A new credential-stealing botnet, dubbed Zaraza bot, is being promoted on a popular Russian Telegram channel. It is capable of stealing sensitive information, including credentials from 38 popular web browsers. Moreover, it abuses Telegram to bypass security systems.

What does Zaraza bot steal?

The Uptycs research team has disclosed that Zaraza bot scans the infected machine for 38 different browsers, including Microsoft Edge, Google Chrome, Brave, Opera, Yandex, Vivaldi, and AVG Browser.
  • It exfiltrates credentials for email accounts, cryptocurrency wallets, bank accounts, and other financial websites.
  • It targets specific databases and files within each browser to steal credentials. If the credentials are stored in an encrypted format, Zaraza decrypts them before exfiltrating them.

Attack tactics

Zaraza bot is a lightweight malware consisting of a single 64-bit binary. Some of its code and logs are written in Russian.
  • Although researchers were not able to trace the exact propagation method, they believe it leverages social engineering or malvertising for distribution.
  • Upon infection, it scans the system to exfiltrate sensitive data and saves it in a text file. Additionally, it takes screenshots of the active window and saves them in a JPG file.
  • The exfiltrated data is sent back to the attacker-controlled Telegram server.

Some evidence indicates that Zaraza bot is being offered as malware-as-a-service (MaaS) on the dark web, and multiple cybercriminals are using it on a subscription basis.
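The tactics above describe a two-step sequence a defender can correlate: a process reads browser credential stores, then shortly afterwards connects to Telegram to exfiltrate. The detection sketch below is an added example, not code from the Uptycs or Cyware write-up; the event format, the browser profile paths, the process names and the Telegram API host are assumptions, and the telemetry is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: events are dicts with ts/proc/type plus path or host; Chromium-based
# browsers keep saved logins in a "Login Data" SQLite file under these vendor
# directories; the Telegram Bot API is reached via api.telegram.org.
BROWSER_DIRS = ("Google\\Chrome", "Microsoft\\Edge", "BraveSoftware",
                "Opera Software", "Yandex", "Vivaldi", "AVG")
CREDENTIAL_STORES = ("Login Data", "Web Data", "Cookies")
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
                 "browser.exe", "vivaldi.exe", "avgbrowser.exe"}
TELEGRAM_HOSTS = {"api.telegram.org"}
WINDOW = timedelta(minutes=10)

def is_credential_read(ev):
    """True if a non-browser process reads a browser credential store."""
    path = ev.get("path", "")
    return (ev["type"] == "file_read" and ev["proc"].lower() not in BROWSER_PROCS
            and any(d in path for d in BROWSER_DIRS)
            and any(path.endswith(s) for s in CREDENTIAL_STORES))

def is_telegram_egress(ev):
    return ev["type"] == "net_connect" and ev.get("host") in TELEGRAM_HOSTS

def find_suspects(events):
    """Processes that read a credential store and, within WINDOW, contacted
    the Telegram API: the collection-then-exfiltration sequence described."""
    reads, suspects = defaultdict(list), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_credential_read(ev):
            reads[ev["proc"]].append(ev["ts"])
        elif is_telegram_egress(ev) and any(
                ev["ts"] - t <= WINDOW for t in reads[ev["proc"]]):
            suspects.add(ev["proc"])
    return suspects

T0 = datetime(2023, 4, 17, 9, 0, 0)
CHROME = "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
SAMPLE_EVENTS = [  # constructed telemetry, not from the article
    {"ts": T0, "proc": "chrome.exe", "type": "file_read", "path": CHROME + "Login Data"},
    {"ts": T0 + timedelta(seconds=1), "proc": "updater.exe", "type": "file_read",
     "path": CHROME + "Login Data"},
    {"ts": T0 + timedelta(seconds=5), "proc": "updater.exe", "type": "net_connect",
     "host": "api.telegram.org"},
    {"ts": T0 + timedelta(seconds=6), "proc": "chrome.exe", "type": "net_connect",
     "host": "api.telegram.org"},
]
```

The browser itself reading its own store and a browser reaching Telegram are both left alone; only the non-browser process that does both within the window is flagged.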

Concluding notes

Zaraza bot showcases all the typical characteristics of a credential stealer, including stealing bank account details and crypto wallets and using Telegram to stay below the radar. In the past few months, a few other malware families such as S1deload Stealer and WASP were observed using similar tactics, with the same objectives. As a precaution, users should be wary of links received over social media and of downloading anything from unknown sources.
Cyware Publisher