lkpscoop.blogg.se

Blackguards trainer









The stolen data is compressed and exfiltrated over the same HTTP-based communication channel that the attackers use for command and control (C&C). The exfiltrated credentials are stored on the C&C server and then used to conduct additional attacks such as credential stuffing, account creation, and online fraud. In our research of BlackGuard Infostealer, we identified an exposed C&C administrator panel (Figure 1) and analyzed the stolen data stored within. The stolen credentials are stored in a “password.txt” file on the C&C server, which contains the usernames, passwords, and associated URLs.


Other security researchers have already documented how the malware operates and its dissemination via underground Russian crimeware forums [1, 2]. This article aims to expand on existing research by exploring its data exfiltration capabilities in greater detail. Blackguard is designed to steal a wide range of personal data, including credentials, cookies, messaging history, browsing history, cryptocurrency wallet information, and screenshots from the infected machine. By understanding what types of data attackers want, we can better understand the value Blackguard offers its authors and writers, and therefore how malware fits into the broader cybercrime ecosystem.

Attackers distribute Blackguard using a variety of techniques, including drive-by downloads and phishing emails containing malicious attachments. Once Blackguard Infostealer has infected a victim’s device, it initiates techniques such as system Application Programming Interface (API) hooking, Dynamic Link Library (DLL) injection, and resource hijacking to steal credentials from browsers, messenger clients, and other client-side software.


Blackguard Infostealer is a malware strain that was first discovered infecting Windows devices at the start of 2022.









