{"id":13912,"date":"2023-03-24T08:57:40","date_gmt":"2023-03-24T08:57:40","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=13912"},"modified":"2023-04-12T03:36:32","modified_gmt":"2023-04-12T03:36:32","slug":"blackguard-update-cryptowallets","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/blackguard-update-cryptowallets\/","title":{"rendered":"BlackGuard Receives Update, Targets More Cryptowallets"},"content":{"rendered":"<p>BlackGuard, a prolific infostealer malware, received an update at the turn of 2023. The update introduced advanced data-stealing capabilities and secure connectivity features. The new version also includes <strong>a number of new anti-detection and anti-analysis capabilities<\/strong>. Let\u2019s take a more detailed look at this malware and see what changed, from all angles.<\/p>\n<h2>BlackGuard Stealer \u2013 What is it?<\/h2>\n<p>BlackGuard is <strong>a classic infostealer malware, written in C#<\/strong>. It aims at grabbing personal data from web browsers, particularly data related to cryptocurrency wallets. It first appeared in 2021, being promoted <a href=\"https:\/\/gridinsoft.com\/darknet\">both on Darknet forums<\/a> and in a dedicated Telegram community. A <strong>lifetime subscription for this malware costs $700<\/strong>, while a monthly subscription is available for $200. Its promotion campaign saw a major boost in 2022, when <a href=\"https:\/\/gridinsoft.com\/spyware\/raccoon-stealer\">its competitor Raccoon<\/a> went on hiatus.<\/p>\n<p>From its beginning, BlackGuard was <a href=\"https:\/\/howtofix.guide\/blackguard-stealer-malware\/\" target=\"_blank\" rel=\"noopener nofollow\">aimed precisely at stealing crypto credentials<\/a>, and this remained its focus in further updates. The November 2022 patch brought <strong>overall improvements to the way the malware gathers cryptocurrency-related data<\/strong>, but also introduced the ability to load other malware, i.e. 
<a href=\"https:\/\/gridinsoft.com\/dropper\">act as a dropper<\/a>. Patch notes published in the Telegram community describe a pack of other changes, mostly related to C2 connectivity.<\/p>\n<figure id=\"attachment_13919\" aria-describedby=\"caption-attachment-13919\" style=\"width: 1240px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/03\/blackguard-tg-ad.webp\" alt=\"BlackGuard Telegram\" width=\"1240\" height=\"1001\" class=\"size-full wp-image-13919\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/03\/blackguard-tg-ad.webp 1240w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/03\/blackguard-tg-ad-300x242.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/03\/blackguard-tg-ad-1024x827.webp 1024w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/03\/blackguard-tg-ad-768x620.webp 768w\" sizes=\"auto, (max-width: 1240px) 100vw, 1240px\" \/><figcaption id=\"caption-attachment-13919\" class=\"wp-caption-text\">Telegram post that promotes the updated BlackGuard version<\/figcaption><\/figure>\n<h2>Anti-analysis tactics<\/h2>\n<p>The first notable thing about BlackGuard is its anti-analysis measures. BlackGuard typically arrives on a target device in encrypted form. The encryption is done by a tool embedded <a href=\"https:\/\/gridinsoft.com\/command-and-control\">into the admin panel<\/a> of the malware. Additionally, its code is obfuscated in a rather specific manner: <strong>base64-encoded strings are decoded only at runtime<\/strong>. Even before decoding, the strings are stored as byte arrays \u2013 completely unreadable ones. 
Such a practice appears to be fairly effective against anti-malware programs that try to analyze the strings.<\/p>\n<p>The malware also checks the computer name, <strong>seeking a match with a hardcoded list embedded in its code<\/strong>. These are the names typically given to virtual machines or live systems used in malware analysis. If a match is found, BlackGuard ceases any further execution. Debugging also gets its own treatment \u2013 the malware can block any input if it detects the activity of a debugging tool. As is typical for malware developed in Russia and ex-USSR countries, <strong>this stealer refuses to run in ex-USSR countries<\/strong>.<\/p>\n<figure id=\"attachment_13920\" aria-describedby=\"caption-attachment-13920\" style=\"width: 617px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/03\/antianalysis.png\" alt=\"Antianalysis BlackGuard\" width=\"617\" height=\"600\" class=\"size-full wp-image-13920\" title=\"\"><figcaption id=\"caption-attachment-13920\" class=\"wp-caption-text\">List of usernames which are not acceptable for BlackGuard<\/figcaption><\/figure>\n<h2>Data stealing<\/h2>\n<p>Once all the checks are passed, the malware starts its main course \u2013 credential stealing. As I mentioned above, BlackGuard\u2019s primary target is login information stored in web browsers, along with data related to cryptocurrency wallets, both browser extensions and desktop applications. It <strong>searches the AppData\/Local folder<\/strong> for directories that belong to web browsers and applications. All gathered data is placed in the folder the malware was launched from (usually <em><strong>Users\/Temp<\/strong><\/em>). Before sending it to the command server, the malware packs the data into a password-protected .zip archive. 
The archive password is hardcoded in the malware.<\/p>\n<figure id=\"attachment_13924\" aria-describedby=\"caption-attachment-13924\" style=\"width: 1400px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/03\/data-blackguard.webp\" alt=\"BlackGuard stolen data\" width=\"1100\" height=\"1199\" class=\"size-full wp-image-13924\" title=\"\"><figcaption id=\"caption-attachment-13924\" class=\"wp-caption-text\">Folders with collected data<\/figcaption><\/figure>\n<h3>List of web browsers attacked by BlackGuard<\/h3>\n<table style=\"font-size:12px\">\n<tr>\n<td>Chrome<\/td>\n<td>Opera<\/td>\n<td>Firefox<\/td>\n<td>Edge<\/td>\n<td>Iridium<\/td>\n<td>7Star<\/td>\n<\/tr>\n<tr>\n<td>CentBrowser<\/td>\n<td>Chedot<\/td>\n<td>Vivaldi<\/td>\n<td>Kometa<\/td>\n<td>Elements Browser<\/td>\n<td>Epic Privacy Browser<\/td>\n<\/tr>\n<tr>\n<td>Sputnik<\/td>\n<td>Nichrome<\/td>\n<td>K-Meleon<\/td>\n<td>Uran<\/td>\n<td>liebao<\/td>\n<td>CocCoc<\/td>\n<\/tr>\n<tr>\n<td>MapleStudio<\/td>\n<td>BraveSoftware<\/td>\n<td>Chromodo<\/td>\n<td>uCozMedia<\/td>\n<td>QIPSurf<\/td>\n<td>Orbitum<\/td>\n<\/tr>\n<tr>\n<td>Comodo<\/td>\n<td>Coowon<\/td>\n<td>Amigo<\/td>\n<td>Torch<\/td>\n<td>Comodo<\/td>\n<td>360Browser<\/td>\n<\/tr>\n<\/table>\n<h4>Crypto wallets attacked by BlackGuard<\/h4>\n<h5>Desktop applications<\/h5>\n<table style=\"font-size:12px\">\n<tr>\n<td>AtomicWallet<\/td>\n<td>AtomicDEX<\/td>\n<td>Exodus<\/td>\n<td>LitecoinCore<\/td>\n<td>Monero<\/td>\n<td>Jaxx<\/td>\n<\/tr>\n<tr>\n<td>Zcash<\/td>\n<td>BitcoinCore<\/td>\n<td>DashCore<\/td>\n<td>Electrum<\/td>\n<td>Ethereum<\/td>\n<td>Solar<\/td>\n<\/tr>\n<tr>\n<td>Wassabi<\/td>\n<td>TokenPocket<\/td>\n<td>Frame<\/td>\n<td>Zap<\/td>\n<td>Binance<\/td>\n<td>Coinbase<\/td>\n<\/tr>\n<\/table>\n<h5>Browser extensions<\/h5>\n<table 
style=\"font-size:12px\">\n<tr>\n<td>Binance<\/td>\n<td>KEPLR<\/td>\n<td>coin98<\/td>\n<td>Mobox<\/td>\n<td>Metamask<\/td>\n<td>Phantom<\/td>\n<\/tr>\n<tr>\n<td>BitApp<\/td>\n<td>Starcoin<\/td>\n<td>Slope Wallet<\/td>\n<td>Finnie<\/td>\n<td>Guildwallet<\/td>\n<td>iconx<\/td>\n<\/tr>\n<tr>\n<td>Swash<\/td>\n<td>Crocobit<\/td>\n<td>XinPay<\/td>\n<td>Sollet<\/td>\n<td>Auvitas wallet<\/td>\n<td>Math wallet<\/td>\n<\/tr>\n<tr>\n<td>Yoroi wallet<\/td>\n<td>Ronin wallet<\/td>\n<td>MTV wallet<\/td>\n<td>Rabet wallet<\/td>\n<td>ZilPay wallet<\/td>\n<td>Terra Station<\/td>\n<\/tr>\n<tr>\n<td>Nifty<\/td>\n<td>Jaxx<\/td>\n<td>Liquality<\/td>\n<td>Math10<\/td>\n<td>Exodus<\/td>\n<td>OXYGEN<\/td>\n<\/tr>\n<\/table>\n<h4>Other applications<\/h4>\n<p>Additionally, BlackGuard is capable of collecting credentials <strong>from a number of VPN clients and FTP\/SFTP utilities<\/strong>, desktop messenger apps, and Microsoft Outlook. In particular, it grabs credentials from the configuration files of <strong>NordVPN, OpenVPN and ProtonVPN<\/strong>. Steam and Discord are handled in a similar manner, while <strong>Tox, Signal, Pidgin, Telegram and Element<\/strong> have all their conversations collected.<\/p>\n<h2>How to protect yourself?<\/h2>\n<p>There is <strong>only one consistent spreading method used by the threat actors<\/strong> who operate BlackGuard \u2013 email spam. The latter, however, will likely <a href=\"https:\/\/gridinsoft.com\/blogs\/phishing\/\">take the form of spear phishing<\/a> that resembles genuine mailings, or even messages the victim is waiting for. Most of the time, crooks <a href=\"https:\/\/gridinsoft.com\/osint\">gather information using OSINT<\/a> about their victims for some time before sending messages.<\/p>\n<p>The message itself contains an attached file, <a href=\"https:\/\/gridinsoft.com\/blogs\/microsoft-email-scam\/\">commonly an MS Office document<\/a>. However, any file that can carry executable content may be used. 
Office files gained popularity because the <a href=\"https:\/\/gridinsoft.com\/macro-attack\">VBS macro scripts<\/a> they can carry are ignored by the vast majority of anti-malware software. Launching the file makes the script run: it contacts the command server, downloads the payload, and runs it. This absurdly simple scheme <strong>was disrupted by the introduction of Mark-of-the-Web<\/strong>. Using the latter, Microsoft marks potentially risky files, drawing additional attention from anti-malware programs. Still, that feature is present only in the latest Windows versions, and, as usually happens, users are in no hurry to install them.<\/p>\n<p>Another piece of advice to follow is to <strong>use anti-malware programs<\/strong>. Hackers do their best to make you trust the spam email or the online banner. For that reason, it is better to exclude the human factor by using an automated solution that will not be fooled. But to be sure that something as sneaky as BlackGuard will not slip through, it is important for the security tool to have multi-layer protection. <strong>GridinSoft Anti-Malware can offer this to you<\/strong> \u2013 the program features \u201cclassic\u201d database-backed scanning, as well as <a href=\"https:\/\/gridinsoft.com\/blogs\/reasons-gridinsoft-anti-malware\/\">a heuristic engine and an AI-based detection system<\/a>. All of them together create a reliable shield even against the most modern \u2013 and potent \u2013 threats.<\/p>\n<p style=\"padding-top:15px;padding-bottom:15px;\"><a href=\"\/download\/antimalware\" rel=\"nofollow\"><img loading=\"lazy\" decoding=\"async\" src=\"\/blogs\/wp-content\/uploads\/2022\/07\/env01.webp\" alt=\"BlackGuard Receives Update, Targets More Cryptowallets\" width=\"798\" height=\"336\" class=\"aligncenter size-full\" title=\"\"><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>BlackGuard, a prolific infostealer malware, received an update at the turn of 2023. 
The update introduced advanced data-stealing capabilities and secure connectivity features. The new version also includes a number of new anti-detection and anti-analysis capabilities. Let\u2019s take a more detailed look at this malware and see what changed, from all angles. BlackGuard Stealer [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":13934,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15,17],"tags":[788,28,670],"class_list":{"0":"post-13912","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"category-labs","9":"tag-cybercrime","10":"tag-malware","11":"tag-threats"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/03\/GS_Blog_banner_BlackGuard-Receives-New-Functions-In-The-Update_1280x674.webp","author_info":{"display_name":"Stephanie 
Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/13912","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=13912"}],"version-history":[{"count":20,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/13912\/revisions"}],"predecessor-version":[{"id":14155,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/13912\/revisions\/14155"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/13934"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=13912"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=13912"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=13912"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}