Malware-as-a-service is becoming one of the greatest contributors to cyberattacks since it makes entry for cybercriminals extremely easier. This is because most of the hacking forums are selling malware, trojans, and viruses which are being leveraged by many hackers.
In recent reports by Zscaler researchers, a new type of sophisticated credential stealer malware was found which was named “BlackGuard”. This malware is sold at a price of $700 lifetime and $200 a month.
This malware is capable of stealing information related to Crypto Wallets, Saved browser credentials, email clients, VPN messengers, and FTP credentials. This malware also has the ability to evade detection as well as anti-debugging.
Analysis
BlackGuard is still in the development stage. It is written in .NET packed with crypto packer.
Evasion
When this malware is executed, it is coded to kill processes related to antivirus and sandbox.
Source: zscaler
String Obfuscation
This malware has dual decoding. It is encoded in an array of bytes which is first decoded into ASCII strings during runtime. These ASCII strings are then decoded into base64. This helps to evade antivirus and string-based detection.
Anti-CIS
BlackGuard gathers information about the location of the infected device by making a request to “http://ipwhois.app/xml/“. If BlackGuard detects the location of a Commonwealth of Independent States (CIS), it exits the device.
Anti-Debug
BlackGuard can stop any disruption from users when debugging. This is achieved by the use of user32!BlockInput(). It blocks all mouse and keyboard inputs.
Stealer Function
After all the pre-checks are executed, BlackGuard executes the stealer function which collects various information about browsers, software, and other directories.
Browsers
BlackGuard steals credentials from Chrome and other Gecko-based browsers. It steals history, autofill information, passwords, and downloads.
Cryptocurrency Wallets
The malware also supports the stealing of wallet information and other sensitive information. It specifically targets sensitive data files such as wallet.dat which will contain the private key access to the wallet and other data. Usually, these files are stored in the AppData folder which is targeted by the malware.
Crypto Extensions
Most of browsers have extensions for crypto wallets for easy access to users. The malware also targets browsers such as Chrome and Edge for these extensions to steal sensitive information.
Command and Control (C2) Exfiltration
Once it collects all this information from the targeted machine, it converts the data into a single .zip file and sends it to the server by making a POST request. The request also contains information about the system Hardware ID and country.
Applications Targeted
Browsers
- Chrome
- Opera
- Firefox
- MapleStudio
- Iridium
- 7Star
- CentBrowser
- Chedot
- Vivaldi
- Kometa
- ElementsBrowser
- EpicPrivacyBrowser
- uCozMedia
- Coowon
- liebao
- QIPSurf
- Orbitum
- Comodo
- Amigo
- Torch
- Comodo
- 360Browser
- Maxthon3
- K-Melon
- Sputnik
- Nichrome
- CocCoc
- Uran
- Chromodo
- Edge
- BraveSoftware
Crypto Wallets
- AtomicWallet
- BitcoinCore
- DashCore
- Electrum
- Ethereum
- Exodus
- LitecoinCore
- Monero
- Jaxx
- Zcash
- Solar
- Zap
- AtomicDEX
- Binance
- Frame
- TokenPocket
- Wassabi
Crypto Wallet Extensions
- Binance
- coin98
- Phantom
- Mobox
- XinPay
- Math10
- Metamask
- BitApp
- Guildwallet
- iconx
- Sollet
- SlopeWallet
- Starcoin
- Swash
- Finnie
- KEPLR
- Crocobit
- OXYGEN
- Nifty
- Liquality
- Auvitaswallet
- Mathwallet
- MTVwallet
- Rabetwallet
- Roninwallet
- Yoroiwallet
- ZilPaywallet
- Exodus
- TerraStation
- Jaxx
Email Clients
Email Clients include Outlook
Other Applications
- NordVPN
- OpenVPN
- ProtonVpn
- Totalcomander
- Filezilla
- WinSCP
- Steam
Messengers
- Telegram
- Signal
- Tox
- Element
- Pidgin
- Discord
Conclusion
Though BlackGuard has not had many applications, it still poses a big threat as it is continuously being developed and improved by underground hackers.
In order to prevent stealer malware like BlackGuard,
- Inspect all traffic inbound and outbound
- Use MFA where it can be induced
- Prevent duplicate use of passwords
- Prevent unknown sites from being visited
- Prevent unknown from being opened
- Use sandbox for unknown threats