Uptycs, a cybersecurity firm, has released a statement highlighting a concerning new development in cybercrime. According to Uptycs, Zaraza, a known information-stealing malware, is now being sold on a popular Russian Telegram channel frequented by hackers, and it targets a large number of web browsers. Once installed on a victim’s computer, Zaraza extracts sensitive data and sends it to a Telegram server, where the operators can retrieve it for malicious purposes. This is particularly concerning because it shows cybercriminals finding new ways to exploit unsuspecting individuals, making it more important than ever to stay vigilant online.
Further investigation into the Zaraza bot malware revealed that it is a 64-bit binary compiled from C# that targets 38 different web browsers, including popular ones such as Google Chrome, Microsoft Edge, Opera, Brave, Vivaldi, AVG Browser, and Yandex. It was also found to take screenshots of the active window, exposing further details of the user’s activity on the computer.
Risk analysis shows that victims are in more danger than they realize: stolen credentials not only give threat actors unauthorized access to accounts but also enable identity theft and financial fraud.
Although little is known about the malware’s mode of propagation, information from Uptycs shows that it is offered to cybercriminals as a commercial tool on a subscription basis. Previous records indicate that the malware has been encountered through social engineering and malvertising.
eSentire’s Threat Response Unit (TRU) disclosed a GuLoader (aka CloudEyE) campaign targeting the financial sector via phishing emails, one of the methods by which such malware is spread. The campaign used tax-themed lures to deliver information stealers and remote access trojans (RATs) such as the Remcos RAT.
A report from Kaspersky revealed that trojanized cracked software downloaded from BitTorrent or OneDrive plays an active role in deploying CueMiner, a .NET-based downloader that in turn installs a cryptocurrency miner called SilentCryptoMiner.
Further observations revealed an increase in malvertising and search engine poisoning as malware distribution techniques, driven by the success enjoyed by Zaraza. As stealer malware continues to spread, users are encouraged to make two-factor authentication (2FA) standard practice.