
ImBetter Stealer

ImBetter is threatening software designed to steal sensitive information from compromised computer systems and the applications installed on them. The malware can extract a wide range of personal and confidential data, such as passwords, login credentials, credit card information, and other sensitive data that can be used for fraudulent activities. Details about the attack chain and capabilities of the threat were released in a report by the cybersecurity researchers at Cyble Research and Intelligence Labs.

Threat Actors Imitate Legitimate Cryptocurrency Websites to Spread the ImBetter Stealer

Cybercriminals are using phishing websites that mimic popular cryptocurrency wallets and online file converters to target Windows users. These malicious websites are designed to trick users into downloading information-stealing malware, which can compromise their sensitive data.

The newly discovered ImBetter information-stealing malware is capable of stealing victims' confidential browser data, including saved login credentials, cookies, user profiles, and cryptocurrency wallets. Additionally, the malware takes screenshots of the victim's system and sends them to the attackers.

With both kinds of phishing website, the user's interaction with the page, such as clicking on certain buttons or links, triggers the infection process. Once the malware is installed, it operates silently in the background, collecting data and sending it back to the attackers.

This type of cyberattack is particularly dangerous because it can go undetected for extended periods, allowing the attackers to steal significant amounts of data.

Threatening Capabilities of the ImBetter Stealer

The information-stealing malware checks the Language Code Identifier (LCID) of the infected system to determine its language and region. If the system belongs to any of the regions associated with the Russian language, including Kazakh, Tatar, Bashkir, Belarusian, Yakut, or Russian-Moldova, the malware terminates itself. This suggests that the attackers are likely Russian speakers.

If the system does not belong to one of the identified regions, the malware takes a screenshot of the system and saves it in the C:\Users\Public folder under the filename 'Scr-urtydcfgads.png'. The screenshot is then sent to the Command and Control (C2, C&C) server.

Once a socket connection is established to the C&C server, the information-stealing malware gathers various details about the infected system. This includes the hardware ID, GPU details, system RAM size, CPU details, screen details, and the name of the malware executable.

The malware stores each system detail separately as a key-value pair string in memory. This string is then encoded using the Base64 format and transmitted to the C&C server over the socket that was established in an earlier stage.

Once ImBetter has finished extracting system information, it checks for browser applications installed on the infected device. The malware is capable of compromising over 20 different browsers, and the list of targeted browsers shows a heavy focus on Chromium-based web browsers. Additionally, the ImBetter Stealer is capable of targeting nearly 70 different types of cryptocurrency wallets.
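As an added example (not code from the report or from this page), the following Python sketch turns the check-in behaviour described above into a detection heuristic for a captured C&C socket payload: it strictly Base64-decodes the data, splits it into key-value pairs, and flags the payload when most of the reported fingerprint categories (hardware ID, GPU, RAM, CPU, screen, executable name) are present. The key names, the ';' delimiter and the threshold are assumptions; the report does not disclose them.

```python
import base64
import binascii
import re

# Fingerprint categories the report says ImBetter collects as key-value
# strings and sends Base64-encoded over its C2 socket. The exact key names
# are NOT in the report; these regexes are assumptions covering common spellings.
FINGERPRINT_KEYS = {
    "hwid": re.compile(r"^(hw|hardware)[-_ ]?id$", re.I),
    "gpu": re.compile(r"^(gpu|video|graphics)", re.I),
    "ram": re.compile(r"^(ram|memory)", re.I),
    "cpu": re.compile(r"^(cpu|processor)", re.I),
    "screen": re.compile(r"^(screen|display|resolution)", re.I),
    "exe": re.compile(r"^(exe|executable|file)[-_ ]?name$", re.I),
}

def decode_payload(raw: bytes):
    # Strict Base64 decode of a captured socket payload; None if it is not Base64 text.
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def parse_pairs(text: str) -> dict:
    # Split "key=value" pairs on ';' or newlines (the delimiter is an assumption).
    pairs = {}
    for chunk in re.split(r"[;\n]", text):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs

def score_fingerprint(raw: bytes):
    # Return (count of matched fingerprint categories, their names).
    text = decode_payload(raw)
    if text is None:
        return 0, []
    pairs = parse_pairs(text)
    hits = [name for name, rx in FINGERPRINT_KEYS.items()
            if any(rx.search(key) for key in pairs)]
    return len(hits), hits

def is_suspected_beacon(raw: bytes, threshold: int = 4) -> bool:
    # Flag when at least `threshold` categories appear; tune to your own traffic.
    return score_fingerprint(raw)[0] >= threshold

# Constructed samples (not real captures): a fingerprint-style check-in and benign data.
SAMPLE = base64.b64encode(b"hwid=ABCD-1234;gpu=Example GPU;ram=16384;"
                          b"cpu=Example CPU;screen=1920x1080;exename=setup.exe")
BENIGN = base64.b64encode(b"user=alice;theme=dark")
```

Feed it the application-layer bytes of an outbound TCP session from a network capture; on the host side, the screenshot artifact path named above is a simpler indicator to check.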

This behavior demonstrates the advanced capabilities of the information-stealing malware and the high level of sophistication of the attackers behind it. It is crucial to remain vigilant when browsing the internet, keep software up-to-date, and use anti-malware software to reduce the risk of infection.
