A new strain of malware allows hackers to take screenshots, steal passwords, download files and even steal the contents of cryptocurrency wallets.
Named 'SquirtDanger' after a dynamic-link library (DLL) file consistently served by its distribution servers, the malware is written in C# and has multiple layers of embedded code. It is set up to run its tasks on an infected PC every minute in order to hand the attacker as much information as possible.
Uncovered by Palo Alto Networks Unit 42 researchers, the malware has infected individuals and organisations around the world, including a Turkish university, an African telecommunications company and a Singaporean internet service provider.
Because SquirtDanger is for sale to anyone who wants to buy it, no specific industry is under attack. But those who do opt to make use of it have a large box of malicious tricks at their disposal.
Attackers gain access to a wide variety of functions through the malware, including taking PC screenshots; sending, downloading and deleting files; and stealing passwords. Other functions include swiping directory information and potentially taking the contents of cryptocurrency wallets using address-switching tactics similar to those found in ComboJack malware.
"Being infected with any type of malware represents significant danger to an individual or victim, however, because of the large list of capabilities this malware family includes, it would certainly be very bad for the victim," Josh Grunzweig, senior malware researcher in the Unit 42 team at Palo Alto Networks told ZDNet.
As a form of commodity malware, it is up to the criminal how they deliver the malicious software to victims. However, researchers said one of the most commonly observed means of delivery has been trojanised software downloads.
With the malware this potent, it might be expected to be the work of an organised cybercriminal gang, but Unit 42 has traced the development of the malicious application to a single author.
"It represents the work of an individual who has developed malware for quite some time, and is familiar with both malware development, as well as the current trends on the criminal underground," said Grunzweig.
The researchers say the developer is based in Russia and has been active on global underground markets for many years.
In total, researchers have uncovered 1,277 unique SquirtDanger samples across a number of campaigns, tied to 119 unique C2 servers that were geographically dispersed but with hubs in France, the Netherlands, French Guinea and Russia. However, these figures might not represent the whole picture.
"There is always the possibility that many more malware samples from this family may exist in the wild," said Grunzweig.