A hacking campaign that infects victims with username and password-stealing malware has been updated with new tricks as cyber criminals look to make their attacks more efficient, stealthier and more lucrative.
Predator the Thief malware first emerged in July 2018 and is capable of stealing usernames, passwords, browser data and the contents of cryptocurrency wallets, as well as taking photos using the infected victim's webcam.
The malware is commonly sold on underground hacking forums and has also featured as part of a bundle of six different forms of malicious software.
Predator the Thief is regularly updated with new capabilities and researchers at Fortinet's Fortiguard Labs have uncovered and analysed a new version of the malware – Predator the Thief v 3.3.4 – which was released on Christmas Eve.
It adds new phishing documents to use as the lure to hook victims, such as invoices; a previous campaign used a fake court summons as a lure. The malware has also been provided with more tricks to avoid detection and analysis, using shellcode to make the malware more effective at detecting debuggers and sandboxes – something it now checks for every five seconds.
Researchers also note the configuration of the command and control server is now more complex and detailed than it was in previous versions and that encryption is used in the connection – another instance of making analysis of the malware harder to do.
As well as this, Predator the Thief appears to have added some file-less capabilities, again making the malware trickier to monitor. "This makes it more difficult for analysts to analyze its damage to the victim system," said Yueh-Ting Chen, security analyst at Fortinet.
The malware will not operate in Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan. Russian cyber criminals don't tend to target these countries and while the exact identity of the Predator the Thief creators isn't known, Fortinet has previously stated that it's "fairly certain" they're Russian-speaking.
The full list of Indicators of Compromise has been posted on the Fortiguard Labs analysis of the malware.
To help protect against Predator the Thief attacks, researchers have previously recommended that macros are disabled by default and that users are educated about the dangers of enabling them. Ensuring that operating systems and software are both patched and up to date can also go a long way towards stopping malware attacks from succeeding.