Coowon browser virus
5/4/2023

Security researchers for the major telecommunications company AT&T have discovered a new variant of BlackGuard, a new info stealer that is gaining popularity with threat actors using underground hacking forums. This new variant is actively being distributed in the wild and boasts several new features, including targeting crypto wallets and related cryptocurrency extensions.

The malware was initially discovered by researchers at Zscaler, who noted a spike in activity around a previously unknown malware strain after Raccoon Stealer suspended operations, citing the Ukraine war and the death of one of its developers. Zscaler discovered BlackGuard in March 2022, but according to Bleeping Computer, BlackGuard was first mentioned on Russian-speaking underground hacking forums in January 2022.

Zscaler researchers noted that BlackGuard is currently being sold as malware-as-a-service with a lifetime price of 700 USD and a monthly fee of 200 USD. Even upon the malware's discovery, there was a heavy emphasis on targeting crypto assets and software. The malware can steal all types of information related to crypto wallets, VPNs, messengers, FTP credentials, saved browser credentials, and email clients.

According to Zscaler, the malware will look to steal information from the following software packages and applications:

- Web browsers: Passwords, cookies, autofill, and history from Chrome, Opera, Firefox, MapleStudio, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, uCozMedia, Coowon, liebao, QIP Surf, Orbitum, Comodo, Amigo, Torch, Comodo, 360Browser, Maxthon3, K-Melon, Sputnik, Nichrome, CocCoc, Uran, Chromodo, Edge, BraveSoftware.
- Wallet browser extensions: Binance, coin98, Phantom, Mobox, XinPay, Math10, Metamask, BitApp, Guildwallet, iconx, Sollet, Slope Wallet, Starcoin, Swash, Finnie, KEPLR, Crocobit, OXYGEN, Nifty, Liquality, Auvitas wallet, Math wallet, MTV wallet, Rabet wallet, Ronin wallet, Yoroi wallet, ZilPay wallet, Exodus, Terra Station, Jaxx.
- Cryptocurrency wallets: AtomicWallet, BitcoinCore, DashCore, Electrum, Ethereum, Exodus, LitecoinCore, Monero, Jaxx, Zcash, Solar, Zap, AtomicDEX, Binance, Frame, TokenPocket, Wassabi.
- Messengers: Telegram, Signal, Tox, Element, Pidgin, Discord.
- Other applications: NordVPN, OpenVPN, ProtonVpn, Totalcommander, Filezilla, WinSCP, Steam.

At the time of discovery, researchers found that evasion and anti-detection features were still under development. Still, several such features had made it into the malware being sold at the time. These included the ability to detect antivirus software and sandboxes running on the infected machine, then attempt to kill their processes and terminate their operation.

The malware also checks the victim's IP address. If it is running on a system in Russia or any other Commonwealth of Independent States (CIS) country, namely those countries determined to be within Russia's sphere of influence, it will stop and exit. This provides a major indicator as to the origin of the malware. Lastly, the malware is packed with a crypter, and all its strings are base64 obfuscated. This means that antivirus tools relying on static detection will miss it.

New BlackGuard Features

According to the new research published by AT&T, BlackGuard is not only capable of stealing information related to crypto wallets stored on the infected machine but can now also steal cryptocurrency addresses copied to the clipboard and replace them with wallet addresses under the attacker's control. Any cryptocurrencies traded or sent to the hijacked addresses will never reach their intended wallet but that of the attackers. This is done by tracking any content copied to the clipboard and matching it against the set of wallet types stored in the malware, using regular expressions embedded in the malware that denote which wallet type a given address format belongs to.

The newer variant is also capable of propagating through removable devices. Researchers noted, "Although this feature was limited since Windows 7 to be used only for CDROM, the malware copies itself to each available drive with an "autorun.inf" file that points to the malware to execute it automatically. This includes removable and shared devices. For example, if a USB device is connected to an old version of Windows, the malware will be executed automatically and infect the machine."

Further, the new variant can act like a malware dropper through process injection, with researchers stating, "The new variant of BlackGuard downloads and executes additional malware from its command & control. The newly downloaded malware is injected and executed using the "Process Hollowing" method."
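The clipboard-hijacking feature described above works by classifying clipboard text with per-wallet regular expressions and swapping in an attacker address of the same type. The same classification can be turned around for detection: if the clipboard holds one address of a given type and, a moment later, holds a different address of the same type without the user copying anything else, something on the host rewrote it. The following Python sketch is an added example; it is not code from this article, from the AT&T report, or from BlackGuard itself. The regular expressions are simplified, illustrative patterns (assumption: real validation would also check checksums), the `ClipboardSnapshot` feed is constructed inline (assumption: a real deployment would feed snapshots from an OS clipboard hook), and the address strings are constructed for testing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Simplified address formats (assumption: illustrative only, not an
# authoritative set; real validators also verify address checksums).
WALLET_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the wallet type whose pattern matches the clipboard text, or None."""
    candidate = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(candidate):
            return name
    return None


@dataclass(frozen=True)
class ClipboardSnapshot:
    t: float        # seconds since monitoring started
    content: str    # clipboard text observed at that moment


@dataclass(frozen=True)
class SwapAlert:
    t: float
    wallet: str
    original: str
    replacement: str


def detect_swaps(snapshots: List[ClipboardSnapshot], window_s: float = 2.0) -> List[SwapAlert]:
    """Flag a clipboard change where an address of type X is replaced by a
    different address of the same type X within window_s seconds.

    A user who deliberately copies two addresses of the same type in quick
    succession will also trigger this, so treat it as a heuristic signal."""
    alerts: List[SwapAlert] = []
    prev: Optional[ClipboardSnapshot] = None
    for snap in snapshots:
        if prev is not None:
            before, after = classify(prev.content), classify(snap.content)
            if (before is not None and before == after
                    and prev.content.strip() != snap.content.strip()
                    and snap.t - prev.t <= window_s):
                alerts.append(SwapAlert(snap.t, after, prev.content.strip(), snap.content.strip()))
        prev = snap
    return alerts


# Constructed clipboard timeline (assumption: all values are made up for the example).
SAMPLE_SNAPSHOTS = [
    ClipboardSnapshot(0.0, "1DemoAddrConstructedForTestingXYZAB"),   # user copies a BTC address
    ClipboardSnapshot(0.3, "1AttackerAddrConstructedForTesting"),    # silently replaced 300 ms later
    ClipboardSnapshot(10.0, "0x" + "ab" * 20),                        # user copies an ETH address
    ClipboardSnapshot(10.2, "meeting notes"),                         # ordinary text, no alert
    ClipboardSnapshot(20.0, "0x" + "cd" * 20),                        # previous entry was plain text
    ClipboardSnapshot(25.0, "0x" + "ef" * 20),                        # same type, but 5 s apart
]


def run_sample() -> List[SwapAlert]:
    return detect_swaps(SAMPLE_SNAPSHOTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"t={alert.t:.1f}s {alert.wallet} address swapped: "
              f"{alert.original} -> {alert.replacement}")
```

On the constructed timeline only the first pair fires: a BTC address replaced by a different BTC address within the two-second window. The ETH entries do not, because one is separated by ordinary text and the other by five seconds. Tuning `window_s` trades false positives from legitimate back-to-back copies against missed slow rewrites; a process-level clipboard owner check, where the OS exposes one, is the natural second signal.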