OpenBullet Campaign: Cybercriminals Target Script Kiddies

Experienced cybercriminals are notorious for targeting novice hackers who depend on ready-made scripts and utilities. Automated threat protection firm Kasada has recently uncovered one such malware operation, which targets OpenBullet users and leads to the deployment of a RAT on the victim's device.

What's OpenBullet?

  • OpenBullet is a legitimate open-source web-testing tool that is widely used to automate credential-stuffing attacks. Driven by a tailored configuration file ("config") and an acquired password list, it attempts logins against specific websites at scale.
  • OpenBullet integrates with Puppeteer, a library for driving a headless Chromium browser, to automate web interactions. This removes the need to deal with visible browser windows and simplifies launching credential-stuffing attacks.

Distribution and infection

The campaign distributes malicious OpenBullet configurations to script kiddies via a Telegram channel.
  • These configurations connect to a GitHub repository to obtain a Rust-based dropper named "Ocean," designed to retrieve the next payload component from the same repository.
  • That component, a Python-based malware called "Patent," ultimately deploys a RAT.

During the last two months, the adversary has been able to earn $1,703.15 worth of crypto deposited across two Bitcoin wallet addresses.

Capabilities of RAT

  • Patent RAT uses Telegram as its C2 channel and executes commands to capture screenshots, list directory contents, terminate specified tasks, and steal cryptocurrency wallet data as well as passwords and cookies from Chromium-based browsers.
  • It can target a range of browsers and crypto wallets, including Brave, Google Chrome, Microsoft Edge, Opera, Opera GX, Opera Crypto, Yandex Browser, Atomic, Dash Core, Electron Cash, Electrum, Electrum-LTC, Ethereum Wallet, Exodus, Jaxx Liberty, Litecoin Wallet, and Mincoin.
  • The trojan also functions as a clipper: it monitors the clipboard for cryptocurrency wallet addresses and replaces any content matching a predefined pattern with an address controlled by the threat actor, so that a victim who pastes an address for a transfer unknowingly sends funds to the attacker.
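The clipper behaviour described above, modelled as an added example (this is not Kasada's analysis or the Patent code): a minimal simulation of the address-swap logic next to a detector that flags it. The address patterns, the sample addresses, `ATTACKER_WALLETS`, `simulate_clipper` and `ClipboardMonitor` are all constructed for illustration; the patterns are coarse shape checks and do not validate checksums. The detector's key idea is that a clipper changes the clipboard without a user copy action, so it tracks what the user last copied and flags a later poll that returns a different address of the same family.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Coarse syntactic patterns for address families the page names among the RAT's
# targets (Bitcoin, Ethereum, Litecoin). Constructed for this example; they check
# shape only and do not validate checksums.
ADDRESS_PATTERNS: Dict[str, re.Pattern] = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "ltc_legacy": re.compile(r"^[LM][a-km-zA-HJ-NP-Z1-9]{26,33}$"),
    "ltc_bech32": re.compile(r"^ltc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}$"),
}

# Constructed sample addresses (not wallets from the campaign).
USER_BTC     = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
ATTACKER_BTC = "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"
USER_ETH     = "0xa1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
ATTACKER_ETH = "0x" + "deadbeef" * 5
ATTACKER_WALLETS = {"btc": ATTACKER_BTC, "eth": ATTACKER_ETH}


def classify_address(text: str) -> Optional[str]:
    """Return the address family of `text`, or None if it is not an address."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


def simulate_clipper(clipboard: str, attacker_wallets: Dict[str, str]) -> str:
    """Model of the clipper logic described in the article: if the clipboard
    holds an address of a family the attacker has a wallet for, substitute it."""
    family = classify_address(clipboard)
    if family is None:
        return clipboard
    coin = family.split("_")[0]           # "btc_legacy" -> "btc"
    return attacker_wallets.get(coin, clipboard)


@dataclass
class Swap:
    family: str
    original: str
    replaced: str


class ClipboardMonitor:
    """Detector: remembers what the user last copied and flags a later poll that
    returns a different address of the same family without a new copy action,
    which is the clipper's signature. A second copy by the user goes through
    on_user_copy and is therefore not flagged."""

    def __init__(self) -> None:
        self.expected: Optional[str] = None

    def on_user_copy(self, text: str) -> None:
        self.expected = text

    def on_poll(self, text: str) -> Optional[Swap]:
        if self.expected is None or text == self.expected:
            return None
        before, after = classify_address(self.expected), classify_address(text)
        if before is not None and before == after:
            swap = Swap(before, self.expected.strip(), text.strip())
            self.expected = text              # report each substitution once
            return swap
        return None


if __name__ == "__main__":
    monitor = ClipboardMonitor()
    monitor.on_user_copy(USER_BTC)
    tampered = simulate_clipper(USER_BTC, ATTACKER_WALLETS)
    print("clipboard after clipper:", tampered)
    print("detector:", monitor.on_poll(tampered))
```

In a real deployment the user-copy and poll events would come from the OS clipboard API rather than from function calls, and a detector would also want to alert on the attacker address itself once it is known, since the same address is reused across victims.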

The bottom line

Cybercriminals preying on their own tribe is not new and has happened several times in the past. Security researchers noted that the attack is likely directed at this cybercrime community because of its extensive use of and reliance on cryptocurrencies. Experienced cybercriminals simply tailored their efforts for the gain.
Publisher: Cyware