
Bandit Stealer

Cybersecurity researchers have recently discovered an information-stealing malware called Bandit Stealer. It has drawn attention because it targets a wide range of Web browsers and cryptocurrency wallets while taking steps to stay hidden on the infected host.

According to a report published by security researchers, the malware is written in the Go programming language, which would make it comparatively easy for its developers to port it to other operating systems.

Currently, Bandit Stealer targets Windows systems. It abuses runas.exe, a legitimate Windows command-line tool that runs a program under a different user account, to launch itself with administrative rights. Note that runas.exe is not a privilege-escalation flaw: it only starts the program as the named account if that account's correct password is supplied. Running elevated, the malware can read data that a standard-user process could not reach and evade some of the controls that would otherwise limit its collection activity.

The Bandit Stealer Establishes Persistence and Exfiltrates Sensitive Data

To run as an administrator, the malware has to get past Microsoft's User Account Control (UAC): whoever launches the binary under an administrator account must supply that account's credentials. According to the researchers, this is why Bandit Stealer invokes runas.exe. The utility runs a program under another user's account with that account's privileges and is normally used by administrators when the current account lacks the rights a particular command or program needs. The malware does not bypass UAC; it depends on the credentials being supplied.

Bandit Stealer also performs several checks to determine whether it is running inside a sandbox or virtual machine, and it terminates any running processes that appear on a built-in blocklist so that its activity on the compromised system is less likely to be observed.

Before it begins collecting personal and financial data from Web browsers and cryptocurrency wallets, Bandit Stealer establishes persistence by modifying the Windows Registry so that it is relaunched after a reboot.
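The two host behaviours described above, a runas.exe launch used to run a binary under another account and a Registry autorun entry, both leave traces in endpoint telemetry. The following detector is an added example written for this page, not code from the researchers' report or from the malware itself. It runs over a handful of constructed, Sysmon-style event lines (a simplified key=value format loosely modelled on the Sysmon fields EventID, Image, ParentImage, CommandLine, TargetObject and Details; the format, the paths and the SID are assumptions made for the example, not real telemetry) and flags a runas.exe invocation whose parent or target lives in a user-writable directory, and a Run-key value that points into such a directory.

```python
"""
Added example (not from the original page or from any analysis of Bandit
Stealer): flag runas.exe launches and Run-key persistence entries that
involve binaries in user-writable locations.

Event lines are a constructed key=value format loosely modelled on Sysmon
fields. EventID 1 = process creation, EventID 13 = registry value set.
"""
import re
from typing import Dict, List, Tuple

# key=value pairs; a value may be a double-quoted string containing spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Directories a standard user can normally write to (assumption for the
# heuristic; extend to match local policy).
USER_WRITABLE_RE = re.compile(r"\\(Users\\[^\\]+|ProgramData|Temp)\\", re.IGNORECASE)
# Autorun keys under HKLM or HKU\<SID>.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Constructed sample telemetry (not real logs). Index 0 and 2 are the
# suspicious ones; 1, 3 and 4 are ordinary administrator/vendor activity.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\runas.exe ParentImage=C:\Users\alice\AppData\Local\Temp\update.exe CommandLine="runas /user:Administrator C:\Users\alice\AppData\Local\Temp\update.exe"',
    r'EventID=1 Image=C:\Windows\System32\runas.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="runas /user:CORP\admin C:\Windows\System32\mmc.exe"',
    r'EventID=13 Image=C:\Users\alice\AppData\Local\Temp\update.exe TargetObject=HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater Details=C:\Users\alice\AppData\Local\Temp\update.exe',
    r'EventID=13 Image=C:\Windows\System32\msiexec.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray Details="C:\Program Files\Vendor\tray.exe"',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine=notepad.exe',
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line; quoted values keep their inner spaces."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def runas_target(cmdline: str) -> str:
    """Return the program that runas.exe was asked to launch, or '' if none."""
    match = re.search(r"/user:\S+\s+(.+)$", cmdline, re.IGNORECASE)
    return match.group(1).strip().strip('"') if match else ""


def check_event(event: Dict[str, str]) -> List[str]:
    """Apply both heuristics to one parsed event and return the rule names hit."""
    findings: List[str] = []
    event_id = event.get("EventID", "")
    image = event.get("Image", "")
    if event_id == "1" and image.lower().endswith("\\runas.exe"):
        cmdline = event.get("CommandLine", "")
        if "/user:" in cmdline.lower():
            parent = event.get("ParentImage", "")
            target = runas_target(cmdline)
            # runas.exe itself is legitimate; what is unusual is a parent or a
            # target executable sitting in a directory the user can write to.
            if USER_WRITABLE_RE.search(parent) or USER_WRITABLE_RE.search(target):
                findings.append("runas_from_user_writable_path")
    elif event_id == "13" and RUN_KEY_RE.search(event.get("TargetObject", "")):
        # A Run-key value whose data points into a user-writable directory is
        # a common persistence pattern for malware dropped as a normal user.
        if USER_WRITABLE_RE.search(event.get("Details", "")):
            findings.append("run_key_points_to_user_writable_path")
    return findings


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run check_event over every line; return (line index, rule name) pairs."""
    results: List[Tuple[int, str]] = []
    for index, line in enumerate(lines):
        for rule in check_event(parse_event(line)):
            results.append((index, rule))
    return results


if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

Both heuristics deliberately key on the executable's location rather than on runas.exe or the Run key alone, since administrators use runas.exe routinely and installers legitimately write autorun values; a real deployment would tune the user-writable directory list and correlate the two findings by process image, as they share the same path in the constructed sample.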

Bandit Stealer is believed to be distributed through phishing emails that carry a malicious dropper. The dropper opens a seemingly harmless Microsoft Word document as a decoy while the infection proceeds silently in the background.

The Market for Infostealers and Collected Data Continues to Grow

The data harvested by stealers gives their operators a range of options, including identity theft, direct financial gain, data breaches, credential-stuffing attacks and account takeovers. The stolen information can also be sold to other criminals as the starting point for follow-on attacks, ranging from targeted intrusions to ransomware or extortion.

These developments show that stealer malware continues to evolve into a more serious threat, while the Malware-as-a-Service (MaaS) model has made such tools readily available and lowered the barrier to entry for would-be cybercriminals.

In fact, security researchers have observed a thriving infostealer market: the number of stolen logs offered on underground forums such as the Russian Market rose by over 600% between 2021 and 2023.

