4ede764593612/src/components/antidebug.py#L19
Appendix
