BlackGuard stealer extends its capabilities in new variant

AT&T Alien Labs researchers have found a brand new variant of BlackGuard stealer within the wild, infecting utilizing spear phishing assaults. The malware developed since its earlier variant and now arrives with new capabilities.

Key takeaways:

• BlackGuard steals consumer delicate data from a variety of purposes and browsers.
• The malware can hijack crypto wallets copied to clipboard.
• The brand new variant is attempting to propagate by way of detachable media and shared units.

Background

BlackGuard stealer is malware as a service bought in underground boards and Telegram since 2021, when a Russian consumer posted details about a brand new malware referred to as BlackGuard. It was provided for $700 lifetime or $200 month-to-month, claiming it may well accumulate data from a variety of purposes and browsers.

In November 2022, an replace for BlackGuard was introduced in Telegram by its developer. Together with the brand new options, the malware creator suggests free assist with putting in the command & management panel (Determine 1)

Determine 1. Announcement of recent malware model in its Telegram channel.

Evaluation

When executed, BlackGuard first checks if one other occasion is operating by making a Mutex.

Then to make sure it should survive a system reboot, the malware provides itself to the “Run” registry key. The malware additionally checks if it is operating in debugger mode by checking TickCount and checking if the present consumer belongs to a selected listing to find out whether or not it’s operating in a malware sandbox setting. (Determine 2)

Determine 2. Malware will keep away from execution if operating below particular consumer names.

Now all is prepared for stealing the consumer’s delicate information. It collects all stolen data in a folder the place every bit of knowledge is saved in a selected folder, equivalent to Browsers, Recordsdata, Telegram, and so forth. (Determine 3)

Determine 3. BlackGuard important folder with stolen information divided into folders.

When it finishes gathering delicate information, the malware will zip the principle folder utilizing the password “xNET3301LIVE” and ship it to its command & management. (Determine 4)

Determine 4. Zipping exfiltrated information with password and importing to command & management.

Browser stealth

Together with gathering cookies, historical past and downloads of various browsers, BlackGuard additionally seems to be for the existence of particular recordsdata and folders of various browsers. (This consists of “Login Information”, AutoFill, Historical past and Downloads. (Determine 5)

Determine 5. Gathering browser data.

Beneath is the listing of browsers BlackGuard is in search of:

As well as, the malware steals Chrome, Edge, and Edge Beta browsers’ crypto forex addons information. It helps the addons listed under by in search of their hardcoded set up folder path in “MicrosoftEdgeUser DataDefaultLocal Extension Settings”. For instance, the particular folder for “Terra Stations” is “ajkhoeiiokighlmdnlakpjfoobnjinie”. BlackGuard seems to be for Edge/EdgeBeta addons listed under:

For Chrome it seems to be for these addons:

Cryptocurrency

The malware additionally steals cryptocurrency wallets. It copies the pockets listing for every of the next crypto wallets under and sends them to its command & management.

It should additionally question the registry for the set up path of “Sprint” and “Litecoin” keys and do the identical.

Messaging and gaming purposes:

BlackGuard helps the stealing of a variety of messaging purposes. For among the purposes equivalent to Telegram, Discord and Pidgin, the malware has a selected handler for every. For instance, for Discord, it copies all information for the next folders within the Software Information folder which saved the Discord tokens: “DiscordLocal Storageleveldb”, “Discord PTBLocal Storageleveldb”, “Discord Canaryleveldb”. As well as, it copies all strings in recordsdata with the extension of “.txt” and “.ldb” in the event that they match Discord’s token common expression. (Determine 6)

Determine 6. Stealing Discord’s tokens and information.

Beneath is the listing of messaging purposes the malware seeking to steal delicate data from:

Outlook, FTP, VPN, and different purposes

BlackGuard steals login information and different delicate data from further communication applications. For e mail purposes, the malware queries particular Outlook registry keys below the CURRENT_USER hive to extract consumer, password and server data. (Determine 7)

Determine 7. Exfiltration of Outlook saved data.

The malware additionally handles completely different FTP and VPN purposes to extract saved customers and passwords. For instance, for NordVPN, the malware will search the appliance’s folder and if discovered, it parses all consumer.config recordsdata to extract the customers and passwords. (Determine 8)

Determine 8. Exfiltrating NordVPN data.

Along with Outlook and NordVPN, BlackGuard additionally steals data from WinSCP, FileZilla, OpenVPN, ProtonVPN and Complete Commander.

Different information collected      

Moreover, the malware additionally collects data from the machine equivalent to anti-virus software program put in on the machine, exterior IP handle, localization, file system data, OS and extra.

New BlackGuard options

Crypto pockets hijacking

Along with stealing crypto wallets saved/put in on the contaminated machine, BlackGuard is hijacking cryptocurrency addresses copied to clipboard (equivalent to CTRL+C) and changing them with the menace actor’s handle. This will trigger a sufferer to ship crypto property to the attacker with out noticing it when attempting to switch/pay to different wallets. That is finished by monitoring any content material copied to the clipboard and matching it to relative completely different crypto wallets’ regex. (Determine 9)

Determine 9. Particular regex to look in clipboard for listed cash.

As soon as there’s a match, the malware will question its command and management for the choice pockets and substitute it within the clipboard as an alternative of the one which was copied by the consumer. The malware helps stealing the favored crypto property under:

Propagate by way of shared / detachable units

Though this characteristic was restricted since Home windows 7 for use just for CDROM, the malware copies itself to every accessible drive with an “autorun.inf” file that factors to the malware to execute it mechanically. This consists of detachable and shared units. For instance, if a USB gadget is related to an outdated model of Home windows, the malware shall be executed mechanically and infect the machine. (Determine 10)

Determine 10. Propagate to all accessible drives.

Obtain and execute further malware with course of injection

The brand new variant of BlackGuard downloads and executes further malware from its command & management. The newly downloaded malware is injected and executed utilizing the “Process Hollowing” technique. With that the malware shall be operating below official/whitelisted processes and might make extra detection tougher. (Determine 11)

Determine 11. Obtain and execute further malware utilizing course of injection.

The focused course of is RuntimeDirectory folder, RegASM.exe (C:WindowsMicrosoft.NETFramework64runtime_versionRegAsm.exe)

Huge malware duplication

The malware copies itself to each folder in C: drive recursively, every folder the malware generates a random title to be copied to. This characteristic shouldn’t be widespread for malware, and that is largely annoying, because the malware beneficial properties no benefit from that.

Persistence
The malware added persistence to outlive system reboot by including itself below the “Run” registry key. (Determine 12)

Determine 12. Setting registry persistence.

Paperwork – stealth exercise

The malware searches and sends to its command and management all paperwork finish with extensions “.txt”, “.config”, “.docx”, “.doc”, “.rdp” within the consumer folders (together with sub directories): “Desktop”, “My Paperwork”, UserProfile folder.

Detection strategies

The next related detection strategies are in use by Alien Labs. They can be utilized by readers to tune or deploy detections in their very own environments or for aiding further analysis.

Related indicators (IOCs)

The next technical indicators are related to the reported intelligence. A listing of indicators can also be accessible within the OTX Pulse. Please observe, the heartbeat could embrace different actions associated however out of the scope of the report.

Mapped to MITRE ATT&CK

The findings of this report are mapped to the next MITRE ATT&CK Matrix strategies:

• TA0001: Preliminary Entry
  • T1091: Replication By way of Detachable Media
• TA0002: Execution
  • T1106: Native API
  • T1047: Home windows Administration Instrumentation
• TA0003: Persistence
  • T1547.001: Registry Run Keys / Startup Folder
• TA0005: Protection Evasion
  • T1027: Obfuscated Recordsdata or Info
• TA0006: Credential Entry
  • T1003: OS Credential Dumping
  • T1539: Steal Net Session Cookie
  • T1528: Steal Software Entry Token
  • T1552: Unsecured Credentials
    • .001: Credentials In Recordsdata
    • .002: Credentials In Recordsdata
• TA0007: Discovery
  • T1010: Software Window Discovery
  • T1622: Debugger Evasion
  • T1083: File and Listing Discovery
  • T1057: Course of Discovery
  • T1012: Question Registry
  • T1082: System Info Discovery
  • T1497: Virtualization/Sandbox Evasion
• TA0008: Lateral Motion
  • T1091: Replication By way of Detachable Media
• TA0009: Assortment
  • T1115: Clipboard Information
  • T1213: Information from Info Repositories
  • T1005: Information from Native System
• TA0011: Command and Management
  • T1071: Software Layer Protocol
  • T1105: Ingress Device Switch
• TA0010: Exfiltration
  • T1020: Automated Exfiltration