
BlackGuard Stealer Enhances its Stealth, Persistence Technique, and Scope

The BlackGuard Stealer malware has been spotted in the wild with new features and extended capabilities. The malware authors have added USB propagation, persistence mechanisms, the ability to inject additional payloads into memory, and the ability to target more crypto wallets.

Exploring new features

  • First of all, the latest BlackGuard Stealer variant comes with a clipper module that acts as a crypto wallet hijacker.
  • When a victim copies a cryptocurrency wallet address to the clipboard, the module replaces it with an attacker-controlled address, diverting the transaction to the attacker's wallet.
  • Secondly, it can propagate itself automatically via USB sticks and other removable devices to infect other systems.
  • Thirdly, it can download additional payloads from its C2 server and run them directly in the breached system's memory using process hollowing. This technique helps the malware evade detection by antivirus tools installed on the targeted system.
  • The last two features are focused on persistence. It copies itself to every folder on the C:\ drive, giving each copy a random name. Further, it adds itself under the Run registry key to remain persistent across reboots.
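The Run-key persistence described above leaves a hunting opportunity: an autostart entry whose target binary sits in an arbitrary folder on C:\ rather than a normal install location. The following PowerShell triage script is an added example, not code from the article or from the malware analysis it summarises; the set of "trusted" install roots is an assumed baseline that an analyst should tune to their environment.

```powershell
# Triage Run-key autostart entries and flag those whose target executable
# lives outside the usual install locations (Program Files, Windows).
# A stealer that drops a randomly named copy into some C:\ folder and
# registers it under Run would surface here with its SHA256 for lookup.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Assumed baseline of legitimate autostart roots; adjust per environment.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ }
# Properties the registry provider adds to every Get-ItemProperty result.
$providerMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    foreach ($prop in $entries.PSObject.Properties) {
        if ($prop.Name -in $providerMeta) { continue }
        $cmd = [string]$prop.Value
        # Extract the executable path from a quoted or unquoted command line.
        if     ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($cmd -match '^\s*(\S+)')     { $exe = $Matches[1] }
        else { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        $trusted = $false
        foreach ($root in $trustedRoots) {
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
        }
        if ($trusted) { continue }

        # Hash the target so the finding can be checked against reputation data.
        $hash = if (Test-Path -LiteralPath $exe) {
            (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        } else { 'FILE MISSING' }

        [PSCustomObject]@{
            Key     = $key
            Name    = $prop.Name
            Command = $cmd
            Target  = $exe
            SHA256  = $hash
        }
    }
}
```

Run it in an elevated session so the HKLM hives are readable; entries it prints are candidates for review, not automatic verdicts, since some legitimate software also starts from user-profile paths.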

Stealing data

In November 2022, the malware authors announced the new variant with its new features in their Telegram channel and offered free help with installing the C2 panel.
  • The malware steals sensitive information from a wide range of applications and browsers. It collects the stolen data, archives it using a password, and sends it to its C2.
  • According to AT&T researchers, the latest BlackGuard Stealer variant targets as many as 57 crypto browser wallets and extensions, up from 47 wallets until August 2022.

Browsers, extensions, wallets, and apps

  • BlackGuard Stealer targets browsers such as Chromium, Chrome, ChromePlus, Iridium, 7Star, Chedot, CentBrowser, Edge, and Edge Beta, and steals browsers’ cryptocurrency add-ons data.
  • The targeted wallets include Zcash, Atomic, Armory, BitcoinCore, Binance, DashCore, Electrum, Ethereum, Exodus crypto, Guarda, Zap, and LiteCoinCore, among others.
  • It also targets multiple extensions that include Auvitas, Binance, BitApp, Guild, Metamask, Phantom, Slope Wallet, Starcoin, Swash, Ronin, and Zecrey.
  • It also targets the messaging applications Discord, Telegram, WhatsApp, and Pidgin, along with gaming apps, email clients, and FTP and VPN tools.

Conclusion

BlackGuard Stealer developers are constantly adding extensive app-targeting capabilities and new features to make malware detection and removal more difficult. The latest malware variant shows how malware developers are evolving their malware with effective features that pose significant risks to users and simultaneously make it difficult for security analysts worldwide to detect and mitigate the threat.
Cyware Publisher