This password-stealing malware just got updated with new tactics to help it hide better

Predator the Thief updated again; make sure your systems are patched and staff are alert to the risks of phishing.
Written by Danny Palmer, Senior Writer

A hacking campaign that infects victims with username and password-stealing malware has been updated with new tricks as cyber criminals look to make their attacks more efficient, stealthier and more lucrative.

Predator the Thief malware first emerged in July 2018 and is capable of stealing usernames, passwords, browser data and the contents of cryptocurrency wallets, as well as taking photos using the infected victim's webcam.

The malware is commonly sold on underground hacking forums and has also featured as part of a bundle of six different forms of malicious software.


Predator the Thief is regularly updated with new capabilities and researchers at Fortinet's Fortiguard Labs have uncovered and analysed a new version of the malware – Predator the Thief v 3.3.4 – which was released on Christmas Eve.

It adds new phishing documents to use as the lure to hook victims, such as invoices; a previous campaign used a fake court summons as a lure. The malware has also been provided with more tricks to avoid detection and analysis, using shellcode to make the malware more effective at detecting debuggers and sandboxes – something it now checks for every five seconds.


Researchers also note the configuration of the command and control server is now more complex and detailed than it was in previous versions and that encryption is used in the connection – another instance of making analysis of the malware harder to do.

As well as this, Predator the Thief appears to have added some file-less capabilities, again making the malware trickier to monitor. "This makes it more difficult for analysts to analyze its damage to the victim system," said Yueh-Ting Chen, security analyst at Fortinet.

The malware will not operate in Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan. Russian cyber criminals don't tend to target these countries and while the exact identity of the Predator the Thief creators isn't known, Fortinet has previously stated that it's "fairly certain" they're Russian-speaking.


The full list of Indicators of Compromise has been posted on the Fortiguard Labs analysis of the malware.

To help protect against Predator the Thief attacks, researchers have previously recommended that macros are disabled by default and users are educated about the dangers of enabling them. Ensuring that operating systems and software are both patched and up-to-date can also go a long way to stopping malware attacks being successful.
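One way to put the "macros disabled by default" recommendation into practice on a Windows endpoint, as an added example that is not part of the article or of Fortinet's analysis: it assumes Office 2016/2019/Microsoft 365 (registry tree version 16.0) and writes the per-user Office policy keys that turn macros off without a prompt and block macros in documents that arrived from e-mail or the internet, the kind of lure document described above.

```powershell
# Added example (not from the article or Fortinet): enforce "macros disabled by default"
# for Word, Excel and PowerPoint and report which apps were still on a weaker setting.
$apps = @('Word', 'Excel', 'PowerPoint')
$officeVersion = '16.0'   # assumption: Office 2016/2019/Microsoft 365 registry tree

# VBAWarnings values: 1 = enable all macros (weak), 2 = disable with notification
# (the Office default; the user can click "Enable Content", which is exactly what a
# phishing invoice relies on), 3 = disable except digitally signed, 4 = disable all
# macros without notification (strongest).
$desiredVbaWarnings = 4

function Get-MacroPolicy {
    param([string]$App)
    $path = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
    $current = Get-ItemProperty -Path $path -Name VBAWarnings -ErrorAction SilentlyContinue
    if ($null -eq $current) { return $null }   # no policy set: Office default (2) applies
    return $current.VBAWarnings
}

function Set-MacroPolicy {
    param([string]$App)
    $path = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Disable macros outright ...
    Set-ItemProperty -Path $path -Name VBAWarnings -Value $desiredVbaWarnings -Type DWord
    # ... and independently block macros in files carrying the Mark-of-the-Web
    # (e-mail attachments, downloads), even if VBAWarnings is later relaxed.
    Set-ItemProperty -Path $path -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
}

foreach ($app in $apps) {
    $before = Get-MacroPolicy -App $app
    if ($before -eq $desiredVbaWarnings) {
        Write-Output "$app already enforces VBAWarnings=$desiredVbaWarnings"
        continue
    }
    $shown = if ($null -eq $before) { 'not set' } else { $before }
    Write-Output ("{0}: VBAWarnings was {1}; enforcing {2}" -f $app, $shown, $desiredVbaWarnings)
    Set-MacroPolicy -App $app
}
```

In a managed environment the same two values are normally pushed through Group Policy (the Office ADMX templates) rather than set per user; the script mirrors what that policy writes so the effect can be audited on a single machine.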

