A sophisticated information stealer dubbed BlackGuard is gaining the attention of the cybercrime community. The malware is advertised for sale on multiple Russian hacking forums with a lifetime price of $700 or a subscription of $200 per month.
This low value and ease of access may permit a thrifty menace actor to loot hundreds of cryptocurrency wallets, financial institution accounts, and much with little to no work, researchers at Zscaler who spotted and analyzed the malware explained.
The malware was first spotted on Russian-language hack forums in January 2022, but then it was distributed privately and was at the testing stage. As with all modern information-stealers, BlackGuard exfiltrates information from almost any application that processes sensitive user data, with a focus on crypto assets. In an infected system, BlackGuard looks for the following applications to steal user data from them:
- Web browsers: Passwords, cookies, autofill, and history from Chrome, Opera, Firefox, MapleStudio, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, uCozMedia, Coowon, liebao, QIP Surf, Orbitum, Comodo.
- Wallet browser extensions: Binance, coin98, Phantom, Mobox, XinPay, Math10, Metamask, BitApp, Guildwallet, iconx, Sollet, Slope Wallet, Starcoin, Swash, Finnie, KEPLR, Crocobit, OXYGEN, Nifty, Liquality, Auvitas wallet, Math wallet, MTV wallet, Rabet wallet, Ronin wallet, Yoroi wallet, ZilPay wallet, Exodus, Terra Station, Jaxx
- Cryptocurrency wallets: AtomicWallet, BitcoinCore, DashCore, Electrum, Ethereum, Exodus, LitecoinCore, Monero, Jaxx, Zcash, Solar, Zap, AtomicDEX, Binance, Frame, TokenPocket, Wassabi
- Email: Outlook
- Messengers: Telegram, Signal, Tox, Element, Pidgin, Discord
The gathered information is bundled in a ZIP file, also known as logs, and is sent to the attackers’ C&C server via a POST request, along with a system profile report that assigns a unique identifier to the victim’s equipment.
In terms of bypassing BlackGuard’s capabilities are still under development, but some systems are already in place to avoid detection and analysis. First, the malware is packed with a crypter, and the code is obfuscated using base64. Finally, it will inspect the operating system’s processes and try to block any actions linked to antivirus software or sandboxing once it landed on a vulnerable workstation.
How to avoid the installation of malware?
To mitigate the risks, you must avoid visiting shady websites and downloading files from untrustworthy or dubious sources. Furthermore, use two-factor authentication, keep your OS and applications updated, and use strong and unique passwords for all your online accounts. If you believe that your computer is already compromised, researchers recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.