
BlackGuard Malware as a Service sold in Russian Forums


The Zscaler ThreatLabz team came across BlackGuard, a sophisticated information stealer, advertised for sale on Russian-language underground forums. BlackGuard is currently sold as malware-as-a-service for a lifetime price of $700 or a monthly price of $200.

BlackGuard can steal credentials and data from crypto wallets and wallet browser extensions, VPN clients, messengers, FTP clients, saved browser credentials, and email clients.


BlackGuard is a .NET stealer packed with a crypto packer. It is under active development and currently targets the following applications:

Targeted Applications:

Browsers:

Chrome, Opera, Firefox, MapleStudio, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, uCozMedia, Coowon, liebao, QIP Surf, Orbitum, Comodo, Amigo, Torch, Comodo, 360Browser, Maxthon3, K-Melon, Sputnik, Nichrome, CocCoc, Uran, Chromodo, Edge, BraveSoftware.

Crypto Wallets:

AtomicWallet, BitcoinCore, DashCore, Electrum, Ethereum, Exodus, LitecoinCore, Monero, Jaxx, Zcash, Solar, Zap, AtomicDEX, Binance, Frame, TokenPocket, Wassabi.

Crypto Wallet Extensions:

Binance, coin98, Phantom, Mobox, XinPay, Math10, Metamask, BitApp, Guildwallet, iconx, Sollet, Slope Wallet, Starcoin, Swash, Finnie, KEPLR, Crocobit, OXYGEN, Nifty, Liquality, Auvitas wallet, Math wallet, MTV wallet, Rabet wallet, Ronin wallet, Yoroi wallet, ZilPay wallet, Exodus, Terra Station, Jaxx.

Email Clients:

Outlook

Other Applications:

NordVPN, OpenVPN, ProtonVpn, Totalcomander, Filezilla, WinSCP, Steam


Messengers:

Telegram, Signal, Tox, Element, Pidgin, Discord

Despite these capabilities, the Zscaler team also notes that BlackGuard's feature set is not as broad as that of other stealers; it has grown as a threat because, in their words, it "continues to be improved and is developing a strong reputation in the underground community." Administrators and security teams can reduce the risk by enforcing good password hygiene, enabling multi-factor authentication, and instructing users not to visit unknown sites or open unknown files.

Indicators of Compromise
