Category:

Malware Intelligence

Type/Family:

Stealer Malware

Industry:

Multiple

Region:

Global

‍

Executive Summary

On 06 July 2023, CloudSEK’s threat researchers found a web panel of a relatively new Bandit Stealer malware.
The malware is written in Go programming language.
We found at least 14 instances of Bandit Stealer web panels which were recently active.
The malware is being distributed through YouTube videos.
The stealer collects data such as PC and user details, screenshots, geolocation and IP information, webcam images, and data from popular browsers, FTP applications, and digital wallets.
The stealer targets more than 25 cryptocurrency wallets and 17 web browsers.
The stolen data is then sent to a secure Telegram bot, packaged in a ZIP file for easy transfer.

‍

Analysis and Attribution

CloudSEK’s contextual AI digital risk platform XVigil has discovered a post mentioning Bandit Stealer malware on a Russian-speaking underground forum where a threat actor vouched for it.

‍

CloudSEK researchers recently discovered at least 14 IP addresses serving the Bandit Stealer web panel, most of which went down in a span of 24 hours. All of these IP addresses were running on port 8080.

‍

Bandit Web Panel Analysis

Our source identified a few website endpoints that allowed access to the website’s internal system without entering the credentials due to a misconfiguration on the website.

*Login page of Bandit Stealer web panel*

‍

Nothing particularly significant can be noted on the dashboard except a menu for options such as Builder and Results.

*Dashboard interface of the malware panel*

‍

The Builder page shows the options for building a customized version of Bandit Stealer malware. And, in the stealer operation, threat actors utilize key elements to carry out their activities:

Communication Channel: ChatID, Bot Token, and Server IP are utilized to establish a secure connection with Telegram. This connection enables the threat actors to receive exfiltrated data from infected users, such as compromised credentials and screenshots.
Cryptocurrency Wallet Addresses: Various cryptocurrency wallet addresses are employed to transfer cryptocurrency amounts to the threat actor’s wallet.
Loader URL: The Loader URL serves as a mechanism for distributing the malware. For instance, in malvertising campaigns, a hidden JavaScript code operates in the background and is responsible for dropping the executable malware file onto the victim's system. This URL is a crucial component in the initial infection process.
FileName: The FileName refers to the name assigned to the executable malware file. This file contains the malicious code responsible for the intended actions, such as data theft and exfiltration.

*Malware builder panel used for generating executable*

‍

One of the discovered endpoints was /builds that had all the Bandit Stealer builder that had been generated so far by this particular panel. Our source was able to acquire them for further analysis.

‍

Next, another identified endpoint was /clients with multiple instances of likely exfiltrated data from multiple IP addresses in JSON. In the JSON, the file name consists of the target’s Country Code + Public IP address, followed by size and the exfiltration date and time. While our analysis confirms the data to be sent to the Telegram bot, but we assume the malware likely also keeps a copy of the exfiltrated data in its web panel.

‍

Analysis of Stealer Logs

Our source was able to exfiltrate the stealer logs from their web panel for Analysis. One of the log files was from the test machine with lots of screenshots which they might have used for testing the malware. The screenshot shows the process of anti-reversing tools being killed using Command Prompt. The other screenshot shows the same process using PowerShell. As the malware has screen capture capabilities, it is assumed that the malware have captured these screenshots during the infection (likely on the test machine).

‍

*The process of killing anti-reversing tools*

‍

Another screenshot reveals the usages of a Telegram bot in the stealer malware as the C2 communication channel.

‍

‍

Malware Delivery Mechanism

The malware is being distributed through YouTube videos which is a commonly seen malware delivery mechanism among threat actors. In our previous report, we highlighted that since November 2022, there has been a 200-300% month-on-month increase in Youtube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions.

‍

‍

Technical Analysis

Bandit Stealer, a newly discovered form of information stealer malware, showcases advanced capabilities and evasive techniques. Written in the Go language, it employs various methods to circumvent detection by debugging tools and virtual machine environments, ensuring its covert operations remain undetected.

‍

To avoid analysis and hinder reverse engineering efforts, Bandit Stealer employs clever tactics. It actively checks for the presence of debuggers using techniques like IsDebuggerPresent and CheckRemoteDebuggerPresent. Furthermore, it possesses the ability to detect sandbox environments, swiftly shutting itself down if such environments are detected, thereby eluding analysis attempts. The malware even terminates reverse engineering tools that could potentially interfere with its functionality.

‍

Notably, Bandit Stealer has been observed spreading through YouTube videos to reach mass users.

‍

In order to establish persistence on infected systems, the malware creates an autorun registry entry, named "Bandit Stealer." By doing so, it ensures that the malicious code runs each time the machine is booted up.

*Collected PC, User, and IP Information*

‍

The stealer is designed to obtain valuable information from PCs and users. It discreetly collects data such as PC and user details, screenshots, geolocation and IP information, webcam images, and data from popular browsers, FTP applications, and digital wallets. The stolen data is then sent to a secure Telegram bot, packaged in a ZIP file for easy transfer.

‍

The Stealer employs a curated blacklist obtained from an external URL, in some instances a Pastebin URL, and stores it in C:\Users\USERNAME\AppData\Roaming\blacklist.txt and the file gets deleted once the stealer finishes execution. This blacklist serves a crucial role in determining whether the Stealer is running within a sandbox/virtual environment or on an actual system. Additionally, it aids in identifying specific processes and reversing tools that the Stealer aims to terminate in order to thwart any potential analysis or reverse engineering attempts.

‍

Blacklisted IP Addresses:

‍

Blacklisted Mac Addresses:

‍

The list of blacklisted HWIDs:

Blacklisted PC User and Names:

‍

Reversing Tools Termination

Blacklisted Processes
httpdebuggerui	wireshark	fiddler	regedit
cmd	taskmgr	vboxservice	df5serv
processhacker	vboxtray	vmtoolsd	vmwaretray
ida64	ollydbg	pestudio	vmwareuser
vgauthservice	vmacthlp	x96dbg	vmsrvc
x32dbg	vmusrvc	prl_cc	prl_tools
xenservice	qemu-ga	joeboxcontrol	ksdumperclient
ksdumper	joeboxserver

According to our open-source research, it appears that the Bandit Stealer uses an identical replica of the "blacklist.txt" file from an open-source stealer malware project called EMPYREAN available on Github.

*Identical blacklist.txt part of a open-source stealer malware on Github*

‍

Information Stealing & C2 Server Communication

Bandit steals web browser data that includes the theft of saved login information, crucial cookies, browsing history and sensitive credit card details stored within the browser's user profile.

List of Target Browsers
Chrome Browser	Iridium Browser	7Star Browser	Vivaldi Browser
Yandex Chrome	Orbitum	Orbitum	uCozMedia
Microsoft Edge	Torch Web Browser	Kometa Browser	CentBrowser
BraveSoftware	Amigo Browser	Epic Privacy Browser	SeaMonkey browser
QupZilla

The malware also targets a large list of digital cryptocurrency wallets.

List of Cryptocurrency Wallets
Coinbase wallet extension	Saturn Wallet extension	MetaMask extension	Bither Bitcoin wallet
Binance chain wallet extension	Coin98 Wallet	ronin wallet extension	multidoge coin
TronLink Wallet	multibit Bitcoin	Kardiachain wallet extension	LiteCoin
Terra Station	Electron Cash	Jaxx liberty Wallet	Dash Wallet
Guildwallet extension	Electrum-btcp	Math Wallet extension	Ethereum
Bitpay wallet extension	Exodus	Nifty Wallet extension	Atomic
Armory	Bytecoin Wallet	Coinomi wallet	Monero wallet
dogecoin

Here is an example of captured Firefox cookies by the Bandit Stealer.

*Theft of browser cookies by Bandit Stealer*

‍

The collected data is then packaged up into a ZIP file and then exfiltrated to the C2 server which points to the Telegram server (149.154.167.220).

‍

*Data exfiltration to the C2 server belonging to Telegram (****149.154.167.220***)

‍

Impact

Exposed credentials can be used by threat actors to access the user’s personal information, internal networks and steal sensitive files and information.
The stolen credentials can be sold on underground forums, thus making them available to the public, competitors, and other threat actors.
The attacks and the exfiltration of sensitive information can lead to the victim's loss of data, revenue, and reputation.
‍