cyble.com
Submitted URL: http://cyble.com/blog/lummac-stealer-leveraging-amadey-bot-to-deploy-sectoprat/
Effective URL: https://cyble.com/blog/lummac-stealer-leveraging-amadey-bot-to-deploy-sectoprat/
Submission: On August 15 via api from DE — Scanned from DE
LUMMAC STEALER LEVERAGING AMADEY BOT TO DEPLOY SECTOPRAT
August 11, 2023

KEY TAKEAWAYS
* This blog examines a new infection chain used to deliver the SectopRAT final payload.
* It provides insight into the LummaC stealer and how it retrieves the Amadey bot malware.
* The Amadey bot copies itself to maintain persistence and drops an LNK file into the Startup folder; when that LNK file is launched, it runs the duplicated copy of Amadey.
* Once running, the Amadey bot downloads the SectopRAT payload and executes it on the victim's system.

EXECUTIVE SUMMARY
LummaC is an information stealer distributed under a Malware-as-a-Service (MaaS) model on Russian-speaking forums. It is designed to steal sensitive data from infected devices, including cryptocurrency wallets, browser extensions, two-factor authentication codes, and various files. The Threat Actors (TAs) behind this malware have consistently released improved iterations of LummaC. The latest iteration adds several features, including the ability to load other malware files (introduced in version 19.07) while the main information-stealing component is running on the victim's system, as shown in the image below.

Figure 1 – New Loader feature of LummaC stealer mentioned in the TA's Telegram channel

Cyble Research & Intelligence Labs (CRIL) has recently come across a novel approach to spreading SectopRAT. In this chain, the SectopRAT payload is delivered by the Amadey bot malware, which is itself retrieved by the LummaC stealer, as illustrated in the figure below.

Figure 2 – Infection chain

These techniques are discussed in detail in the Technical Analysis section.

INITIAL INFECTION
In most cases, the LummaC stealer has been distributed through phishing websites that impersonate genuine software sources, as well as via spear-phishing emails. Historically, the LummaC stealer has been distributed through deceptive websites such as a counterfeit Microsoft Sysinternals Suite site. It has also targeted YouTubers via spear-phishing emails and has been spread disguised as illicit software cracks.
TECHNICAL ANALYSIS
We have encountered several ZIP files in the wild that appear to contain the LummaC stealer. These files are possibly being distributed through a YouTube campaign disguised as software setup files. A few examples of these filenames include:
* Newest_Setup_123_UseAs_PassKey.zip
* Latest_Setup_Use__PassWord__224466.zip
* Latest_Setup_Use_224466_As_PassCode.zip
* New_PC_Setup_PassWord_UseAs_224466.zip
* $#E-R1-Setup-Password-123.zip
* Active_Setup_113355_UseAs_PassKey.zip
* Setup_123_Passwords_Open_App.zip
* Passw0rdz_113355_Open_Setup_App.zip
* Active_Setup_With_224466_PassWord.zip

These files appear to have been deliberately named to attract users and trick them into running the contained malware. For this analysis, we examined a sample named "Active_Setup_With_224466_PassWord.zip". The SHA-256 hash of this ZIP archive is 7b5500ada0bf017d0bac84b181076ebfd7220693748b9ca634f06271837edfb7.

The image below shows the contents of the ZIP archive: two directories named "Common Files" and "HMService", which contain numerous legitimate DLL files, and an executable called "Setup.exe" at the archive root. "Setup.exe" is the LummaC stealer payload.

Figure 3 – Content of ZIP archive file

The LummaC stealer file ("Setup.exe") has the SHA-256 hash f85d8adf012c96a63fcb989b8b0e71894b12b769ce78f6a62064a4002954b144. It is a 32-bit GUI-based .NET Reactor-protected executable.

LUMMAC STEALER
LummaC stealer is malware designed to illicitly gather sensitive information from compromised devices, including cryptocurrency wallets, browser extensions, two-factor authentication codes, and files.
LummaC stealer has been offered as a service by its creators on underground forums and Telegram channels, primarily used by Russian speakers, since at least August 2022. The seller has been actively marketing LummaC stealer since April 2022, releasing new versions and answering questions on underground forums, Telegram channels, and a dedicated website.

According to the TAs' own advertising, LummaC2 is a next-gen stealer with a high success rate that works even on clean systems without any dependencies. Its key features include server-side log decryption. LummaC2 specializes in stealing data from Chromium- and Mozilla-based browsers, covering about 70 browser-based cryptocurrency and 2FA extensions. The toolkit includes a non-resident loader, a dynamic low-level file grabber, and the latest addition, the "BINARY MORPHER".

When "Setup.exe" is executed, it injects the malicious LummaC stealer payload into the memory of "RegAsm.exe", as shown below.

Figure 4 – LummaC stealer process tree

Once installed on a targeted system, LummaC stealer covertly collects system details such as the operating system version, hardware identifiers, CPU specifications, RAM details, screen resolution, and system language. It then extracts sensitive data from targeted applications, concentrating on web browsers, cryptocurrency wallets, two-factor authentication extensions, and others. The figure below shows memory content within RegAsm.exe containing strings associated with the URL of the LummaC stealer's command-and-control (C&C) server.

Figure 5 – LummaC C&C strings present in RegAsm memory

LummaC stealer's impact spans various web browsers such as Chrome, Mozilla Firefox, Microsoft Edge, and others.
Within these browsers, the stealer accesses browsing history, cookies, login details, personal data, credit card information, and other valuable data. After gathering the sensitive information from the targeted system, the stealer encrypts the collected data and sends it to the C&C server, as shown in the image below.
* hxxp[:]//exitlife[.]xyz/c2sock

Figure 6 – LummaC C&C communication

CRIL has already published a comprehensive blog post with a detailed examination of LummaC stealer. The blog can be accessed here.

Furthermore, the LummaC stealer retrieves the Amadey bot malware by downloading it from the following URL, as shown in the figure below.
* hxxp[:]//africatechs[.]com/Amdaygo[.]exe

Figure 7 – Presence of Amadey payload URL in LummaC memory

AMADEY BOT
Amadey Bot is malware first identified in 2018. It can perform reconnaissance on compromised systems, gather data, and load additional malicious payloads. In its early stages, it was distributed through exploit kits, and TAs used it to deliver other malware families, including GandCrab ransomware and the FlawedAmmyy Remote Access Trojan (RAT). In 2022, affiliates of the LockBit group used the Amadey bot to distribute ransomware to their targets.

Once retrieved by the LummaC stealer, the Amadey bot is saved to and executed from the Temp directory with the following filename:
* C:\Users\user\AppData\Local\Temp\hhwjilxtgukpvvhbpo.exe

The Amadey bot is a 32-bit GUI .NET Reactor-protected executable with SHA-256 hash d35d55bb74a7cf4349e2fa4a92839e2a88f17a1fee9725801d0d97b2bf0d311c. After execution, Amadey copies itself to the following location and runs the copy:
* C:\Users\user\Videos\edddegyjjykj.exe

It also creates an LNK file that, when launched, executes the dropped copy "edddegyjjykj.exe". This LNK file is placed in the Startup folder location below to maintain persistence.
* C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edddegyjjykj.lnk

During execution, Amadey communicates with its C&C server, regularly transmitting system details such as OS version, architecture, username, and installed antivirus software, and queries the server for instructions. Amadey's primary feature is its ability to deploy further payloads either to all compromised machines or selectively to chosen targets. The figure below shows the malware sending system information to the C&C server via the following URL:
* hxxp[:]//45[.]9[.]74[.]182/b7djSDcPcZ/index[.]php

Figure 8 – Amadey exfiltration

CRIL has previously released an extensive blog post with an in-depth analysis of Amadey Bot. It can be accessed here.

Moreover, the malware downloads an additional malicious payload from the following URL, as shown in the figure below.
* hxxp[:]//patriciabono[.]com/BRR[.]exe

Figure 9 – Amadey C&C communication

The image below shows the malware's memory content, including strings related to the Amadey bot's C&C server and the URL of the SectopRAT payload.

Figure 10 – Presence of SectopRAT payload URL in Amadey memory

SECTOPRAT
SectopRAT (aka Arechclient) is a Remote Access Trojan (RAT) written in .NET. It offers a wide array of functionality, including theft of browser data and cryptocurrency wallet details, and it can create a hidden secondary desktop from which it monitors and manipulates browser sessions. Notably, SectopRAT is equipped with anti-VM and anti-emulator checks intended to hinder analysis: it alters its behavior inside analysis environments, making its true malicious nature harder to discern.
After being downloaded by Amadey, SectopRAT is stored and executed in the Temp directory using the following path:
* C:\Users\user\AppData\Local\Temp\1000349051\BRR.exe

SectopRAT is a 32-bit executable protected with the Themida packer; its SHA-256 hash is 501444c9d25c15ca62bafe062b6bb8a3b3f69f0ca13aff057e3b8b1a0595f3a4.

Once "BRR.exe" is executed, the malware scans the target system's directories to retrieve sensitive data from files such as "Cookies", "Local State", "Login Data", and "Web Data". These files belong to over 35 web browsers, gaming platforms, and other applications installed on the compromised system. The following figure lists the browsers, games, email clients, and other software the malware targets to extract sensitive information.

Figure 11 – SectopRAT target application list to steal sensitive information

Furthermore, it can steal data from cryptocurrency wallets such as Atomic, Exodus, Electrum, and Daedalus Mainnet. Besides reading wallets from their application directories, it can also retrieve data from the crypto wallet browser extensions listed in the table below.

Extension ID | Wallet
ckpaelocniggkheibcacecnmmlmeodfa | CryptoBit
ibnejdfjmmkpcnlpebklmnkoeoihofec | TronLink
fhbohimaelbohpjbbldcngcnapndodjp | Binance Wallet
nkbihfbeogaeaoehlefnkodbefgpgknn | MetaMask

SectopRAT communicates with its C&C server using the following IP:Port:
* 95[.]143[.]190[.]57:15648

The image below shows activity associated with the initialization string, which signals that the encryption status for the malware's operations has been switched to "on" within the compromised system.
Figure 12 – SectopRAT memory strings

CONCLUSION
Deliberately chaining multiple malware strains strengthens the threat actors' (TAs) capabilities and control over the compromised system. It enables them to carry out a diverse range of malicious activities, from the initial breach through data extraction to potential remote control. These layered steps also increase the chance of evading detection, allowing a prolonged presence on the system and the achievement of the TAs' goals.

The most recent iteration of LummaC stealer can load additional malware onto the targeted system. In this campaign, LummaC stealer retrieves and installs the Amadey bot, known for system assessment, data theft, and the deployment of supplementary payloads. The Amadey bot in turn fetches SectopRAT, a .NET Remote Access Trojan known for its diverse functionality, including various detection-evading methods.

OUR RECOMMENDATIONS
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
* Implement sophisticated email filtering solutions to detect and block spam, phishing attempts, and malicious emails.
* Refrain from opening links and attachments from unfamiliar or untrusted sources. Always confirm the credibility of the sender before engaging with links or attachments.
* Download and install software solely from reputable and well-established sources. Avoid obtaining software from online sources that lack credibility or verification.
* Install a reliable antivirus and comprehensive internet security suite on all devices. Update and scan regularly to ensure ongoing protection.
* Use URL filtering tools to block access to known malicious websites and domains, preventing users from inadvertently downloading malware from dangerous URLs.
* Conduct periodic cybersecurity training for employees, covering the latest threats, phishing tactics, and the risks of email attachments and links.
* Emphasize the importance of not downloading or executing files from unknown sources, and raise awareness of the consequences of interacting with suspicious content.
* Set up network-level monitoring to detect unusual activity or data exfiltration by malware, and block suspicious activity to prevent potential breaches.

MITRE ATT&CK® TECHNIQUES
Tactic | Technique ID | Technique Name
Execution | T1204 | User Execution
Execution | T1047 | Windows Management Instrumentation
Persistence | T1547.001 | Registry Run Keys / Startup Folder
Privilege Escalation | T1055 | Process Injection
Defense Evasion | T1497 | Virtualization/Sandbox Evasion
Defense Evasion | T1027 | Obfuscated Files or Information
Defense Evasion | T1562 | Disable or Modify Tools
Defense Evasion | T1027.002 | Software Packing
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Defense Evasion | T1620 | Reflective Code Loading
Credential Access | T1003 | OS Credential Dumping
Credential Access | T1056 | Input Capture
Discovery | T1057 | Process Discovery
Discovery | T1012 | Query Registry
Discovery | T1082 | System Information Discovery
Discovery | T1083 | File and Directory Discovery
Discovery | T1518.001 | Security Software Discovery
Collection | T1005 | Data from Local System
C&C | T1071 | Application Layer Protocol
C&C | T1573 | Encrypted Channel
C&C | T1105 | Ingress Tool Transfer

INDICATORS OF COMPROMISE (IOCS)
Indicators | Indicator Type | Description
507bddfabd74a3d024b2ad5f67d666ea | MD5 | LummaC Stealer exe
78eac92e0040e033406e6786b58b8a367fe171fa | SHA1 | LummaC Stealer exe
f85d8adf012c96a63fcb989b8b0e71894b12b769ce78f6a62064a4002954b144 | SHA256 | LummaC Stealer exe
952d825a264745bb52b6977ba5983568 | MD5 | Amadey Bot exe
627a0a841c2fe194dd54f9ec6b0c1231d7da135f | SHA1 | Amadey Bot exe
d35d55bb74a7cf4349e2fa4a92839e2a88f17a1fee9725801d0d97b2bf0d311c | SHA256 | Amadey Bot exe
f290ed868caae994bbfae1b63aca1d28 | MD5 | SectopRAT exe
5ac7b60e56281dc0c72f7c1125b165867df56ed9 | SHA1 | SectopRAT exe
501444c9d25c15ca62bafe062b6bb8a3b3f69f0ca13aff057e3b8b1a0595f3a4 | SHA256 | SectopRAT exe
hxxp[:]//exitlife[.]xyz/c2sock | URL | LummaC stealer C&C
hxxp[:]//africatechs[.]com/Amdaygo[.]exe | URL | Amadey Payload URL
hxxp[:]//45[.]9[.]74[.]182/b7djSDcPcZ/index[.]php | URL | Amadey C&C
hxxp[:]//patriciabono[.]com/BRR[.]exe | URL | SectopRAT Payload URL
95[.]143[.]190[.]57:15648 | IP:Port | SectopRAT C&C
hxxp://enfantfoundation[.]com/amday[.]exe | URL | Similar Amadey Payload URL
hxxp://fuji-iasi[.]ro/BRR[.]exe | URL | Similar SectopRAT Payload URL
hxxps://earthqik[.]co[.]za/BR[.]exe | URL | Similar SectopRAT Payload URL
hxxp://silversoft[.]in/BR[.]exe | URL | Similar SectopRAT Payload URL
hxxp://tbmcoats[.]com/BRRR[.]exe | URL | Similar SectopRAT Payload URL
hxxp://aviangas[.]co[.]ke/BRRRRAS[.]exe | URL | Similar SectopRAT Payload URL

ET RULES
Malware | SID | Rule Name
LummaC Stealer | 2046637 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt
LummaC Stealer | 2039423 | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M1
LummaC Stealer | 2043206 | ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2
LummaC Stealer | 2039425 | ET MALWARE Win32/Lumma Stealer CnC Domain (765mm .xyz) in DNS Lookup
Amadey Bot | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2
Amadey Bot | 2045752 | ET MALWARE Win32/Amadey Payload Request (GET)
Amadey Bot | 2044623 | ET MALWARE Amadey Bot Activity (POST)
Amadey Bot | 2044695 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
Amadey Bot | 2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

YARA RULES
rule LummaC_Stealer
{
    meta:
        author = "Cyble"
        description = "Detects LummaC Stealer Files"
        date = "2023-08-10"
        os = "Windows"
        threat_name = "LummaC Stealer"
        scan_type = "Memory"
        severity = 100
        reference_sample = "a53dafb72659e7aa4f36a6626b01aad9cc44500d5d4c1ee7a96c957a4e556d02"
    strings:
        $a = "/c2sock" ascii wide
        $b = "TeslaBrowser" ascii wide
        $c = "Software.txt" ascii wide
        $d = "System.txt" ascii wide
        $e = "/c2conf" ascii wide
    condition:
        all of them
}

rule AmadeyBot
{
    meta:
        author = "Cyble"
        description = "Detects Amadey Bot Files"
        date = "2023-08-10"
        os = "Windows"
        threat_name = "Amadey Bot"
        scan_type = "Memory"
        severity = 100
        reference_sample = "a58f0d4b2a0100a12eb8a5690522d79d510adafa9235d11e4b714dda8c87b341"
    strings:
        $a = "/index.php" ascii wide
        $b = "\\MsBuild.exe" ascii wide
        $c = "id=" ascii wide
        $d = "&av=" ascii wide
        $e = "&pc=" ascii wide
        $f = "&un=" ascii wide
    condition:
        all of them
}

rule SectopRAT
{
    meta:
        author = "Cyble"
        description = "Detects SectopRAT Files"
        date = "2023-08-10"
        os = "Windows"
        threat_name = "SectopRAT"
        scan_type = "Memory"
        severity = 100
        reference_sample = "75e64bd57bfaad471d202d46b726473ccf2182d9d511a32304903324648a90b1"
    strings:
        $a = "\\User Data" ascii wide
        $b = "EncryptionStatus\",\"Status" ascii wide
        $c = "BotName" ascii wide
        $d = "BotOS" ascii wide
        $e = "URLData" ascii wide
        $f = "Web Data" ascii wide
        $g = "User Data\\Local State" ascii wide
    condition:
        all of them
}
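As an added illustration (not Cyble's tooling and not part of the original post), the following Python re-implements what the rules above ask of a memory scanner: each string is searched in both its ASCII and UTF-16LE form ("ascii wide"), and a rule fires only when all of its strings are present ("all of them"). The string sets are transcribed from the three rules; the memory buffers are constructed for the demonstration.

```python
"""
Minimal re-implementation of the matching semantics used by the three YARA
rules above ("ascii wide" strings, "all of them" condition), so the rules can
be checked against a memory dump without yara-python installed.
Added illustration, not Cyble's tooling. Sample buffers are constructed.
"""
from typing import Dict, List, Tuple

# String sets transcribed from the LummaC, Amadey and SectopRAT rules above.
RULES: Dict[str, List[str]] = {
    "LummaC_Stealer": ["/c2sock", "TeslaBrowser", "Software.txt", "System.txt", "/c2conf"],
    "AmadeyBot": ["/index.php", "\\MsBuild.exe", "id=", "&av=", "&pc=", "&un="],
    "SectopRAT": ["\\User Data", 'EncryptionStatus","Status', "BotName", "BotOS",
                  "URLData", "Web Data", "User Data\\Local State"],
}


def encodings(s: str) -> Tuple[bytes, bytes]:
    """YARA 'ascii wide': match the string as raw ASCII and as UTF-16LE."""
    return s.encode("ascii"), s.encode("utf-16-le")


def match_rule(buf: bytes, strings: List[str]) -> Dict[str, List[int]]:
    """Return {string: [offsets]} for every string found in either encoding.
    An empty offset list means the string is absent (the rule will not fire)."""
    hits: Dict[str, List[int]] = {}
    for s in strings:
        offsets: List[int] = []
        for needle in encodings(s):
            start = 0
            while (pos := buf.find(needle, start)) != -1:
                offsets.append(pos)
                start = pos + 1
        hits[s] = sorted(offsets)
    return hits


def scan(buf: bytes) -> Dict[str, bool]:
    """'all of them' condition: a rule fires only if every string was found."""
    return {name: all(match_rule(buf, strs).values()) for name, strs in RULES.items()}


# Constructed sample: an Amadey-style check-in body, partly in UTF-16LE (as .NET
# strings sit in process memory), plus an MsBuild.exe path. Not a real dump.
SAMPLE_AMADEY = (
    b"POST /index.php HTTP/1.1\r\n\r\n"
    + "id=1234&av=0&pc=DESKTOP&un=user".encode("utf-16-le")
    + b"\x00" * 16
    + "C:\\Windows\\MsBuild.exe".encode("utf-16-le")
)

# Constructed negative sample: carries some LummaC strings but not all of them,
# so under 'all of them' the rule must stay silent (no partial credit).
SAMPLE_PARTIAL = b"GET /c2sock\x00TeslaBrowser\x00Software.txt\x00"

if __name__ == "__main__":
    for label, buf in (("amadey-like", SAMPLE_AMADEY), ("partial", SAMPLE_PARTIAL)):
        print(label, scan(buf))
```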