AlienVault Blogs
BlackGuard stealer extends its capabilities in new variant
AT&T Alien Labs researchers have discovered a new variant of BlackGuard stealer in the wild, infecting victims through spear phishing attacks. The malware has evolved since its previous variant and now arrives with new capabilities.
Key takeaways:
- BlackGuard steals user sensitive information from a wide range of applications and browsers.
- The malware can hijack crypto wallets copied to clipboard.
- The new variant is trying to propagate through removable media and shared devices.
The malware adds persistence to survive a system reboot by adding itself under the "Run" registry key (Figure 12).

Figure 12. Setting registry persistence.

Documents - stealth activity

The malware searches for, and sends to its command and control, all documents ending with the extensions ".txt", ".config", ".docx", ".doc" and ".rdp" in the user folders (including subdirectories): "Desktop", "My Documents" and the UserProfile folder.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

SURICATA IDS SIGNATURES

- 2035716: ET TROJAN BlackGuard_v2 Data Exfiltration Observed
- 2035398: ET TROJAN MSIL/BlackGuard Stealer Exfil Activity

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note that the pulse may include other related activities that are out of the scope of this report.

| TYPE | INDICATOR | DESCRIPTION |
| --- | --- | --- |
| IP ADDRESS | http://23[.]83.114.131 | Malware command & control |
| SHA256 | 88e9780ce5cac572013aebdd99d154fa0b61db12faffeff6f29f9d2800c915b3 | Malware hash |

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:
- TA0001: Initial Access
- T1091: Replication Through Removable Media
- TA0002: Execution
- T1106: Native API
- T1047: Windows Management Instrumentation
- TA0003: Persistence
- T1547.001: Registry Run Keys / Startup Folder
- TA0005: Defense Evasion
- T1027: Obfuscated Files or Information
- TA0006: Credential Access
- T1003: OS Credential Dumping
- T1539: Steal Web Session Cookie
- T1528: Steal Application Access Token
- T1552: Unsecured Credentials
- .001: Credentials In Files
- .002: Credentials In Files
- TA0007: Discovery
- T1010: Application Window Discovery
- T1622: Debugger Evasion
- T1083: File and Directory Discovery
- T1057: Process Discovery
- T1012: Query Registry
- T1082: System Information Discovery
- T1497: Virtualization/Sandbox Evasion
- TA0008: Lateral Movement
- T1091: Replication Through Removable Media
- TA0009: Collection
- T1115: Clipboard Data
- T1213: Data from Information Repositories
- T1005: Data from Local System
- TA0011: Command and Control
- T1071: Application Layer Protocol
- T1105: Ingress Tool Transfer
- TA0010: Exfiltration
- T1020: Automated Exfiltration
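The two host-side behaviours described above (a Run-key write for persistence, followed by a sweep of .txt/.config/.docx/.doc/.rdp files under the user profile) can be correlated in endpoint telemetry. The example below is added here and is not Alien Labs code; the event records are constructed, with field names modelled loosely on Sysmon registry-set and EDR file-read events, and the document-count threshold is an assumption.

```python
"""Added example (not from the Alien Labs report): flag a process that both
sets Run-key persistence and reads several user documents of the types the
report lists. Event format and the threshold of 3 documents are assumptions."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Behaviour described in the report: targeted extensions and the Run key.
DOC_EXTS = {".txt", ".config", ".docx", ".doc", ".rdp"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

# Constructed sample telemetry (pid, image, kind, target).
SAMPLE_EVENTS = [
    {"pid": 4242, "image": r"C:\Users\a\AppData\Roaming\svc.exe", "kind": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"pid": 4242, "image": r"C:\Users\a\AppData\Roaming\svc.exe", "kind": "file_read",
     "target": r"C:\Users\a\Desktop\notes.txt"},
    {"pid": 4242, "image": r"C:\Users\a\AppData\Roaming\svc.exe", "kind": "file_read",
     "target": r"C:\Users\a\Documents\server.rdp"},
    {"pid": 4242, "image": r"C:\Users\a\AppData\Roaming\svc.exe", "kind": "file_read",
     "target": r"C:\Users\a\web.config"},
    # Benign: Word opening one document, no persistence write.
    {"pid": 1337, "image": r"C:\Program Files\Office\winword.exe", "kind": "file_read",
     "target": r"C:\Users\a\Documents\report.docx"},
    # Installer: Run key written, but no document sweep.
    {"pid": 900, "image": r"C:\Temp\updater.exe", "kind": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"pid": 900, "image": r"C:\Temp\updater.exe", "kind": "file_read",
     "target": r"C:\Windows\Temp\log.txt"},
]

def is_targeted_doc(path: str) -> bool:
    """True for a listed extension under a user profile (C:\\Users\\<name>\\...)."""
    p = PureWindowsPath(path)
    under_profile = len(p.parts) >= 3 and p.parts[1].lower() == "users"
    return under_profile and p.suffix.lower() in DOC_EXTS

def correlate(events, doc_threshold=3):
    """One finding per pid that wrote a Run key and read >= doc_threshold docs."""
    run_key, image, docs = {}, {}, defaultdict(set)
    for ev in events:
        image[ev["pid"]] = ev["image"]
        if ev["kind"] == "registry_set" and RUN_KEY.search(ev["target"]):
            run_key[ev["pid"]] = ev["target"]
        elif ev["kind"] == "file_read" and is_targeted_doc(ev["target"]):
            docs[ev["pid"]].add(ev["target"].lower())
    return [{"pid": pid, "image": image[pid], "run_key": key, "docs": sorted(docs[pid])}
            for pid, key in run_key.items() if len(docs[pid]) >= doc_threshold]
```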