AT&T Alien Labs researchers have detected a new variant of BlackGuard stealer in the wild. BlackGuard is malware as a service (MaaS) that collects information from various applications and browsers, including cryptocurrency wallets. The new variant of BlackGuard features new capabilities, including USB propagation, process hollowing, additional payload loading in memory, and persistence mechanisms. It has also upgraded its targeting scope to include 57 cryptocurrency browser extensions and wallets.
The malware can hijack crypto wallets copied to the clipboard and replace their addresses with the attacker's address to divert transactions to their wallets. It can propagate through removable media and shared devices, download additional payloads from the C2 server, and execute them directly in the breached computer's memory using process hollowing to evade detection from antivirus tools.
Furthermore, BlackGuard can add itself under the "Run" registry key to gain persistence between system reboots, and copy malware files to every folder in the C:\ drive, giving each copy a random name to make removal more challenging.
Below is a structured analysis of the BlackGuard malware:
- BlackGuard first checks for other running instances by creating a Mutex.
- The malware adds itself to the "Run" registry key to ensure it survives a system reboot.
- BlackGuard checks for debugger mode and a list of specific user names to avoid execution in a malware sandbox environment.
- The malware collects sensitive user data and stores it in specific folders, such as Browsers, Files, Telegram, etc.
- When it finishes collecting sensitive data, the malware zips the main folder using the password "xNET3301LIVE" and sends it to its command & control.
- BlackGuard collects cookies, history, and downloads of different browsers, and looks for special files and folders of different browsers.
- BlackGuard steals Chrome, Edge, and Edge Beta browsers' cryptocurrency add-ons data, supporting specific add-ons by looking for their hardcoded installation folder path in "Microsoft\Edge\User Data\Default\Local Extension Settings".
- The malware also steals cryptocurrency wallets, querying the registry for the installation path of Dash and Litecoin keys.
- BlackGuard supports the stealing of a wide range of messaging applications, with specific handlers for some applications like Discord.
- For email applications, the malware extracts user, password, and server information by querying specific Outlook registry keys under the CURRENT_USER hive.
- BlackGuard also handles different FTP and VPN applications to extract stored users and passwords. For example, for NordVPN, the malware searches the application's folder and parses all user.config files to extract the users and passwords.
The following TTP (Tactics, Techniques and Procedures) according to available data:
- PersistenceTactic: Persistence (TA0003)Technique: Registry Run Keys / Startup Folder (T1060)Procedure: Adds itself to the "Run" registry key to ensure persistence after system reboot.
- Defense EvasionTactic: Defense Evasion (TA0005)Technique: Mutex (T1024)Procedure: Creates a Mutex to check for other running instances and avoid detection.Technique: Execution Guardrails (T1480)Procedure: Checks for debugger mode and specific user names to avoid execution in a malware sandbox environment.
- CollectionTactic: Collection (TA0009)Technique: Data from Local System (T1005)Procedure: Collects sensitive user data from specific folders such as Browsers, Files, Telegram, etc.
- ExfiltrationTactic: Exfiltration (TA0010)Technique: Exfiltration Over Command and Control Channel (T1041)Procedure: Zips the collected sensitive data using the password "xNET3301LIVE" and sends it to its command & control.
- Collection and exfiltration of cryptocurrency-related dataTactic: Collection (TA0009), Exfiltration (TA0010)Technique: Data from Local System (T1005), Exfiltration Over Command and Control Channel (T1041)Procedure: Collects cryptocurrency add-ons data and cryptocurrency wallets data from specific locations of Chrome, Edge, Edge Beta browsers, and Dash and Litecoin keys installation path in the registry. Then, the malware exfiltrates the data to its command & control.
- Collection and exfiltration of messaging application dataTactic: Collection (TA0009), Exfiltration (TA0010)Technique: Data from Local System (T1005), Exfiltration Over Command and Control Channel (T1041)Procedure: Collects messaging application data and handles different messaging applications, including Discord. Then, the malware exfiltrates the data to its command & control.
- Collection and exfiltration of email application dataTactic: Collection (TA0009), Exfiltration (TA0010)Technique: Data from Local System (T1005), Exfiltration Over Command and Control Channel (T1041)Procedure: Extracts user, password, and server information from specific Outlook registry keys under the CURRENT_USER hive. Then, the malware exfiltrates the data to its command & control.
- Collection and exfiltration of FTP and VPN application dataTactic: Collection (TA0009), Exfiltration (TA0010)Technique: Data from Local System (T1005), Exfiltration Over Command and Control Channel (T1041)Procedure: Handles different FTP and VPN applications to extract stored users and passwords. For example, for NordVPN, the malware searches the application's folder and parses all user.config files to extract the users and passwords. Then, the malware exfiltrates the data to its command & control.
BlackGuard is sold to cybercriminals on Russian-speaking forums as MaaS for $200/month or a lifetime price of $700. The new variant was discovered by AT&T, who warned that the malware is still very active, with its authors constantly improving it while keeping the subscription cost stable.
To avoid BlackGuard infections, users should avoid downloading executables from untrustworthy websites, not launch files arriving as email attachments from unknown senders, and keep their system and antivirus tools updated.
0 Comments