{"id":13704,"date":"2023-03-09T18:51:43","date_gmt":"2023-03-09T18:51:43","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=13704"},"modified":"2023-03-09T18:53:30","modified_gmt":"2023-03-09T18:53:30","slug":"imbetter-information-stealer","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/imbetter-information-stealer\/","title":{"rendered":"ImBetter: New Information Stealer Spotted Targeting Cryptocurrency Users"},"content":{"rendered":"

<\/p>\n

Today, phishing sites are commonplace. But unfortunately, this seemingly old, deceptive tactic, which everyone seemed to have figured out long ago, still brings enormous profits to scammers today. The problem is that while Internet users are becoming more cautious, cyber scammers are developing more sophisticated ways to trick them. One such method is ImBetter malware. The authors of such malware use sophisticated techniques when creating their phishing websites to make them appear legitimate and appealing to users<\/strong>.<\/p>\n

What is ImBetter malware?<\/h2>\n

ImBetter Stealer is the name of malware<\/a> whose mission, as its name suggests, is to steal information. Not so long ago, researchers came across some phishing websites that targeted Windows users. These websites imitate popular crypto wallets and online file converters. However, instead of its purported function, they trick users<\/strong> into downloading the “ImBetter Stealer” malware. This malware targets sensitive data such as cryptocurrency wallets, browser credentials, and session cookies. In addition, it can take screenshots of the system and send them to the C&C server.<\/p>\n

ImBetter Malware Spreading<\/h2>\n

Researchers discovered that the main channel for spreading ImBetter are malicious sites masquerading as well-known legit<\/a> cryptocurrency sites, such as MetaMask, etc., and online file format converters. Nevertheless, experts do not rule out that ImBetter also uses other distribution methods, such as phishing and social engineering<\/a>. In some cases, this malware is getting bundled with pirated software or is supplied instead of it<\/strong>. In turn, sites that distribute pirated programs are promoted via spam mailings, search engine poisoning<\/a>, malicious browser pop-ups, etc.<\/p>\n

\"Fake
Fake Metamask page that spreads ImBetter malware<\/figcaption><\/figure>\n

However, the infection process only begins when a visitor interacts with the website by clicking on a specific content<\/strong>. The ImBetter Stealer malware binary is a 32-bit GUI-based executable file. Immediately after starting the execution, the malware obtains language and region data for the system. If the malware detects Russian, Moldova, Belarusian, Bashkir, Tatar, Kazakh, or Yakut region\/languages<\/strong> after checking the LCID code of the infected system, it would stop further execution. This clearly hints at the virus’s origin and indicates that the attackers are Russian-speaking.<\/p>\n

ImBetter Data Stealing<\/h2>\n

Suppose the system victim does not belong to any of the above regions. In that case, ImBetter takes a screenshot of the infected system\u2019s desktop and saves it to the C:\\Users\\Public<\/strong> folder with the image name “Scr-urtydcfgads.png<\/strong>“. The malware will then send this screenshot to attackers on the C&C server<\/a>. ImBetter then creates a socket connection to the C&C IP address, after which it can obtain the hardware ID, CPU, GPU, and system memory size<\/strong>, as well as screen and name information from the infected system. Each type of system information is saved separately as a string of key-value pairs in memory and then encoded in Base64 format and sent to the C&C server.<\/p>\n

Following system information, the malware checks for the presence of Chromium-based web browsers<\/a> installed in the system. ImBetter is interested in the following web browsers:<\/p>\n

\n
\n