
New Infostealer Malware Distributed on Dark Web


Russian hacking underground forums have always been fertile ground for malware distribution. Security researchers have only recently discovered a new strain of malware being sold on one of those forums.

The new malware acts as an infostealer and goes by the name of BlackGuard. It was spotted by security researchers at cloud security company Zscaler. They found that BlackGuard is being sold on a malware-as-a-service basis, with the authors charging a $200 monthly fee for its use.

BlackGuard sold both as a service and as a one-time purchase

In addition to the monthly "subscription" fee for the malware, the authors also offer a one-time upfront purchase of $700, giving lifetime access. This seems like a curious decision, given how expensive the monthly subscription is in comparison.

BlackGuard comes with all the functionality you would expect from an infostealer. It can scrape passwords, autofill form data, browser history and cookies, as well as message history saved in apps such as Discord, Telegram and Element. The malware is also able to target wallet files for a number of cryptocurrencies, including Ethereum and Bitcoin wallets.

According to Zscaler, the infostealer is still being actively developed but already boasts a number of features to make it more appealing to potential affiliates or buyers. BlackGuard already has obfuscation and anti-debugging capabilities built in to make analysis by security researchers harder.

BlackGuard avoids targets located in CIS countries

It's not too difficult to imagine where the malware originates. It checks the country of the system it lands on, and if that is Russia or one of the former Soviet republics, collectively referred to as the Commonwealth of Independent States, the process simply terminates itself.

The infostealer scrapes all data it can find on the target system, then packs everything up in an archive file and sends the collected information over to its command and control servers, using HTTP POST requests.
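The exfiltration pattern described above (an archive uploaded to a command and control server via HTTP POST) is something a defender can hunt for in proxy logs. The following is an added example, not code from the article or from Zscaler's research: it runs a simple heuristic over constructed proxy log lines in an assumed, simplified format (timestamp, client, method, host, status, content-type, bytes) and flags archive-typed POST bodies sent to hosts outside an assumed allowlist.

```python
"""Heuristic hunt for archive exfiltration over HTTP POST.

Added example; the log lines, field layout, hosts and thresholds
below are all constructed or assumed for illustration.
"""
from dataclasses import dataclass

# Constructed proxy log sample. Hosts use documentation ranges / placeholders.
SAMPLE_LOG = """\
2022-03-30T10:01:02Z 10.0.0.5 POST mail.example-corp.internal 200 text/html 512
2022-03-30T10:01:09Z 10.0.0.5 POST 203.0.113.77 200 application/zip 248000
2022-03-30T10:02:30Z 10.0.0.8 GET cdn.example.net 200 application/octet-stream 90000
2022-03-30T10:03:11Z 10.0.0.5 POST backup.example-corp.internal 200 application/zip 5000000
2022-03-30T10:04:45Z 10.0.0.9 POST 198.51.100.23 404 application/x-rar-compressed 120000
"""

# Content types commonly seen when an archive is uploaded.
ARCHIVE_TYPES = {"application/zip", "application/x-rar-compressed",
                 "application/x-7z-compressed", "application/octet-stream"}
# Assumed allowlist of hosts where archive uploads are expected and legitimate.
ALLOWED_HOSTS = {"backup.example-corp.internal"}
MIN_BYTES = 50_000  # ignore tiny uploads to reduce noise

@dataclass
class Alert:
    client: str
    host: str
    content_type: str
    size: int

def parse_line(line):
    """Split one log line into typed fields (assumed 7-column layout)."""
    ts, client, method, host, status, ctype, size = line.split()
    return ts, client, method, host, int(status), ctype, int(size)

def find_exfil_candidates(log_text):
    """Flag POSTs carrying archive-typed bodies to non-allowlisted hosts.

    A failed upload (non-2xx status) is still flagged: a stealer that could
    not reach its server is still a stealer running on the host.
    """
    alerts = []
    for line in log_text.strip().splitlines():
        _ts, client, method, host, _status, ctype, size = parse_line(line)
        if method != "POST" or ctype not in ARCHIVE_TYPES:
            continue
        if host in ALLOWED_HOSTS or size < MIN_BYTES:
            continue
        alerts.append(Alert(client, host, ctype, size))
    return alerts

if __name__ == "__main__":
    for a in find_exfil_candidates(SAMPLE_LOG):
        print(f"suspect upload: {a.client} -> {a.host} ({a.content_type}, {a.size} bytes)")
```

On the constructed sample this flags the two uploads to the bare-IP hosts and ignores the legitimate backup upload and the GET download; in production the allowlist and size threshold would be tuned to the environment.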

While there are other, more feature-rich and more popular infostealers out there, researchers warn that BlackGuard is gaining traction and should be watched closely because it may grow into a more dangerous threat soon.
