Cracked software beats gold: new macOS backdoor stealing cryptowallets
A month ago, we discovered some cracked apps circulating on pirating websites and infected with a Trojan proxy. The malicious actors repackaged pre-cracked applications as PKG files with an embedded Trojan proxy and a post-install script initiating the infection. We recently caught sight of a new, hitherto unknown, macOS malware family that was piggybacking on cracked software. […]
JAVA-Based Sophisticated Stealer Using Discord Bot as EventListener
Executive Summary: In mid-November 2023, Trellix Advanced Research Center team members observed a Java-based stealer being spread through cracked software zip files using JDABuilder Classes to create an instance of the EventListener to easily register. The Stealer uses Discord bot channel as an EventListener. Delivery Mechanism: Figure 1: Infection Mechanism Threat Analysis: The Malicious ZIP […]
The Many Faces of Undetected macOS InfoStealers | KeySteal, Atomic & CherryPie Continue to Adapt
We have been reporting on the rise of infostealers targeting macOS since early last year, but threat actors show no signs of slowing down. Throughout last year, we saw variants of Atomic Stealer, macOS MetaStealer, RealStealer and others. Recent updates to macOS’s XProtect signature database indicate that Apple are aware of the problem, but early 2024 has already seen […]
Exploring FBot | Python-Based Malware Targeting Cloud and Payment Services
Executive Summary Overview The cloud hacktool scene is highly intertwined, with many tools relying on one another’s code. This is particularly true for malware families like AlienFox, Greenbot, Legion, and Predator, which share code from a credential scraping module called Androxgh0st. We identified a tool that is related but distinct from these families. FBot is a Python-based […]
Atomic Stealer rings in the new year with updated version
Last year, we documented malware distribution campaigns both via malvertising and compromised sites delivering Atomic Stealer (AMOS) onto Mac users. This stealer has proven to be quite popular in the criminal underground and its developers have been adding new features to justify its hefty $3000/month rental fee. It looks like Atomic Stealer was updated around mid to late December […]
Deceptive Cracked Software Spreads Lumma Variant on YouTube
FortiGuard Labs recently discovered a threat group using YouTube channels to distribute a Lumma Stealer variant…
Approaching Stealers Devs (7 parts series)
To completely understand what’s going on in the info stealers market which has been growing in the last years…
Infostealer infection of an Orange employee results in BGP disruptions
Using the stolen account, the threat actor modified the AS number belonging to Orange’s IP address, resulting in major disruptions…
Key Learnings from Files Present on the C2 Server of an Infamous Infostealer Malware
This method can be applied to multiple other C2 servers that we come across on a daily basis to check for any security misconfigurations…
From LNK Payload to Infostealer Source Code
A ZIP/LNK payload and, with some luck, we will end up identifying the infostealer that is being dropped and its source code…
Infostealer – Trends and how to detect them before it’s too late
Infostealers are a type of malware designed to steal information from the victim system in order to send it to the attacker…
Mysterious hacker strikes Iran with major cyberattacks against industry leading companies
A hacker who goes by the username “irleaks” posted a thread in which they attempt to sell over 160,000,000 records of Iranians…
