A novel credential-stealing malware called Zaraza bot is being offered for sale on Telegram while also using the popular messaging service as its command-and-control (C2) channel. The malware targets as many as 38 different web browsers, including Google Chrome, Microsoft Edge, Opera, AVG Browser, Brave, Vivaldi, and Yandex. According to cybersecurity company Uptycs, once the malware infects a victim's computer, it retrieves sensitive data and sends it to a Telegram server, where the attackers can access it immediately.
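Because the stolen data goes straight to a Telegram server, the cheapest network-level check is to look for Telegram Bot API traffic coming from processes that have no business generating it. The script below is an added example for this article (not Uptycs' code and not anything taken from Zaraza bot); it runs that check over a few constructed proxy-style log lines. The URL shape it matches, api.telegram.org/bot<id>:<secret>/<method>, is Telegram's public Bot API; the host names, process names, the allow list of sanctioned bots, and the specific Bot API method in the sample lines are assumptions made for the example.

```python
"""Flag Telegram Bot API calls from processes that are not sanctioned bots.

Added example for the Zaraza bot article; not code from Uptycs or from the
malware. Log lines, hosts, process names and the allow list are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# Public Telegram Bot API path: /bot<numeric id>:<secret>/<method>.
# The secret is kept in a named group only so it can be redacted, never reported.
BOT_API_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
)

# (host, process) pairs that are allowed to use the Bot API, e.g. a monitoring
# bot on a server. Constructed allow list; tune it for your own estate.
SANCTIONED_BOTS = {("SRV-MON01", "python.exe")}

# Constructed proxy-style log lines (key=value, space separated). The second
# line models a stealer posting a file to its operator's bot; the method name
# sendDocument is an assumption, not something the article states.
SAMPLE_LOG = [
    "ts=2023-04-17T10:01:02Z host=WS-0042 process=chrome.exe method=GET "
    "url=https://www.example.com/",
    "ts=2023-04-17T10:01:05Z host=WS-0042 process=winupdate.exe method=POST "
    "url=https://api.telegram.org/bot1234567890:AAEconstructedtoken0000000000000000/sendDocument",
    "ts=2023-04-17T10:02:11Z host=SRV-MON01 process=python.exe method=POST "
    "url=https://api.telegram.org/bot9876543210:AAEanotherconstructed00000000000000/sendMessage",
    "ts=2023-04-17T10:03:40Z host=WS-0042 process=chrome.exe method=GET "
    "url=https://api.telegram.org/file/bot1234567890:AAEconstructedtoken0000000000000000/photo.jpg",
]


@dataclass
class Finding:
    host: str
    process: str
    method: str
    bot_id: str  # the bot id is safe to report and useful for blocking/correlation


def parse_line(line: str) -> Dict[str, str]:
    """Split a 'key=value key=value ...' log line into a dict."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def detect_bot_api_exfil(lines: List[str]) -> List[Finding]:
    """Return one Finding per Bot API call made by a non-sanctioned (host, process)."""
    findings: List[Finding] = []
    for line in lines:
        fields = parse_line(line)
        url = fields.get("url")
        if not url:
            continue
        parts = urlsplit(url)
        if parts.hostname != "api.telegram.org":
            continue
        match = BOT_API_PATH.match(parts.path)
        if not match:
            # e.g. /file/bot... downloads; not a Bot API method call
            continue
        host = fields.get("host", "")
        process = fields.get("process", "").lower()
        if (host, process) in SANCTIONED_BOTS:
            continue
        findings.append(Finding(host, process, match.group("method"), match.group("bot_id")))
    return findings


if __name__ == "__main__":
    for f in detect_bot_api_exfil(SAMPLE_LOG):
        print(f"{f.host}: {f.process} called Bot API {f.method} for bot {f.bot_id}")
```

Only the numeric bot id is surfaced; the secret half of the token is matched but deliberately dropped from the finding so it does not end up in tickets or dashboards. On a fleet where nothing legitimate should talk to api.telegram.org, the allow list can simply be empty and every hit is worth a look.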
Capturing Valuable Login Credentials
Zaraza bot, a 64-bit binary file compiled using C#, is the latest example of malware capable of capturing login credentials associated with online bank accounts, cryptocurrency wallets, email accounts, and other valuable websites. Stolen credentials pose a serious risk, allowing threat actors to gain unauthorized access to victims’ accounts and conduct identity theft and financial fraud.
Evidence gathered by Uptycs points to Zaraza bot being sold to other cybercriminals as a subscription-based commercial tool. How the malware is distributed is currently unclear, but information stealers have historically spread through methods such as malvertising and social engineering.
Recent Malware Campaigns
The discovery of Zaraza bot comes as eSentire’s Threat Response Unit (TRU) disclosed a GuLoader (aka CloudEyE) campaign targeting the financial sector via phishing emails, using tax-themed lures to deliver information stealers and remote access trojans (RATs) like Remcos RAT. Additionally, there has been a spike in malvertising and search engine poisoning techniques to distribute various malware families by enticing users searching for legitimate applications into downloading fake installers containing stealer payloads.
To reduce the risks associated with stealer malware, users are advised to enable two-factor authentication (2FA) and to apply software and operating system updates as they become available.

Separately, Russian cybersecurity firm Kaspersky recently revealed the use of trojanized cracked software downloaded from BitTorrent or OneDrive to deploy CueMiner, a .NET-based downloader that acts as a conduit to install a cryptocurrency miner called SilentCryptoMiner.