A new information-stealing malware, called Bandit Stealer, has caught the attention of cybercriminals and security researchers owing to its capabilities. It can target several popular web browsers, browser extensions associated with cryptocurrency wallets, and cryptocurrency wallet applications while evading detection and analysis.
Stealer for a reason
According to Trend Micro, Bandit Stealer focuses its attacks on Windows users, though its Go-language codebase would allow a quick transition to other platforms as well.
- Bandit Stealer steals the details of Telegram sessions and leverages them to read private messages or steal other sensitive details from the compromised account.
- It steals login details, credit card details, web history, and cookies from popular web browsers including Google Chrome, Iridium, Amigo, and Microsoft Edge.
- It further scans for specific browser extensions associated with cryptocurrency wallets, such as Clover Wallet, Trust Wallet, TronLink, and BitKeep.
- Bandit Stealer can target a list of cryptocurrencies, including Bitcoin, Litecoin, Ethereum, Electrum, Dash, Exodus, and Atomic.
Before proceeding with its malicious activities, the malware checks whether it is running in a sandbox or virtualized environment. It looks for indicators of virtual machines in general as well as VirtualBox, VMware, container, KVM, QEMU, jail, and Xen environments.
Delivery methods
Bandit Stealer is delivered to the targeted user's machine, possibly via phishing emails or inadvertent downloads from malicious websites. It is installed and executed in three different ways:
- The dropper, a self-extracting archive, runs the file hot[.]exe. It performs anti-analysis checks and then opens a seemingly harmless Word document on the infected machine to deceive the user, while the malicious part proceeds as usual.
- Alternatively, another self-extracting archive executes the file RUNFIRST[.]exe. Once the malware has performed its anti-analysis checks, it opens the non-malicious executable openvpn-gui[.]exe as a decoy.
- Thirdly, when the self-extracting archive is executed, it displays a message about the installation of the genuine application Heartsender. This fake installer drops and executes the file Lowkey[.]exe, which is actually Bandit Stealer.
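The three delivery chains above share one observable pattern: a self-extracting archive spawns the stealer payload, and the payload in turn launches a benign decoy (a Word document or openvpn-gui.exe). The following script is an added example, not code from Trend Micro or from the malware, showing how a defender could flag that pattern in process-creation telemetry. The payload file names come from the article; the pipe-delimited log layout, the sample events, the 7zS-style temporary extraction folder and the assumption that the Word decoy is shown via WINWORD.EXE are constructed for this example.

```python
"""Flag process-creation events that match the Bandit Stealer delivery chains.

Constructed log format (one event per line):
    <timestamp>|<parent_image>|<image>|<command_line>
"""
from typing import Dict, List

# Payload names the article attributes to the three delivery chains.
STEALER_PAYLOADS = {"hot.exe", "runfirst.exe", "lowkey.exe"}

# Decoys launched after the anti-analysis checks pass. openvpn-gui.exe is
# named in the article; winword.exe is an assumption for the Word decoy.
EXPECTED_DECOYS = {"openvpn-gui.exe", "winword.exe"}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-delimited process-creation event into its fields."""
    ts, parent, image, cmd = line.rstrip("\n").split("|", 3)
    return {"ts": ts, "parent": _basename(parent), "image": _basename(image), "cmd": cmd}


def scan_process_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per event matching a known payload or decoy launch.

    Two rules are applied:
      1. A known payload name is executed (any parent).
      2. A known decoy is executed with a known payload as its parent, which
         is the deception step described for all three chains.
    A decoy launched by explorer.exe or any other parent is ignored, so
    ordinary use of OpenVPN or Word does not fire.
    """
    alerts: List[Dict[str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["image"] in STEALER_PAYLOADS:
            alerts.append({"ts": ev["ts"], "kind": "stealer_payload",
                           "detail": f'{ev["parent"]} -> {ev["image"]}'})
        elif ev["parent"] in STEALER_PAYLOADS and ev["image"] in EXPECTED_DECOYS:
            alerts.append({"ts": ev["ts"], "kind": "decoy_from_payload",
                           "detail": f'{ev["parent"]} -> {ev["image"]}'})
    return alerts


# Constructed sample telemetry: two infection chains, one benign OpenVPN start,
# and the Heartsender-themed installer. None of these paths are real IoCs.
SAMPLE_LOG = r"""
2023-05-30T10:01:02Z|C:\Users\alice\Downloads\invoice.exe|C:\Users\alice\AppData\Local\Temp\7zS1234\hot.exe|hot.exe
2023-05-30T10:01:03Z|C:\Users\alice\AppData\Local\Temp\7zS1234\hot.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\alice\AppData\Local\Temp\7zS1234\readme.docx"
2023-05-30T10:05:10Z|C:\Windows\explorer.exe|C:\Program Files\OpenVPN\bin\openvpn-gui.exe|openvpn-gui.exe
2023-05-30T10:07:41Z|C:\Users\alice\Downloads\setup.exe|C:\Users\alice\AppData\Local\Temp\7zS5678\RUNFIRST.exe|RUNFIRST.exe
2023-05-30T10:07:42Z|C:\Users\alice\AppData\Local\Temp\7zS5678\RUNFIRST.exe|C:\Users\alice\AppData\Local\Temp\7zS5678\openvpn-gui.exe|openvpn-gui.exe
2023-05-30T10:09:00Z|C:\Users\alice\Downloads\Heartsender_setup.exe|C:\Users\alice\AppData\Local\Temp\Lowkey.exe|Lowkey.exe
""".strip().splitlines()


def scan_sample() -> List[Dict[str, str]]:
    """Run the detector over the constructed sample log."""
    return scan_process_events(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in scan_sample():
        print(f'{alert["ts"]} {alert["kind"]:20} {alert["detail"]}')
```

The second rule is the one worth keeping even if the payload names change: a legitimate application being started by a freshly dropped executable from a temporary extraction folder is the behavioural signature of the "open a decoy while the real work continues" technique, and it does not depend on the attacker reusing hot.exe, RUNFIRST.exe or Lowkey.exe.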
Concluding words
Equipped with stealth and several other capabilities, Bandit Stealer turns out to be a full-fledged stealer for Windows OS. Moreover, the choice of the Go language indicates that its developers may be planning to enhance this malware further to target other OS platforms. To protect sensitive data from such info-stealers, experts recommend implementing strong security controls with multi-layered visibility into the security infrastructure.