Uptycs, an information security company, has discovered a new credential-stealing malware called Zaraza bot, which is sold on Telegram and uses the messenger as a command and control server (C2, C&C).
Zaraza bot targets a large number of web browsers and is actively spreading on the Telegram channel, which is popular among cybercriminals. Once the malware infects the victim's computer, it extracts sensitive data and sends it to a Telegram bot controlled by the attacker.
Zaraza bot is a 64-bit binary compiled with C#. When infected, the malware extracts all possible credentials stored on the victim's computer. Specifically, the stealer targets 38 different web browsers, including Google Chrome, Microsoft Edge, Opera, AVG Browser, Brave, Vivaldi, and Yandex. The stealer is also capable of taking screenshots of the active window.
Note that the web browser stores credentials in the system in two encrypted formats (new versions of the browser use v80 password signing, and older versions use the Windows DPAPI function), but Zaraza bot is able to decrypt both formats.
The Zaraza bot then extracts credentials from online banking, cryptocurrency wallets, email, and other websites. The stolen data can then be used by hackers for malicious purposes such as identity theft, financial fraud, and unauthorized access to personal and corporate accounts.
According to Uptycs, the Zaraza bot is offered to other cybercriminals as a commercial tool for a subscription. It should be noted that access to the Telegram bot for subscribing is limited. Because of this, the Uptycs research team was unable to interact with the bot.
Analyzing HTTPS packets, the experts found that the Zaraza bot intercepted data containing the nickname and account information of a Russian user. This indicates that the Russian user is associated with either the bot administrator or a cybercriminal using the Zaraza bot.
It is currently unclear how the Zaraza bot is distributed, but in the past, cybercriminals commonly used 2 methods of distribution: malicious advertising and social engineering. To reduce the risk of stealer attacks, users are encouraged to use two-factor authentication (2FA) and apply software and OS updates as they become available.
The Uptycs findings come after the Microsoft Threat Intelligence team announced a new phishing campaign targeting accounting firms and tax authorities using the GuLoader downloader, which installs the Remcos RAT trojan, allowing initial access to corporate networks.