Predator the Thief
A new info stealer named Predator the Thief has recently been detected in several large-scale attacks. Its author appears to be a user called 'Alexuiop1337', who is currently selling Predator the Thief on several Russian forums. The initial price was $35, but after several updates, and perhaps after seeing the interest it had garnered, the author raised the price to $80. This did not diminish interest in Predator the Thief, because even at $80 a threat with so many features is still a bargain for its buyers.
It is not clear exactly how Predator the Thief is propagated, but the main means of distribution is very likely mass spam email campaigns. So far, Predator the Thief has been observed spreading via WinRAR archives crafted specifically to achieve infiltration through the CVE-2018-20250 exploit. Another observed method is macro-laced documents attached to fraudulent emails. Once it has successfully penetrated a system, Predator the Thief checks whether the machine is a sandbox environment; if it is, Predator the Thief halts its attack.
If the computer Predator the Thief has landed on is not used for malware debugging, it begins scanning certain folders and Registry keys that are known to hold sensitive data. Predator the Thief targets a vast number of applications. It can collect data from Web browsers such as Mozilla Firefox, Google Chrome, Opera, Vivaldi, Comodo Dragon, Torch, Sputnik, and other Chromium-based Web browsers. Predator the Thief can also infiltrate a user's Discord account by targeting the 'https_discordapp_*localstorage' data, provided that the victim has the right configuration. It can also collect data from the WinFTP and FileZilla applications. The authors of Predator the Thief have made sure it can also infiltrate cryptocurrency wallet services used for storing Bitcoin, Ethereum, Armory, Electrum, Multibit, Bytecoin and others, which it does by manipulating the '.dat' and '.wallet' files. Users of the gaming platform Steam are not safe either: Predator the Thief can gain access to their accounts by bypassing the 2FA security process used by Steam, and if this does not work, the same can be achieved in offline mode.
Once Predator the Thief is satisfied with the data it has gathered, the personal information about the targeted user is dumped in a file named 'information.log'. This file contains the victim's country, city, ZIP code, approximate location, time zone and IP address. Then 'information.log', together with all the other data Predator the Thief has collected, is sent to the attacker's servers. When this is complete, Predator the Thief wipes itself off the system along with any traces it may have left while operating on it.
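The harvesting sequence described above (touching browser credential stores, Discord localstorage, FileZilla/WinFTP configuration, '.dat'/'.wallet' files, then staging 'information.log') gives a defender something to correlate on. The following Python is an added example, not code from the article or its author: it scores a file-access log per process against those locations; the log format, process IDs and file paths are constructed for illustration.

```python
"""Behavioral detection of stealer-style file access (added example, constructed data):
flag a process that reads several of the data categories the article names and
note whether it also wrote the information.log staging file."""
import re
from collections import defaultdict

# One pattern per data category the stealer harvests. The wallet rule (.dat/.wallet)
# is noisy alone, so detect() requires several distinct categories before flagging.
SENSITIVE_PATTERNS = {
    "browser": re.compile(r"\\(Login Data|logins\.json|key4\.db|Cookies)$", re.I),
    "discord": re.compile(r"https_discordapp.*localstorage", re.I),
    "ftp": re.compile(r"\\(FileZilla\\(sitemanager|recentservers)\.xml|WinFTP[^\\]*\.ini)$", re.I),
    "wallet": re.compile(r"\.(dat|wallet)$", re.I),
}
STAGING = re.compile(r"\\information\.log$", re.I)

def classify(path):
    """Return the sensitive-data category a path belongs to, or None."""
    for name, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(path):
            return name
    return None

def detect(events, min_categories=3):
    """events: iterable of (pid, action, path) tuples from a file-access log.
    Returns {pid: finding} for each pid that touched at least min_categories
    distinct categories; staged_log records a write to information.log."""
    touched, staged = defaultdict(set), set()
    for pid, action, path in events:
        if action == "write" and STAGING.search(path):
            staged.add(pid)
        category = classify(path)
        if category:
            touched[pid].add(category)
    return {pid: {"categories": sorted(cats), "staged_log": pid in staged}
            for pid, cats in touched.items() if len(cats) >= min_categories}

# Constructed sample log: pid 4242 behaves like the stealer, pid 1001 is a browser.
SAMPLE_EVENTS = [
    (1001, "read", r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (4242, "read", r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (4242, "read", r"C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\logins.json"),
    (4242, "read", r"C:\Users\a\AppData\Roaming\discord\Local Storage\https_discordapp.com_0.localstorage"),
    (4242, "read", r"C:\Users\a\AppData\Roaming\FileZilla\sitemanager.xml"),
    (4242, "read", r"C:\Users\a\AppData\Roaming\Electrum\wallets\default_wallet.wallet"),
    (4242, "write", r"C:\Users\a\AppData\Local\Temp\information.log"),
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

The browser process that legitimately reads its own 'Login Data' is not flagged because it touches only one category; the stealer-like process is flagged with all four plus the staging write.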
When an info stealer is as well-made as Predator the Thief, it is very likely that victims never even realize their systems have been infiltrated. It is of utmost importance that you have a legitimate anti-malware tool in place and update it regularly, because there are shady individuals all over the Internet just waiting for you to fall into one of their traps.