New variant of BlackGuard stealer offers additional threat features
The AT&T Alien Labs team discovered a new version of the BlackGuard stealer with additional features such as USB propagation, persistence mechanisms, memory loading of new payloads, and targeting other cryptocurrency wallets. In addition, the team has warned that the malware is still being actively used, and its creators are continuing to develop it while maintaining consistent subscription costs.
Zscaler discovered and reported BlackGuard in March 2022 as a malware-as-a-service (MaaS) available on Russian-speaking forums for $200 per month or a lifetime price of $700. The new version of BlackGuard was released shortly after the Raccoon Stealer MaaS operation ended, and it quickly became popular among cybercriminals due to its extensive app-targeting capabilities.
Cookies and credentials stored in web browsers, data from cryptocurrency wallet browser extensions, desktop crypto wallet data, messaging and gaming app data, email clients, and FTP or VPN tools are BlackGuard’s primary targets. The most recent version of the malware adds several new features that make it a more serious threat.
The first feature is a clipper module that replaces cryptocurrency addresses copied to the Windows clipboard with an attacker-controlled address, so that a victim who pastes the address sends the funds to the attacker’s wallet instead of the intended recipient. The clipper module ships with hardcoded replacement addresses for a variety of cryptocurrencies, including Bitcoin, Ethereum, Monero, Stellar, Ripple, Litecoin, Nectar, Bitcoin Cash, and DASH.
The second new feature of BlackGuard is its ability to spread via USB sticks and other removable devices, infecting any new machine those devices are plugged into. The third feature is the ability to download additional payloads from its command-and-control (C2) server and execute them in the memory of compromised computers using the “process hollowing” technique, which avoids writing the payload to disk and so evades file-based antivirus detection.
The fourth new feature is BlackGuard’s ability to register itself under the “Run” registry key, allowing it to persist between system reboots. Finally, the malware duplicates its files into every folder on the C: drive, giving each copy a unique name.
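The last behaviour described above leaves a distinctive footprint for defenders: the same file content under many different names across many directories. The script below is an added hunting example (not code from the AT&T Alien Labs report or the BleepingComputer article); it hashes every file under a root, groups files by content, and reports content that appears in at least a configurable number of distinct directories under more than one filename. The threshold `MIN_DIRS`, the folder names and the sample bytes are constructed assumptions for the demonstration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

MIN_DIRS = 3  # assumed threshold: identical content in this many directories is worth a look

def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_mass_duplicates(root, min_dirs=MIN_DIRS):
    """Return {sha256: [paths]} for content that appears in at least min_dirs
    distinct directories under more than one filename: the footprint of a
    stealer that copies itself into every folder with a fresh name each time."""
    by_hash = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                if p.is_symlink() or not p.is_file():
                    continue
                by_hash[sha256_of(p)].append(p)
            except OSError:  # unreadable or vanished file; skip rather than abort the sweep
                continue
    hits = {}
    for digest, paths in by_hash.items():
        if len({p.parent for p in paths}) >= min_dirs and len({p.name for p in paths}) > 1:
            hits[digest] = sorted(str(p) for p in paths)
    return hits

def build_sample_tree() -> Path:
    """Constructed sample tree (no real malware): one byte string copied into four
    folders under different names, plus two benign files sharing the same content."""
    root = Path(tempfile.mkdtemp(prefix="dupscan_"))
    payload = b"constructed-sample-bytes-not-a-real-binary"
    copies = [("Users/alice/Documents", "a1b2.exe"), ("Users/alice/Pictures", "c3d4.exe"),
              ("ProgramData/tmp", "e5f6.exe"), ("Windows/Temp", "g7h8.exe")]
    for folder, name in copies:
        (root / folder).mkdir(parents=True, exist_ok=True)
        (root / folder / name).write_bytes(payload)
    (root / "Users/alice/Documents/notes.txt").write_text("benign")
    (root / "ProgramData/tmp/notes.txt").write_text("benign")
    return root
```

Calling `find_mass_duplicates(build_sample_tree())` flags only the four renamed copies; the two identical `notes.txt` files are ignored because they share a name and sit in fewer than `MIN_DIRS` directories. Pointing the function at a real drive root (for example `C:\`) turns it into a triage sweep, with the threshold raised to suit the environment.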
The sources for this piece include an article in BleepingComputer.