To combat against BlackGuard and similar credential theft malware, we recommend that security teams inspect all traffic and use malware prevention tools that include both antivirus (for known threats) and sandboxing capabilities (for unknown threats). While applications of BlackGuard are not as broad as other stealers, BlackGuard is a growing threat as it continues to be improved and is developing a strong reputation in the underground community. Telegram, Signal, Tox, Element, Pidgin, Discord Conclusion: NordVPN, OpenVPN, ProtonVpn, Totalcomander, Filezilla, WinSCP, Steam Messengers: Crypto Wallet Extensions:īinance, coin98, Phantom, Mobox, XinPay, Math10, Metamask, BitApp, Guildwallet, iconx, Sollet, Slope Wallet, Starcoin, Swash, Finnie, KEPLR, Crocobit, OXYGEN, Nifty, Liquality, Auvitas wallet, Math wallet, MTV wallet, Rabet wallet, Ronin wallet, Yoroi wallet, ZilPay wallet, Exodus, Terra Station, Jaxx. ![]() Crypto Wallets:ĪtomicWallet, BitcoinCore, DashCore, Electrum, Ethereum, Exodus, LitecoinCore, Monero, Jaxx, Zcash, Solar, Zap, AtomicDEX, Binance, Frame, TokenPocket, Wassabi. Panel screenshot Targeted Applications: Browsers:Ĭhrome, Opera, Firefox, MapleStudio, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, uCozMedia, Coowon, liebao, QIP Surf, Orbitum, Comodo, Amigo, Torch, Comodo, 360Browser, Maxthon3, K-Melon, Sputnik, Nichrome, CocCoc, Uran, Chromodo, Edge, BraveSoftware. zip of all the files and sends it to the C2 server through a POST request along with the system information like Hardware ID and country as shown in the figure below.įig 13. Crypto extensions stealing functionĪfter collecting the information, BlackGuard creates a. This stealer also targets crypto wallet extensions installed in Chrome and Edge with hardcoded extension IDs as shown in the figure below.įig 10. Crypto wallet stealing function Crypto Extensions: The stealer checks for the default wallet file location in AppData and copies it to the working folder.įig 9. It targets sensitive data in files such as wallet.dat that contain the address, the private key to access this address, and other data. Browser stealing function Cryptocurrency Wallets:īlackGuard also supports the stealing of wallets and other sensitive files related to crypto wallet applications. It has the capability to steal history, passwords, autofill information, and downloads.įig 8. Features Posted on forum Browsers:īlackGuard steals credentials from Chrome- and Gecko-based browsers using the static path. Anti-debugging technique Stealing Function:Īfter all the checks are completed, the stealer function gets called which collects information from various browsers, software, and hardcoded directories, as shown in the screenshot below.įig 7. This allows it to bypass antivirus and string-based detection.īlackGuard checks for the infected device country by sending a request to “” and exits itself if the device is located in the Commonwealth of Independent States (CIS).īlackGuard uses user32!BlockInput() which can block all mouse and keyboard events in order to disrupt attempts at debugging.įig 5. The stealer contains a hardcoded array of bytes which is decoded in runtime to ASCII strings followed by base64 decoding. Once executed, it checks and kills the processes related to antivirus and sandbox as shown in the figure below.įig 2. Currently, it is in active development and has the following capabilities: ![]() Forum thread promoting the BlackGuard stealer Technical Analysis:īlackGuard is a. In this blog, we share analysis and screenshots of the techniques this stealer uses to steal information and evade detection using obfuscation, as well as techniques used for anti-debugging.įig 1. Blackguard is currently being sold as malware-as-a-service with a lifetime price of $700 and a monthly price of $200.īlackGuard has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, FTP credentials, saved browser credentials, and email clients. While recently perusing one of these hacking forums during regular research activities, the Zscaler ThreatLabz team came across BlackGuard, a sophisticated stealer, advertised for sale. Malware-as-a-service has contributed substantially to the growth of ransomware and phishing attacks (among other attack types) in the past year, as they lower the technical barrier to entry for criminals to carry out attacks. Hacking forums often double up as underground marketplaces where cybercriminals buy, rent, and sell all kinds of malicious illegal products, including software, trojans, stealers, exploits, and leaked credentials.
0 Comments
Leave a Reply. |