Bandit malware attacks 17 browsers, FTP and email clients

Bandit malware attacks 17 browsers

Zscaler ThreatLabz recently tracked “Bandit Malware”, a new info-stealer that appeared in April 2023 and plucked the following data from 17 browsers:-

  • Cookies
  • Registrations
  • Credit cards

Bandit Stealer swipes credentials for FTP and email clients which are popular not only that it goes after desktop crypto wallets too.


The malware, encoded in Go (Golang), and the stolen data are sent to a C2 server via Telegram. Apart from this, the malware also has the ability to stealthily bypass virtual environments and automated analysis tools.

Bandit Stealer evades analysis

The Bandit stealer bypasses both automated and manual analysis by applying various anti-analysis techniques. It uses the procfs Golang library to collect process information and scans for the following process which we have mentioned below:-

  • Xen
  • vmware
  • virtual box
  • KVM
  • Sandpit
  • QEMU
  • jail

When a process matches these names, the Bandit infostealer automatically terminates execution and the latest Bandit samples verify the presence of debugger using the Windows API via the following calls:-

  • IsDebuggerPresent
  • Check RemoteDebuggerPresent

Bandit obtains UUID and screen dimensions by using the following WMIC commands:-

  • wmic csproduct gets uuid
  • wmic desktop monitor get screen height, screen width

The information gathered helps threat actors recognize analytics setups. To spot the virtual environments, trick the security vendors and evade suspicion, the Bandit stealer makes use of a wide list of the following:-

  • IP addresses
  • MAC addresses
  • Computer names
  • Usernames
  • Process names

From the ‘’ Bandit retrieves the external IP address of the system and then from the attachment it extracts a list of blacklisted IP addresses to compare them with the external IP address of the system .

Bandit steals the MAC address via GetAdaptersAddresses Windows API and then compares it against an appendix blacklist. If there is a match, Bandit will shut down and the MACs associated with virtualization may be blacklisted to bypass sandboxes.

Apart from this, Bandit Stealer also obtains additional blacklists using “cmd /c net session” to verify the victim’s username and computer name.

Using the CreateToolhelp32Snapshot Windows API, Bandit captures a process snapshot and scans it against a blacklist in the attachment. If a blacklisted process is found running in memory, Bandit will terminate.


Below we have listed all the browsers that are targeted by Bandit Stealer:-

  • Yandex browser
  • Iridium Browser
  • 7Star Browser
  • Vivaldi Browser
  • Google Chrome
  • track
  • Sputnik
  • uCozMedia
  • Microsoft Edge
  • Torch web browser
  • Kometa Browser
  • CentBrowser
  • Brave Software
  • Amigo Browser
  • Epic privacy browser
  • SeaMonkey browser
  • QupZilla

Targeted cryptocurrency wallets

Below we have mentioned all the cryptocurrency wallets that Bandit Stealer is targeting:-

  • Coinbase wallet extension
  • Saturn Wallet extension
  • Binance chain wallet extension
  • Coin98 Wallet
  • TronLink wallet
  • multibit Bitcoin
  • Terra station
  • Electron Cash
  • Guildwallet extension
  • Electrum-btcp
  • MetaMask extension
  • Bither Bitcoin Wallet
  • ronin wallet extension
  • multidose coin
  • Cardiachain wallet extension
  • LiteCoin
  • Jaxx Liberty wallet
  • Dash wallet
  • Math Wallet extension
  • Ethereum
  • Bitpay wallet extension
  • Exodus
  • Handy Wallet extension
  • Atom
  • armory
  • Bytecoin wallet
  • Coinomi wallet
  • Monero wallet
  • dogecoin

FTP client apps targeted

Below we have mentioned all the FTP client applications that Bandit Stealer targets:-

  • BlazeFTP
  • NovaFTP
  • Staff FTP
  • EasyFTP
  • DeluxeFTP
  • GoFTP
  • 32BitFtp

Email clients targeted

Below we have mentioned all the email clients that Bandit stealer is targeting:-

  • MailSpring
  • Mail bird
  • Opera Mail
  • pocomail

Stolen data is contained in files in a subfolder in the %appdata%\local folder and the name of the subfolder follows [country_code][ip_address] format.

Information collected by Bandit Stealer (Source – Zscaler)

While the USERINFO.txt file contains the Bandit Stealer header and system info.

USERINFO content (Source – Zscaler)

Bandit uses the Windows 10 v1803 standard cURL utility for versatile data transfer through various standards such as:-

In addition, from a hard-coded URL, it downloads the configuration information from the blacklist by exploiting “”.

Downloaded Bandit Stealer blacklist configuration (Source – Zscaler)

Bandit sends this information to the threat actor via Telegram once data collection is complete.

Automated parsing and data extraction by the Bandit threat actor results in a JSON encoded response.

“AI-Based Email Security Measures Protect Your Business From Email Threats!” – Request a free demo.

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *