Pierluigi Paganini
June 29, 2023
Fortinet FortiGuard Labs discovered a previously undetected information stealer named ThirdEye.
The malicious code is not sophisticated and can allow operators to steal various information from the infected machines.
Fortinet started investigating the threat after the discovery of an archive file with a file name in Russian, “Табель учета рабочего времени.zip” (“time sheet” in English). The zip archive contains two files with .exe extension preceded by another document-related extension (double extension).
The malware was in an executable that masqueraded as a PDF file with a Russian name “CMK Правила оформления больничных листов.pdf.exe,” (“CMK Rules for issuing sick leaves.pdf.exe” in English)
Screenshot of Figure 1. CMK Правила оформления больничных листов.pdf.exe
Upon executing it, the ThirdEye infostealer harvests system information, and enumerates files and folders, running processes, and network information. Then the malware sends collected data to C2 server.
The malware name comes from the string “3rd_eye” which ThirdEye decrypts and uses, along with another hash value, as ID when connecting to the C2 server.
The second file in the .zip archive is “Табель учета рабочего времени.xls.exe”, which shares the same file name with the parent file. This file is a ThirdEye infostealer variant-
The investigation revealed that the first sample of the malware was uploaded to the file-scanning service VirusTotal on April 4th, 2023.
This oldest sample was less efficient than recent samples and collected lesser information.
“Although there is no concrete evidence that ThirdEye infostealer was used in attacks, the malware is designed to collect information from compromised machines that is valuable for understanding and narrowing down potential targets. We believe this infostealer was designed for that purpose, and ThirdEye victims may be the subjects of future cyberattacks.” concludes the report. “Since most ThirdEye variants were submitted to a public scanning service from Russia, and the latest variant has a file name in Russian, the attacker may be looking to deploy malware to Russian-speaking organizations.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ThirdEye)
