New malware discovered targeting web browsers and e-wallets to steal user information
(Baonghean.vn) - Cybersecurity researchers have discovered a new malware called Bandit Stealer that is targeting many web browsers and e-wallets to steal user information globally.
A new report published on May 26 by Trend Micro - one of the world's largest providers of cybersecurity and anti-virus software - shows that the Bandit Stealer malware has the potential to expand to other platforms because it is developed in the Go programming language, which can allow cross-platform compatibility.
According to security experts, the Bandit Stealer malware is currently focusing on targeting the Windows operating system by using a legitimate command-line tool called runas.exe that allows users to run programs as a different user with different permissions.
The goal of this malware is to escalate privileges and execute itself with administrator access, effectively bypassing the operating system's security measures to collect large amounts of user data.
This suggests that mitigation measures are needed around Microsoft's access controls to prevent unauthorized execution of malware when administrators are prompted for credentials.
According to Trend Micro, by using the runas.exe command, users can run programs as an administrator or any other user account with appropriate privileges, providing a more secure environment to run critical applications or perform system-level tasks.
“This utility is especially useful in cases where the current user account does not have sufficient privileges to execute a particular command or program,” Trend Micro added.
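As an added illustration, not code from Trend Micro's report or this article, the following Python hunting heuristic flags runas.exe process-creation events that match the pattern described above: a parent binary outside the usual interactive shells, living in a user-writable directory, relaunching itself under an administrator account. The simplified event shape and the sample records are constructed for this example; real Sysmon Event ID 1 or Security 4688 telemetry would need its fields mapped onto them.

```python
"""Hunting heuristic for suspicious runas.exe use (constructed sample events)."""
import re

# Constructed sample records in a simplified process-creation shape; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\runas.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'runas /user:CORP\backupadmin "C:\Tools\backup.exe"',
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\runas.exe",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "CommandLine": r'runas /user:Administrator "C:\Users\jdoe\AppData\Local\Temp\update.exe"',
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe notes.txt",
     "User": r"CORP\jdoe"},
]

# Parents from which an interactive user would normally type a runas command.
TRUSTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}
# Directories a standard user can write to; dropped payloads commonly run from here.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of suspicious traits for one event (empty if not runas.exe)."""
    reasons = []
    if basename(ev["Image"]) != "runas.exe":
        return reasons
    parent, cmdline = ev["ParentImage"], ev["CommandLine"]
    if basename(parent) not in TRUSTED_PARENTS:
        reasons.append(f"runas.exe spawned by non-interactive parent {basename(parent)}")
    if USER_WRITABLE.search(parent):
        reasons.append("parent binary lives in a user-writable directory")
    m = re.search(r"/user:(\S+)", cmdline, re.IGNORECASE)
    if m and m.group(1).lower().endswith("administrator"):
        reasons.append("requests the built-in Administrator account")
    if parent.lower() in cmdline.lower():
        reasons.append("runas target is the launching binary itself (self-relaunch)")
    return reasons


def find_suspicious(events, min_reasons=2):
    """Indexes of events with at least min_reasons traits, paired with their reasons."""
    hits = [(i, score_event(ev)) for i, ev in enumerate(events)]
    return [(i, r) for i, r in hits if len(r) >= min_reasons]
```

A legitimate administrator typing runas from a console shell yields no reasons, so the threshold keeps such use out of the alert queue.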
The Bandit Stealer malware uses checks to determine whether it is running in an isolated, protected environment (also known as a sandbox) to try to bypass and hide its presence on the infected system.
The malware also attempts to modify the Windows Registry database before initiating data collection activities that include collecting personal and financial data stored in the user's web browser and digital wallet.
Bandit Stealer is believed to be distributed via phishing emails carrying a dropper file that contains a seemingly harmless Microsoft Word attachment, used as a decoy to distract users while the infection is triggered.
Security firm Trend Micro said it also discovered a fake installer for Heart Sender, a service that automates the process of sending spam emails and SMS messages to multiple recipients, which is used to trick users into launching the embedded malware.
The findings came as the cybersecurity firm discovered a Rust-based information stealer targeting Windows operating systems, using an attacker-controlled GitHub Codespaces cloud-based service account as an exfiltration channel to capture victims' web browser credentials, credit cards, cryptocurrency wallets, and tokens for the Steam and Discord chat apps.
The malware uses a relatively unusual tactic, achieving persistence on the system by modifying the installed Discord client to inject JavaScript code designed to harvest information from the application.
These new findings follow the emergence of several malware strains such as Luca, StrelaStealer, DarkCloud, WhiteSnake, and Invicta Stealer, some of which have been found spreading via spam emails and fraudulent versions of popular software.
Another notable trend is the use of YouTube videos to promote cracked software through compromised channels with millions of subscribers.
The data amassed by the stealers can benefit the operators in many ways, allowing them to exploit it for purposes such as identity theft, financial gain, data breaches, credential stuffing attacks, and account takeovers.
Stolen information can also be sold to other actors, serving as the basis for further attacks that can range from targeted campaigns to ransomware attacks.
These findings highlight the continued evolution of data-stealing software into a more dangerous threat, similar to the malware-as-a-service (MaaS) market.
Data from Dell's SecureWorks Counter Threat Unit (CTU) cybersecurity response division shows that the infostealer crime market is growing strongly worldwide, with the Russian market alone increasing by 670% between June 2021 and May 2023.
“What we’re seeing is an entire underground economy and supporting infrastructure built around spyware used to collect personal information,” said Don Smith, vice president of CTU. “Coordinated global action by law enforcement is having some significant impact, but cybercriminals are very good at reshaping their routes to market.”