New Bandit Stealer targets web browsers and cryptocurrency wallets

Bandit Stealer is a new stealthy information stealer malware that targets numerous web browsers and cryptocurrency wallets.

Trend Micro researchers discovered a new info-stealing malware, dubbed Bandit Stealer, which is written in the Go language and targets multiple browsers and cryptocurrency wallets.

At this time, the malware only targets Windows systems, but experts pointed out that it has the potential to expand to other platforms because it is written in Go.

The malicious code relies on the Windows command-line utility runas.exe, which runs a program under a different user account and therefore with that account's permissions.

The malware uses the tool to try to re-launch itself with administrative privileges without drawing attention. However, Trend Micro notes that this step currently fails: runas.exe has no option to pass a password on the command line and prompts interactively for the target account's credentials, which the malware does not have.

Bandit Stealer performs some checks to determine if it’s running in a sandbox environment or testing environment.

The malware then terminates blacklisted processes associated with anti-malware solutions.

The Bandit Stealer maintains persistence by using an entry for autorun in Windows Registry.

The info-stealer collects a broad range of information and stores it in a folder named “vicinfo” under C:\Users\<Username>\AppData\Local\.
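The three host-side traces described above (a runas.exe launch of a binary living under a user's AppData folder, an autorun entry pointing into AppData, and files written to the “vicinfo” collection folder) are simple to hunt for in endpoint telemetry. The following is an added example, not code from the Trend Micro report or from this article: it runs a few detection rules over constructed Sysmon-style events (IDs 1, 13 and 11) encoded in a simplified key=value form that is an assumption of this example, not Sysmon's real XML. Paths, user names and the command line are likewise constructed sample data.

```python
"""Flag Bandit Stealer-style host behaviour in constructed Sysmon-like events.

Added example; not code from the Trend Micro report or from Security Affairs.
Event lines use a simplified 'key=value|key=value' format (an assumption of
this example), with 'id' holding the Sysmon event ID:
  1  = process creation, 11 = file created, 13 = registry value set.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample telemetry: three malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    # 1: the stealer (dropped to AppData) re-launches itself via runas.exe
    r"id=1|image=C:\Windows\System32\runas.exe|cmdline=runas /user:Administrator C:\Users\alice\AppData\Local\Temp\hot.exe|parent=C:\Users\alice\AppData\Local\Temp\hot.exe",
    # 13: autorun value under the Run key pointing back into AppData
    r"id=13|target=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\hot|details=C:\Users\alice\AppData\Local\Temp\hot.exe",
    # 11: stolen data written into the vicinfo collection folder
    r"id=11|image=C:\Users\alice\AppData\Local\Temp\hot.exe|target=C:\Users\alice\AppData\Local\vicinfo\browser_passwords.txt",
    # benign: a legitimate autorun under Program Files
    r"id=13|target=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|details=C:\Program Files\Microsoft OneDrive\OneDrive.exe",
    # benign: an administrator using runas for a console, no AppData path involved
    r"id=1|image=C:\Windows\System32\runas.exe|cmdline=runas /user:corp\admin cmd.exe|parent=C:\Windows\explorer.exe",
]

# A path inside any user's AppData tree (Local or Roaming).
APPDATA_PATH = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# The per-user or machine Run / RunOnce autostart keys.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# The collection folder named in the Trend Micro analysis.
VICINFO_DIR = re.compile(r"\\AppData\\Local\\vicinfo\\", re.IGNORECASE)


def parse_event(line: str) -> Event:
    """Parse one 'key=value|key=value' line into a dict; split each field on its first '='."""
    event: Event = {}
    for field in line.split("|"):
        key, sep, value = field.partition("=")
        if sep:
            event[key.strip()] = value.strip()
    return event


def detect(lines: List[str]) -> List[Tuple[str, Event]]:
    """Return (rule_name, event) for every event matching one of the three rules."""
    findings: List[Tuple[str, Event]] = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("id")
        image = ev.get("image", "").lower()
        if eid == "1" and image.endswith("\\runas.exe") and APPDATA_PATH.search(ev.get("cmdline", "")):
            # runas.exe used to (re)launch something that lives in a user's AppData tree
            findings.append(("runas_from_appdata", ev))
        elif eid == "13" and RUN_KEY.search(ev.get("target", "")) and APPDATA_PATH.search(ev.get("details", "")):
            # autorun persistence whose payload sits under AppData
            findings.append(("autorun_to_appdata", ev))
        elif eid == "11" and VICINFO_DIR.search(ev.get("target", "")):
            # file written into the stealer's collection folder
            findings.append(("vicinfo_write", ev))
    return findings


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"[{rule}] id={ev['id']} {ev.get('cmdline') or ev.get('details') or ev.get('target')}")
```

The AppData rule is deliberately broad: legitimate software does install into AppData, so in production these hits are triage signals to be joined with the parent process and file hash, not verdicts on their own.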

“Additionally, the malware scans for specific browser extensions associated with cryptocurrency wallets by checking the path of the browser extensions,” reads the report published by Trend Micro.

Bandit Stealer is also able to collect Telegram session data, which lets the attacker impersonate the victim and carry out actions such as reading private messages and accessing data associated with the compromised account.

The information-stealing malware might have been downloaded by users while visiting malicious websites or by opening the attachment of a phishing email.

The attachment is a self-extracting archive that drops and runs the hot.exe file to start the infection. It also opens a harmless decoy Word document so the victim sees nothing unusual.

“While Bandit Stealer was specifically developed to operate on Windows systems, we have observed the presence of Linux commands. As the binary sample of Bandit Stealer is designed to run in Windows, some Linux commands used by the malware” concludes the report published by Trend Micro. “It is possible that these commands will be used in future cross-platform developments of the malware following the advertisement in the malware community stating developers are continuously updating the malware’s features and security patches.”

Pierluigi Paganini

(SecurityAffairs – hacking, malware)
