A hacking operation that delivers username- and password-stealing malware onto victims' devices has been updated with new tricks in a bid to make its attacks more efficient, stealthy and profitable.
How dangerous is this malware?
The malware, dubbed Predator the Thief, was first reported in July 2018 and can steal not only credentials such as usernames and passwords, victims' browsing data and cryptocurrency from wallets, but can also take photos using the victim's webcam.
The malware is sold on the dark web and hacking forums and is regularly updated with more capable versions, as researchers at Fortinet's FortiGuard Labs recently discovered.
How does it operate?
The malware is distributed through phishing emails posing as invoices, and has previously even used fake court summonses bearing UK Ministry of Justice logos to make the documents look more authentic. The emails ask the victim to click on a link, and when they do, the malware is delivered onto their computer.
Predator the Thief's current version (3.3.4) was released on Christmas Eve and has been updated with additional tricks to avoid detection, using shellcode to make the malware more effective at detecting debuggers and sandboxes – something it now scans for every five seconds.
The security researchers also found that the command and control server's configuration is now more complex and detailed than before and that its data is now encrypted, which makes the malware's traffic and behaviour harder to analyse. Moreover, Predator the Thief also has some file-less tricks up its sleeve. "This makes it more difficult for analysts to analyze its damage to the victim system," said Yueh-Ting Chen, security analyst at Fortinet.
Where does it originate from?
The malware appears to be Russia-based, and Fortinet is "fairly certain" that the cyber criminals behind it are Russian-speaking. Also, the malware does not operate in Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan, another tell-tale sign that the attackers are Russian, as Russian criminal groups tend not to target those countries.
How to protect yourself?
To help protect against Predator the Thief attacks, researchers have previously recommended that Office macros be disabled by default and that users be made aware of the dangers of enabling them. Keeping operating systems and software patched and up to date can also go a long way towards stopping malware attacks from succeeding.