Category: 

Malware Intelligence

Type/Family: 

Stealer Malware

Industry: 

Multiple

Region: 

Global

‍

Executive Summary

• On 06 July 2023, CloudSEK’s threat researchers found a web panel of a relatively new Bandit Stealer malware.
• The malware is written in Go programming language.
• We found at least 14 instances of Bandit Stealer web panels which were recently active.
• The malware is being distributed through YouTube videos.
• The stealer collects data such as PC and user details, screenshots, geolocation and IP information, webcam images, and data from popular browsers, FTP applications, and digital wallets. 
• The stealer targets more than 25 cryptocurrency wallets and 17 web browsers.
• The stolen data is then sent to a secure Telegram bot, packaged in a ZIP file for easy transfer. 

‍

Analysis and Attribution

CloudSEK’s contextual AI digital risk platform XVigil has discovered a post mentioning Bandit Stealer malware on a Russian-speaking underground forum where a threat actor vouched for it.

‍

CloudSEK researchers recently discovered at least 14 IP addresses serving the Bandit Stealer web panel, most of which went down in a span of 24 hours. All of these IP addresses were running on port 8080.

‍

‍

Bandit Web Panel Analysis

Our source identified a few website endpoints that allowed access to the website’s internal system without entering the credentials due to a misconfiguration on the website.

‍

Nothing particularly significant can be noted on the dashboard except a menu for options such as Builder and Results.

‍

The Builder page shows the options for building a customized version of Bandit Stealer malware. And, in the stealer operation, threat actors utilize key elements to carry out their activities:

• Communication Channel: ChatID, Bot Token, and Server IP are utilized to establish a secure connection with Telegram. This connection enables the threat actors to receive exfiltrated data from infected users, such as compromised credentials and screenshots.
• Cryptocurrency Wallet Addresses: Various cryptocurrency wallet addresses are employed to transfer cryptocurrency amounts to the threat actor’s wallet.
• Loader URL: The Loader URL serves as a mechanism for distributing the malware. For instance, in malvertising campaigns, a hidden JavaScript code operates in the background and is responsible for dropping the executable malware file onto the victim's system. This URL is a crucial component in the initial infection process.
• FileName: The FileName refers to the name assigned to the executable malware file. This file contains the malicious code responsible for the intended actions, such as data theft and exfiltration.

‍

One of the discovered endpoints was /builds that had all the Bandit Stealer builder that had been generated so far by this particular panel. Our source was able to acquire them for further analysis.

‍

Next, another identified endpoint was /clients with multiple instances of likely exfiltrated data from multiple IP addresses in JSON. In the JSON, the file name consists of the target’s Country Code + Public IP address, followed by size and the exfiltration date and time. While our analysis confirms the data to be sent to the Telegram bot, but we assume the malware likely also keeps a copy of the exfiltrated data in its web panel.

‍

Analysis of Stealer Logs

Our source was able to exfiltrate the stealer logs from their web panel for Analysis. One of the log files was from the test machine with lots of screenshots which they might have used for testing the malware. The screenshot shows the process of anti-reversing tools being killed using Command Prompt. The other screenshot shows the same process using PowerShell. As the malware has screen capture capabilities, it is assumed that the malware have captured these screenshots during the infection (likely on the test machine).

‍

‍

‍

Another screenshot reveals the usages of a Telegram bot in the stealer malware as the C2 communication channel. 

‍

‍

Malware Delivery Mechanism 

The malware is being distributed through YouTube videos which is a commonly seen malware delivery mechanism among threat actors. In our previous report, we highlighted that since November 2022, there has been a 200-300% month-on-month increase in Youtube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions. 

‍

‍

Technical Analysis 

Bandit Stealer, a newly discovered form of information stealer malware, showcases advanced capabilities and evasive techniques. Written in the Go language, it employs various methods to circumvent detection by debugging tools and virtual machine environments, ensuring its covert operations remain undetected.

‍

To avoid analysis and hinder reverse engineering efforts, Bandit Stealer employs clever tactics. It actively checks for the presence of debuggers using techniques like IsDebuggerPresent and CheckRemoteDebuggerPresent. Furthermore, it possesses the ability to detect sandbox environments, swiftly shutting itself down if such environments are detected, thereby eluding analysis attempts. The malware even terminates reverse engineering tools that could potentially interfere with its functionality.

‍

Notably, Bandit Stealer has been observed spreading through YouTube videos to reach mass users.

‍

In order to establish persistence on infected systems, the malware creates an autorun registry entry, named "Bandit Stealer." By doing so, it ensures that the malicious code runs each time the machine is booted up.

‍

‍

O ladrão foi projetado para obter informações valiosas de PCs e usuários. Ele coleta discretamente dados como detalhes do PC e do usuário, capturas de tela, informações de geolocalização e IP, imagens de webcam e dados de navegadores populares, aplicativos de FTP e carteiras digitais. Os dados roubados são então enviados para um bot seguro do Telegram, empacotados em um arquivo ZIP para facilitar a transferência.

‍

O Stealer emprega uma lista negra selecionada obtida de um URL externo, em alguns casos um URL Pastebin, e a armazena em C:\Users\USERNAME\AppData\Roaming\blacklist.txt e o arquivo é excluído quando o ladrão termina a execução. Essa lista negra tem um papel crucial para determinar se o Stealer está sendo executado em um ambiente sandbox/virtual ou em um sistema real. Além disso, ajuda na identificação de processos específicos e na reversão de ferramentas que o Stealer pretende encerrar para impedir qualquer análise potencial ou tentativa de engenharia reversa.

‍

Endereços IP na lista negra:

‍

Endereços Mac na lista negra:

‍

A lista de HWIDs na lista negra:

Usuários e nomes de PC na lista negra:

‍

Rescisão de ferramentas de reversão

De acordo com nossa pesquisa de código aberto, parece que o Bandit Stealer usa uma réplica idêntica do”blacklist.txt“arquivo de um projeto de malware ladrão de código aberto chamado EMPÍREO disponível em Github.

‍

‍

Roubo de informações e comunicação com servidores C2

O Bandit rouba dados do navegador da web que incluem o roubo de informações de login salvas, cookies cruciais, histórico de navegação e detalhes confidenciais de cartão de crédito armazenados no perfil de usuário do navegador.

Aqui está um exemplo de cookies do Firefox capturados pelo Bandit Stealer.

‍

‍

Os dados coletados são então empacotados em um arquivo ZIP e, em seguida, exfiltrados para o servidor C2, que aponta para o servidor Telegram (149,154,167,220).

‍

‍

‍

Impacto

• As credenciais expostas podem ser usadas por agentes de ameaças para acessar as informações pessoais e as redes internas do usuário e roubar arquivos e informações confidenciais.
• As credenciais roubadas podem ser vendidas em fóruns clandestinos, disponibilizando-as ao público, concorrentes e outros agentes de ameaças.
• Os ataques e a exfiltração de informações confidenciais podem levar à perda de dados, receita e reputação da vítima.
  ‍

Indicadores de compromisso (IOCs)

‍

Referências

• https://www.shodan.io/search?query=http.favicon.hash%3A552148505
• https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware 
• Malware Empyrean Stealer: https://github.com/addi00000/empyrean/blob/28add58d1fa7f6523ab8b958e8e4ede764593612/src/components/antidebug.py#L19 

Apêndice

‍

‍

‍