Blackguard Infostealer is a malware strain that was first discovered infecting Windows devices at the start of 2022. Other security researchers have already documented how the malware operates and its dissemination via underground Russian crimeware forums [1, 2]. This article aims to expand on existing research by exploring its data exfiltration capabilities in greater detail. Blackguard is designed to steal a wide range of personal data, including credentials, cookies, messaging history, browsing history, cryptocurrency wallet information, and screenshots from the infected machine. Attackers distribute Blackguard using a variety of techniques, including drive-by downloads and phishing emails containing malicious attachments. By understanding what types of data attackers want, we can better understand the value Blackguard offers its authors and operators, and therefore how the malware fits into the broader cybercrime ecosystem.

Once Blackguard Infostealer has infected a victim's device, it initiates techniques such as system Application Programming Interface (API) hooking, Dynamic Link Library (DLL) injection and resource hijacking to steal credentials from browsers, messenger clients, and other client-side software.

The stolen data is compressed and exfiltrated over the same HTTP-based communication channel that the attackers use for command and control (C&C). The exfiltrated credentials are stored on the C&C server and then used to conduct additional attacks such as credential stuffing, account creation, and online fraud. In our research of BlackGuard Infostealer we identified an exposed C&C administrator panel (Figure 1) and analyzed the stolen data stored within. The stolen credentials are stored in a "password.txt" file on the C&C server, which contains the usernames, passwords, and associated URLs.

Web servers often use cookies to store session state; that is to say, the cookie signals to the server that a user has already successfully authenticated to the system. Stealing session cookies allows attackers to conduct session hijacking, allowing them to interact with the web server as the victim without ever having to provide credentials. Once that is accomplished, the attackers can inject malicious code into web resources specific to the user account, and the injected code can be distributed to large sets of users by sharing the tampered resources. BlackGuard Infostealer exfiltrates web session cookies from browsers such as Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple's Safari. Figure 5 shows how Blackguard Infostealer stores stolen cookies from the Chrome browser. The log file "Cookies_Chrome2.txt" contains the session cookie details along with the session key and the associated website.

In Figure 8, we can see that BlackGuard Infostealer stole information about an Exodus crypto wallet and a Google Chrome wallet from the compromised system.
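The session-hijacking risk described above comes from the server accepting a cookie as proof of authentication regardless of where it is presented from. The following is an added defensive example, not code from the original article or from the researchers: a server-side check over a constructed request log that binds each session to the client that established it and flags the same session cookie being replayed from a different IP and user agent.

```python
"""Flag reuse of an authenticated session from a client other than the one that
created it, a server-side check for replay of a stolen session cookie."""
from collections import namedtuple
import hashlib

Request = namedtuple("Request", "ts session_id client_ip user_agent path")

# Constructed sample traffic (not real data): session s1 is established from one
# host, then the same cookie value appears from a different IP and browser.
SAMPLE_REQUESTS = [
    Request(100, "s1", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/111", "/login"),
    Request(130, "s1", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/111", "/account"),
    Request(900, "s1", "198.51.100.7", "python-requests/2.28", "/account/settings"),
    Request(950, "s2", "192.0.2.44", "Mozilla/5.0 (X11; Linux) Firefox/110", "/login"),
]


def client_fingerprint(ip, user_agent):
    """Hash of the client attributes a session is bound to at creation time."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


def detect_session_reuse(requests):
    """Return one alert per request whose session is presented by a client whose
    fingerprint differs from the one recorded when the session was first seen.
    A legitimate IP change (e.g. a mobile network) would also trigger this, so a
    deployment would typically step up authentication or revoke the session
    rather than block outright; the user-agent change is the stronger signal."""
    bound = {}   # session_id -> fingerprint of the client that first used it
    alerts = []
    for r in sorted(requests, key=lambda r: r.ts):
        fp = client_fingerprint(r.client_ip, r.user_agent)
        if r.session_id not in bound:
            bound[r.session_id] = fp
        elif fp != bound[r.session_id]:
            alerts.append({
                "session_id": r.session_id,
                "ts": r.ts,
                "client_ip": r.client_ip,
                "user_agent": r.user_agent,
                "path": r.path,
                "action": "revoke session and require re-authentication",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_REQUESTS):
        print(alert)
```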