May 28, 2023

Zscaler ThreatLabz team came across BlackGuard, a sophisticated stealer, advertised for sale. Blackguard is currently being sold as malware-as-a-service with a lifetime price of $700 and a monthly price of $200.

BlackGuard has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, FTP credentials, saved browser credentials, and email clients.

Advertisements

BlackGuard is a .NET stealer packed with a crypto packer. Currently, it is in active development and has the following capabilities:

  • Anti-detection
  • Obfuscation
  • Anti-CIS
  • Anti-debug
  • Stealing functions
  • Cryptocurrency wallets
  • C2 Exfilteration

Targeted Applications:

Browsers:

Chrome, Opera, Firefox, MapleStudio, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, uCozMedia, Coowon, liebao, QIP Surf, Orbitum, Comodo, Amigo, Torch, Comodo, 360Browser, Maxthon3, K-Melon, Sputnik, Nichrome, CocCoc, Uran, Chromodo, Edge, BraveSoftware.

Crypto Wallets:

AtomicWallet, BitcoinCore, DashCore, Electrum, Ethereum, Exodus, LitecoinCore, Monero, Jaxx, Zcash, Solar, Zap, AtomicDEX, Binance, Frame, TokenPocket, Wassabi.

Crypto Wallet Extensions:

Binance, coin98, Phantom, Mobox, XinPay, Math10, Metamask, BitApp, Guildwallet, iconx, Sollet, Slope Wallet, Starcoin, Swash, Finnie, KEPLR, Crocobit, OXYGEN, Nifty, Liquality, Auvitas wallet, Math wallet, MTV wallet, Rabet wallet, Ronin wallet, Yoroi wallet, ZilPay wallet, Exodus, Terra Station, Jaxx.

Email Clients:

Outlook

Other Applications:

NordVPN, OpenVPN, ProtonVpn, Totalcomander, Filezilla, WinSCP, Steam

Advertisements

Messengers:

Telegram, Signal, Tox, Element, Pidgin, Discord

Despite its capabilities, Zscaler team also reports that BlackGuard is not as broad as other stealers but has grown as a threat because “it continues to be improved and is developing a strong reputation in the underground community.” Administrators and security teams can combat the risks by implementing good password hygiene, multi-factor authentication, and instructing users not to visit or open unknown sites or files.

Indicators of Compromise

  • 4d66b5a09f4e500e7df0794552829c925a5728ad0acd9e68ec020e138abe80ac
  • c98e24c174130bba4836e08d24170866aa7128d62d3e2b25f3bc8562fdc74a66
  • 7f2542ed2768a8bd5f6054eaf3c5f75cb4f77c0c8e887e58b613cb43d9dd9c13
  • f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d
  • bbc8ac47d3051fbab328d4a8a4c1c8819707ac045ab6ac94b1997dac59be2ece
  • f47db48129530cf19f3c42f0c9f38ce1915f403469483661999dc2b19e12650b
  • ead17dee70549740a4e649a647516c140d303f507e0c42ac4b6856e6a4ff9e14
  • 1ee88a8f680ffd175943e465bf85e003e1ae7d90a0b677b785c7be8ded481392
  • 71edf6e4460d3eaf5f385610004cfd68d1a08b753d3991c6a64ca61beb4c673a
  • e08d69b8256bcea27032d1faf574f47d5412b6da6565dbe52c968ccecea1cd5d

Leave a Reply

%d bloggers like this: