A new malicious campaign, Editbot Stealer, was discovered in which threat actors use WinRAR archive files with minimal detection to perform a multi-stage attack.
The malicious WinRAR archive used by the threat actors consists of a.bat file and a JSON file for initial stage attacks, followed by some Powershell commands for further stages.
The distribution of these malicious files was done through social media.
This BAT file is used to regularly execute the Python stealer, which is downloaded later in the attack stage.
The Python stealer consists of sophisticated programming code that performs several functions, including extracting the country code, IP address, and timestamp of the victims, along with the credential-stealing activities associated with several browsers.
This stealer extracts multiple pieces of information, such as cookies, login data, web data, and local state, from the browser profile folder and stores them inside the %temp% folder.
After collecting all the information from the victim, the stealer creates a ZIP archive of all the extracted information and stores them inside the same %temp% directory.
To exfiltrate this information, the threat actors have set up telegram bots.
A complete report about the Editbot stealer has been published, which provides detailed information on the source code, extraction method, and other information.
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 12 Dec 2023 13:20:21 +0000