Infostealer written in the Go language gives attackers the potential to carry out cross-platform malicious operations
A new stealthy malware capable of stealing information from browsers and cryptocurrency wallets has caught the attention of Trend Micro cybersecurity experts. The malware is called Bandit Stealer and is written in the Go programming language, which in principle allows it to run on different platforms.
So far, Bandit Stealer has only targeted Windows, where it abuses the legitimate "runas.exe" command-line utility, which lets a user run a program under a different account with that account's set of system permissions. The attackers' goal in using "runas.exe" is to obtain administrative access and bypass security controls so that they can collect a large amount of data.
“Using the runas.exe command, users can run programs as an administrator or any other user with appropriate rights, providing a more secure environment for performing critical applications or system tasks. This utility is especially useful in situations where the current user account does not have sufficient rights to execute a particular command or program,” Trend Micro said in a May 26 report.
Bandit Stealer checks whether it is running in a sandbox or virtual environment and then terminates a number of system processes to hide its presence on the infected computer. The malware also establishes persistence on the target system by modifying the Windows registry.
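To show how a defender might look for the two behaviours just described (runas.exe launched from an untrusted parent process, and a Run-key entry pointing at a user-writable path), here is an added example written for this article; it is not code from Trend Micro's report or from the malware. The key=value telemetry format, field names and sample paths are constructed assumptions for the example:

```python
import re

# Constructed sample telemetry in a simplified key=value form (an assumption of this
# example, not a real Sysmon/EDR format). All paths and file names are made up.
SAMPLE_EVENTS = [
    r'type=ProcessCreate parent="C:\Windows\explorer.exe" image="C:\Windows\System32\runas.exe" cmdline="runas /user:Administrator cmd.exe"',
    r'type=ProcessCreate parent="C:\Users\bob\Downloads\Invoice.exe" image="C:\Windows\System32\runas.exe" cmdline="runas /user:Administrator C:\Users\bob\AppData\Local\Temp\upd.exe"',
    r'type=RegistrySet key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater" value="C:\Users\bob\AppData\Local\Temp\upd.exe"',
    r'type=RegistrySet key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive" value="C:\Program Files\Microsoft OneDrive\OneDrive.exe"',
]

# Directories a legitimate parent of runas.exe is normally expected to live in (heuristic).
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files")
# Path fragments that indicate a user-writable location: an odd home for a Run-key target.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

def parse_event(line):
    """Turn one key=value / key="value with spaces" line into a dict of lower-cased values."""
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[key] = (quoted or bare).lower()
    return fields

def detect(lines):
    """Return (rule, detail) findings for two behaviours from the Bandit Stealer write-up:
    runas.exe spawned by a parent outside trusted directories, and a Run-key value that
    points at a user-writable path. Both are heuristics and need tuning per environment."""
    findings = []
    for ev in map(parse_event, lines):
        if ev.get("type") == "processcreate" and ev.get("image", "").endswith("\\runas.exe"):
            parent = ev.get("parent", "")
            if not parent.startswith(TRUSTED_PARENT_DIRS):
                findings.append(("runas_untrusted_parent", parent))
        elif ev.get("type") == "registryset" and "\\currentversion\\run\\" in ev.get("key", ""):
            value = ev.get("value", "")
            if any(d in value for d in USER_WRITABLE_DIRS):
                findings.append(("run_key_user_writable", value))
    return findings

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(rule, detail)
```

Run against the constructed events, only the runas.exe launch from the Downloads folder and the Run-key entry under Temp are flagged; the interactive runas.exe use and the OneDrive autorun pass.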
Bandit Stealer's malicious activity includes extracting personal and financial data stored in browsers and cryptocurrency wallets. The malware spreads through phishing emails containing a downloader file that opens a harmless Microsoft Word document as a distraction, while the actual infection takes place in the background.
Data collected by infostealers can benefit operators in many ways: it can be used for identity theft, financial gain, data privacy breaches, credential brute-force attacks, and account takeovers. The stolen information can also be sold to other actors and serve as the basis for subsequent attacks, which can range from targeted campaigns to extortion or ransomware attacks.