A new malware campaign has been observed using malicious OpenBullet configuration files to target inexperienced cybercriminals. The goal of the campaign is to deliver a remote access trojan (RAT) capable of stealing sensitive information. Kasada, a bot mitigation company, describes the activity as advanced threat actors "preying on beginner hackers." OpenBullet is a legitimate open-source pen-testing tool used for automating credential stuffing attacks. The configurations, which are essentially executable code, are traded and sold within criminal communities, enabling even less sophisticated hackers to launch their own attacks.
The campaign discovered by Kasada involves malicious configs shared on a Telegram channel, which reach out to a GitHub repository to retrieve a Rust-based dropper called Ocean. This dropper fetches the next-stage payload from the same repository. The payload, a Python-based malware called Patent, deploys a remote access trojan that uses Telegram as its command-and-control mechanism. It can capture screenshots, list directory contents, steal passwords and cookies from Chromium-based web browsers, and exfiltrate crypto wallet information.
The trojan also functions as a clipper, monitoring the clipboard for cryptocurrency wallet addresses. It substitutes contents matching a predefined regular expression with an actor-controlled address, resulting in unauthorized fund transfers. The adversary behind the campaign has received $1,703.15 in two Bitcoin wallet addresses over the past two months, which were subsequently laundered.
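The clipper behaviour described above can be detected from the defender's side by comparing what the user actually copied with what the clipboard later contains. The following is an added example, not code from Kasada or from the article: it models a stream of clipboard events (user-initiated copies and periodic snapshot reads, both constructed here) and flags any snapshot where a wallet-address-shaped value the user copied has been replaced by a different address-shaped value without a new copy. The Bitcoin address regex and the sample addresses are assumptions for illustration; the sample addresses are constructed to match the regex and are not real wallets.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Shape of the two common Bitcoin address formats: base58 legacy/P2SH (starts with 1 or 3)
# and bech32 (starts with bc1). This is the kind of pattern a clipper watches for; it is an
# illustrative regex, not one taken from the malware.
BTC_ADDRESS_RE = re.compile(
    r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})"
)


@dataclass
class ClipboardEvent:
    kind: str      # "copy" = user-initiated copy, "read" = periodic snapshot of clipboard contents
    content: str


def looks_like_btc_address(text: str) -> bool:
    """True if the whole string has the shape of a Bitcoin address."""
    return BTC_ADDRESS_RE.fullmatch(text.strip()) is not None


def detect_clipper_swaps(events: List[ClipboardEvent]) -> List[Tuple[str, str]]:
    """Return (copied, observed) pairs where an address the user copied was later
    found replaced in the clipboard by a different address, with no new copy event
    in between. That pattern is the signature of clipboard-hijacking ("clipper") malware."""
    swaps: List[Tuple[str, str]] = []
    last_copied = None
    for ev in events:
        if ev.kind == "copy":
            # A genuine copy resets the baseline; the user may legitimately paste something new.
            last_copied = ev.content.strip()
        elif ev.kind == "read":
            observed = ev.content.strip()
            if (last_copied is not None
                    and looks_like_btc_address(last_copied)
                    and observed != last_copied
                    and looks_like_btc_address(observed)):
                swaps.append((last_copied, observed))
                # Treat the swapped value as the new baseline so one substitution is reported once.
                last_copied = observed
    return swaps


# Constructed sample addresses (valid shape only, not real wallets).
USER_ADDR = "1UserCopiedAddr" + "X" * 16
ACTOR_ADDR = "3ActorSwappedAddr" + "X" * 14

# Constructed event stream: plain text, a legitimate address copy, a silent substitution,
# then unrelated text changes that must not be flagged.
SAMPLE_EVENTS = [
    ClipboardEvent("copy", "hello world"),
    ClipboardEvent("read", "hello world"),
    ClipboardEvent("copy", USER_ADDR),
    ClipboardEvent("read", USER_ADDR),        # unchanged: fine
    ClipboardEvent("read", ACTOR_ADDR),       # changed without a copy: clipper signature
    ClipboardEvent("read", ACTOR_ADDR),       # same swap, already reported
    ClipboardEvent("copy", "some note"),
    ClipboardEvent("read", "changed note"),   # not addresses: ignored
]


def demo() -> List[Tuple[str, str]]:
    return detect_clipper_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for copied, observed in demo():
        print(f"clipboard swap detected: {copied} -> {observed}")
```

In a real monitor the "copy" events would come from the OS copy hook or the application that placed the address on the clipboard, and the "read" events from polling the clipboard before a paste into a wallet; the comparison logic stays the same. The same check generalises to any other address regex a clipper might target.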
The researchers believe that the distribution of malicious OpenBullet configs within Telegram is a novel infection vector. They believe the campaign targets criminal communities that frequently use cryptocurrencies, presenting an opportunity for the attackers to obtain funds, accounts, or access from those communities.