This malware will take screenshots, steal your passwords and files - and drain your cryptocurrency wallet

'SquirtDanger' is distributed to users to deploy as they see fit - and attacks have been carried out around the world.
Written by Danny Palmer, Senior Writer

A new strain of malware allows hackers to take screenshots and steal passwords, download files and even steal the contents of cryptocurrency wallets.

Named 'SquirtDanger' after a dynamic-link library (DLL) file consistently served by its distribution servers, the malware is written in C# and has multiple layers of embedded code. The malware is set up to perform its tasks on an infected PC every minute in order to hand the attacker as much information as possible.

Uncovered by Palo Alto Networks Unit 42 researchers, the malware has infected individuals and organisations around the world, including a Turkish university, an African telecommunications company and a Singaporean internet service provider.

Because SquirtDanger is for sale to any user who wants to buy it, no specific industry is under attack. But those who do opt to make use of it have a large box of malicious tricks at their disposal.

Attackers gain access to a wide variety of functions through the malware, including taking PC screenshots, sending, downloading and deleting files, and stealing passwords. Other functions include swiping directory information and potentially taking the contents of cryptocurrency wallets using switch tactics similar to those found in ComboJack malware.

"Being infected with any type of malware represents significant danger to an individual or victim, however, because of the large list of capabilities this malware family includes, it would certainly be very bad for the victim," Josh Grunzweig, senior malware researcher in the Unit 42 team at Palo Alto Networks, told ZDNet.


As a form of commodity malware, it's the choice of the criminal as to how they deliver the malicious software to victims. However, researchers said one of the most observed means of delivery has been through trojanised software downloads.

With the malware particularly potent, it might be expected that it would be the work of an organised cybercriminal gang, but Unit 42 has traced the development of the malicious application to the work of a single author.

"It represents the work of an individual who has developed malware for quite some time, and is familiar with both malware development, as well as the current trends on the criminal underground," said Grunzweig.


The researchers say the developer is based in Russia and has been active on global underground markets for many years.

In total, researchers have uncovered 1,277 unique SquirtDanger samples across a number of campaigns tied to 119 unique command-and-control (C2) servers that were geographically dispersed, but with hubs in France, Netherlands, French Guinea and Russia. However, these figures might not represent the whole picture.

"There is always the possibility that many more malware samples from this family may exist in the wild," said Grunzweig.
