OpenBullet malware targeting inexperienced hackers

Hackers attacking inexperienced hackers: OpenBullet Configuration files to target new cybercriminals

A recent malware campaign has been spotted using malicious OpenBullet configuration files to target inexperienced cybercriminals, aiming to deliver a remote access trojan (RAT) capable of stealing sensitive data.

Kasada, a company specializing in bot mitigation, has identified this activity as an attempt to exploit novice hackers by infiltrating trusted criminal networks.

What’s OpenBullet?

OpenBullet, a legitimate open-source tool for penetration testing, is being misused for credential-stuffing attacks. It uses a configuration file tailored to a specific website and a password list to automate login attempts without dealing with browser pop-ups.

These configuration files are shared and sold in criminal communities, which makes launching attacks easier for less experienced criminals. This trend might mean that OpenBullet users are becoming more sophisticated, or it may simply reflect an efficient division of labor on the dark web.

It’s not that simple…

This reliance on shared configurations also opens a new avenue for abuse. The campaign discovered by Kasada uses malicious configurations, shared on a Telegram channel, that reach out to a GitHub repository. From there, they retrieve a Rust-based dropper named Ocean, which in turn fetches the next-stage payload from the same repository.

The resulting Python-based malware, Patent, then deploys a remote access trojan using Telegram for command and control. This trojan carries out instructions to capture screenshots, list directory contents, exfiltrate crypto wallet details, and steal passwords and cookies from various web browsers.

What’s more?

The affected browsers and crypto wallets include Brave, Google Chrome, Microsoft Edge, Opera, and others. The trojan also functions as a clipper: it monitors the clipboard for cryptocurrency wallet addresses and replaces them with attacker-controlled addresses, so that a victim pasting an address for a transfer unknowingly sends funds to the attacker.

The adversary behind this operation has received $1,703.15 in two months through Bitcoin wallet addresses, which were subsequently laundered using an anonymous crypto exchange known as Fixed Float.

“The malware targets multiple cryptocurrency wallets and directories. The malware walks the filesystem, compressing directories and wallets relating to cryptocurrencies and encrypting the compressed zip file before exfiltrating the content. The zip files are encrypted using the native Python zip file library, using the method zipfile.setpassword(). The code contains a hardcoded password that can be used to encrypt and decrypt the zip file,” according to researchers at Kasada.

Just a thought: Do thieves trust thieves?

The distribution of these malicious OpenBullet configurations through Telegram is an unusual infection vector, targeting criminal communities precisely because of their frequent use of cryptocurrencies.

This allows the attackers to tailor their lures to specific groups and potentially gain access to funds, accounts, or other valuable information.

Author: PureVPN

Published: August 9, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, it helps consumers and businesses keep their online identity secure.
