The Blackguard stealer has been spotted in the wild again, this time with improved capabilities, according to analysts at AT&T. The malware's authors are still actively supporting it, constantly adding features while keeping the subscription price steady.
Blackguard was first spotted by Zscaler in March 2022, being sold to cybercriminals on Russian forums for $200 per month or $700 upfront. Since it appeared shortly after the popular Raccoon stealer shut down, its adoption rate and application-targeting capabilities were already fairly good.
However, the latest version spotted by AT&T analysts adds five new features that make it considerably more dangerous. First, its crypto wallet hijacker (clipper) module replaces a copied wallet address in the clipboard with the attacker's address, in the hope that the victim pastes the swapped address when sending funds. The clipper supports a fair number of cryptocurrencies, with hardcoded wallet addresses for Bitcoin, Bitcoin Cash, Dash, Ethereum, Litecoin, Monero, Nectar, Ripple, and Stellar.
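One way a defender could detect the clipboard swap described above, as an added example that is not part of the original article or of the AT&T analysis: it assumes a hypothetical endpoint agent that records user-initiated copies and periodic clipboard reads, and it uses approximate address patterns for a subset of the coins listed above.

```python
import re
from dataclasses import dataclass

# Approximate address shapes for a subset of the coins the article says the clipper
# targets (constructed heuristics, not full checksum validation).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(r"^(ltc1[a-z0-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
    "monero": re.compile(r"^4[0-9AB][a-km-zA-HJ-NP-Z1-9]{93}$"),
}

@dataclass
class ClipboardEvent:
    t: float    # seconds since monitoring started
    kind: str   # "copy" = user-initiated copy seen by a hook, "poll" = periodic clipboard read
    text: str

def classify(text):
    """Return the coin family an address-looking string belongs to, or None."""
    text = text.strip()
    return next((coin for coin, pat in ADDRESS_PATTERNS.items() if pat.match(text)), None)

def detect_clipper(events):
    """Flag clipboard changes that replace a wallet address with another address of the
    same family without any user copy in between: the signature of a clipper module."""
    alerts, last_text = [], ""
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "copy":
            last_text = ev.text       # the user put this there; a swap would show up later
            continue
        if ev.text != last_text:      # clipboard changed with no user copy recorded
            before, after = classify(last_text), classify(ev.text)
            if before is not None and before == after:
                alerts.append({"t": ev.t, "coin": before,
                               "original": last_text, "replacement": ev.text})
            last_text = ev.text
    return alerts

# Constructed sample timeline; the addresses are obviously fake, built to match the patterns above
USER_BTC, SWAPPED_BTC = "bc1q" + "user" * 9, "bc1q" + "evil" * 9
USER_ETH, USER_ETH2 = "0x" + "ab" * 20, "0x" + "cd" * 20
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "copy", USER_BTC),
    ClipboardEvent(0.5, "poll", USER_BTC),
    ClipboardEvent(1.0, "poll", SWAPPED_BTC),      # silent swap -> alert
    ClipboardEvent(5.0, "copy", USER_ETH),
    ClipboardEvent(6.0, "copy", USER_ETH2),        # user copied a second address -> legitimate
    ClipboardEvent(6.5, "poll", USER_ETH2),
    ClipboardEvent(9.0, "poll", "meeting notes"),  # non-address change -> ignored
]
```

Running `detect_clipper(SAMPLE_EVENTS)` yields a single alert for the Bitcoin swap at 1.0 s; the later Ethereum change is not flagged because a user copy precedes it.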
It can also spread itself to other systems via USB sticks, and it can download additional payloads from its C2 server and run them directly in the infected system's memory using process hollowing, a technique meant to evade detection by antivirus software installed on the infected machine.
The last two features focus on persistence and on making the malware hard to remove. For starters, it can copy itself into every folder on the C:\ drive, giving each copy a random name. It can also add itself under the Run registry key, giving it persistence across reboots. The latest variant also goes a step further and can steal sensitive information such as Discord tokens and browser cookies and data.
Overall, the Blackguard stealer now targets as many as 57 crypto browser wallets and extensions. For context, when it was first spotted in August 2022 it could only steal data from 47. Targeted extensions include Binance, BitApp, Guildwallet, Metamask, Phantom, Slope Wallet, Starcoin and Ronin, while targeted wallets include AtomicWallet, BitcoinCore, DashCore, Electrum, Ethereum, Exodus crypto and LiteCoinCore, among others.