Bandit Malware Attacks 17 Browsers, FTP & Email Clients to Steal Credentials

Zscaler ThreatLabz recently tracked “Bandit Malware,” a new info stealer that appeared in April 2023 and snatched the following data from 17 browsers:-

• Cookies
• Logins
• Credit cards

Bandit Stealer swipes credentials for FTP and email clients that are popular, and not only that even it also goes after desktop crypto wallets as well.

The malware, coded in Go (Golang), and the data that is stolen is sent to a C2 server through Telegram. Apart from this, the malware also has the ability to evade virtual environments and automated analysis tools stealthily.

Bandit Stealer Evades Analysis

The Bandit stealer evades both automated and manual analysis by employing several anti-analysis techniques. It leverages the procfs Golang library to gather process info and scans for the following process that awe have mentioned below:-

• Xen
• Vmware
• VirtualBox
• KVM
• Sandbox
• QEMU
• jail

When a process matches these names, the Bandit info stealer automatically ends the execution, and the latest Bandit samples verify debugger presence using the Windows API through the following calls:-

Bandit obtains UUID and screen dimensions by using the following WMIC commands:-

• wmic csproduct get uuid
• wmic desktopmonitor get screenheight, screenwidth

The gathered info aids threat actors in recognizing analysis setups. While to spot the virtual environments, trick the security vendors, and evade suspicion, the Bandit stealer makes use of a wide list of following things:-

• IP addresses
• MAC addresses
• Computer names
• User names
• Process names

From the ‘api.ipify.org’ Bandit fetches the system’s external IP, and then from the Appendix, it fetches a list of blacklisted IP addresses to compare them with the system’s external IP.

Bandit steals MAC address via GetAdaptersAddresses Windows API, then checks it against an Appendix blacklist. If matched, Bandit exits, and the MACs linked to virtualization may be in the blacklist to evade sandboxes.

Apart from this, Bandit Stealer also obtains additional blacklists using “cmd /c net session” to verify the username and computer name of the victim.

By employing the CreateToolhelp32Snapshot Windows API, Bandit captures a process snapshot and scans it against a blacklist in the Appendix. If a blacklisted process is found running in memory, Bandit terminates.

Browsers Targeted

Here below we have mentioned all the browsers that are targeted by Bandit Stealer:-

• Yandex Browser
• Iridium Browser
• 7Star Browser
• Vivaldi Browser
• Google Chrome
• Orbitum
• Sputnik
• uCozMedia
• Microsoft Edge
• Torch Web Browser
• Kometa Browser
• CentBrowser
• BraveSoftware
• Amigo Browser
• Epic Privacy Browser
• SeaMonkey browser
• QupZilla

Cryptocurrency Wallets Targeted

Here below we have mentioned all the cryptocurrency wallets that are targeted by Bandit Stealer:-

• Coinbase wallet extension
• Saturn Wallet extension
• Binance chain wallet extension
• Coin98 Wallet
• TronLink Wallet
• multibit Bitcoin
• Terra Station
• Electron Cash
• Guildwallet extension
• Electrum-btcp
• MetaMask extension
• Bither Bitcoin wallet
• ronin wallet extension
• multidoge coin
• Kardiachain wallet extension
• LiteCoin
• Jaxx liberty Wallet
• Dash Wallet
• Math Wallet extension
• Ethereum
• Bitpay wallet extension
• Exodus
• Nifty Wallet extension
• Atomic
• Armory
• Bytecoin Wallet
• Coinomi wallet
• Monero wallet
• dogecoin

FTP client apps targeted

Here below, we have mentioned all the FTP client applications that Bandit Stealer targets:-

• BlazeFTP
• NovaFTP
• Staff-FTP
• EasyFTP
• DeluxeFTP
• ALFTP
• GoFTP
• 32BitFtp

Email Clients Targeted

Here below we have mentioned all the email clients that the Bandit stealer targets:-

• MailSpring
• Mailbird
• Opera Mail
• Pocomail

Stolen data resides in files within a sub-folder in the %appdata%\local directory, and the sub-folder name follows [country_code][ip_address] format.

While the file, USERINFO.txt carries Bandit Stealer header and system info.

Bandit leverages Windows 10 v1803’s default cURL utility for versatile data transfer via several standards like:-

• HTTP
• FTP
• SMTP

Moreover, from a hardcoded URL, it downloads the blacklist configuration information by abusing the “pastebin.com”.

Bandit dispatches this information through Telegram to the threat actor once the data collection concludes.

Automated parsing and data extraction by the Bandit threat actor results in a JSON-encoded response.

Source: https://cybersecuritynews.com/bandit-malware-attacks-17-browsers/