The new stealer targets login credentials and bypasses anti-malware programs
Security researchers from ThreatLabZ, the research team of Zscaler, Inc. (NASDAQ: ZS), a leader in cloud security, are warning about the new infostealer BlackGuard. The stealer is offered on hacker forums as malware-as-a-service at a monthly price of $200, or $700 for lifetime use. This distribution model has contributed to the strong growth of ransomware and phishing attacks since last year, as it lowers the technical hurdle for carrying out attacks. The ThreatLabZ team came across the new malware during research in underground forums; it can steal all kinds of information related to crypto wallets, VPNs, messengers, FTP credentials, saved browser credentials and email clients.
ThreatLabZ experts have analyzed the malware's characteristics and techniques. BlackGuard is a .NET stealer with a crypto-packer; once executed on an infected system, it checks for and terminates processes related to antivirus products and sandboxes. It uses string obfuscation to evade antivirus detection, and it calls user32!BlockInput to block mouse and keyboard input, which hinders attempts at manual debugging.
Once BlackGuard has bypassed potential defenses, its stealing function is called, which collects information from various browsers, software and encoded directories. The malware also infiltrates browsers and is able to steal login information from Chrome- and Gecko-based browsers, including histories, passwords, autofill data and downloads. In addition, the malicious code allows the theft of crypto wallets and other sensitive files related to crypto applications, including crypto extensions for the Chrome and Edge browsers. After collecting the information, BlackGuard packs all collected data into a single .zip file and sends it, along with system information such as the hardware ID and country, to the destination server.
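The behaviour described above, a freshly executed process that terminates antivirus- and sandbox-related processes before collecting data, is something a defender can hunt for in process-termination telemetry. The following is an added example, not code from the article or from Zscaler: it runs a simple sliding-window heuristic over constructed event lines. The event format, the process names and the substrings used to recognise security tooling are all assumptions for illustration and would need to be adapted to a real EDR's schema.

```python
"""
Added example (not from the article or Zscaler): flag any process that
terminates several security- or analysis-related processes within a short
time window, a pattern the article attributes to BlackGuard after execution.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed "<ISO timestamp> <actor> killed <target>"
# format. Process names are illustrative stand-ins, not indicators from the article.
SAMPLE_EVENTS = [
    "2023-03-01T10:00:00 explorer.exe killed notepad.exe",
    "2023-03-01T10:00:01 invoice_viewer.exe killed avscanner.exe",
    "2023-03-01T10:00:02 invoice_viewer.exe killed sandboxagent.exe",
    "2023-03-01T10:00:03 invoice_viewer.exe killed vboxservice.exe",
    "2023-03-01T10:00:04 invoice_viewer.exe killed procmon.exe",
    "2023-03-01T10:05:00 taskmgr.exe killed avscanner.exe",
    "2023-03-01T10:09:00 taskmgr.exe killed procmon.exe",
]

# Assumed substrings that mark security or analysis tooling; tune to the environment.
SECURITY_HINTS = ("avscan", "msmpeng", "defender", "sandbox", "vbox",
                  "vmware", "procmon", "wireshark", "x64dbg")


def parse_event(line):
    """Parse one event line into (timestamp, actor, target); None if malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "killed":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1].lower(), parts[3].lower()


def is_security_process(name):
    """True if the process name matches one of the assumed security-tool hints."""
    return any(hint in name.lower() for hint in SECURITY_HINTS)


def find_suspicious_actors(lines, threshold=3, window=timedelta(seconds=30)):
    """Return {actor: [killed security processes]} for every actor that terminated
    at least `threshold` security-related processes inside some window of `window`
    length. Malformed lines are skipped rather than raising."""
    kills = defaultdict(list)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, actor, target = parsed
        if is_security_process(target):
            kills[actor].append((ts, target))

    flagged = {}
    for actor, events in kills.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                # Report every security-related kill by this actor, not just the window.
                flagged[actor] = [target for _, target in events]
                break
    return flagged


if __name__ == "__main__":
    for actor, targets in find_suspicious_actors(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} terminated {len(targets)} security-related processes: {targets}")
```

On the constructed sample only `invoice_viewer.exe` is flagged: it kills four tool processes in four seconds, while `taskmgr.exe` kills two of them minutes apart, which is consistent with an administrator closing tools by hand. The threshold and window are the knobs to tune against normal activity in a given environment.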
BlackGuard's feature set is not yet as broad as that of other stealers, but it is under continuous development and is currently gaining a reputation in underground forums. To protect against this type of malware, the ThreatLabZ team recommends inspecting all traffic and using malware prevention tools that combine antivirus (for known threats) with sandboxing capabilities (for unknown threats). As is often the case with cyber attacks, people are both the largest attack surface and the strongest defense. It is therefore recommended to train end users on the following points, and to remind them regularly, so that they can protect themselves as well as possible:
- Change passwords regularly and never reuse the same password across services
- Use multi-factor authentication
- Avoid browsing unknown websites
- Do not open suspicious or unknown files