Stealing Browser Passwords & Cookies

Stealing Browser Passwords & Cookies

Last Updated: December 13, 2023By

New Editbot Stealer in Action; Stealing Browser Passwords & Cookies

A new malicious campaign, Editbot Stealer, was discovered in which threat actors use WinRAR archive files with minimal detection to perform a multi-stage attack. Threat actors have been utilizing the theme of “defective product to be sent back” to lure users to their deceptive websites.

However, the malicious WinRAR archive used by the threat actors consists of a .bat file and a JSON file for initial stage attacks, followed by some Powershell commands for further stages. The distribution of these malicious files was done through social media.

Editbot Stealer in Action

Initial Access & Persistence

According to the reports shared with Cyber Security News, the BAT file used in the initial stages of the attack goes by the name “Screenshot Product Photo Sample.bat†containing multiple Powershell commands for downloading and executing additional payloads.

RAR file containing the BAT and JSON files (Source: Cyble)
RAR file containing the BAT and JSON files (Source: Cyble)

The first PowerShell command inside the BAT file downloads another BAT file from Gitlab and saves it under the name “WindowsSecure.bat†in the startup folder for persistent execution. This BAT file is used to regularly execute the Python stealer, which is downloaded later in the attack stage.

The second PowerShell command retrieves a ZIP file named “Document.zip†from the same GitLab repository and saves it in the C:\Users\Public directory. The third powershell command extracts this ZIP file into the C:\Users\Public\Documents directory containing the python stealer “libb1.pyâ€.

Working of the Python Stealer – Editbot

The Python stealer consists of sophisticated programming code that performs several functions, including extracting the country code, IP address, and timestamp of the victims, along with the credential-stealing activities associated with several browsers.

This stealer extracts multiple pieces of information, such as cookies, login data, web data, and local state, from the browser profile folder and stores them inside the %temp% folder. All of the stolen information is stored in a text file named “pass.txtâ€.

After collecting all the information from the victim, the stealer creates a ZIP archive of all the extracted information and stores them inside the same %temp% directory. To exfiltrate this information, the threat actors have set up telegram bots.

Furthermore, a complete report about the Editbot stealer has been published, which provides detailed information on the source code, extraction method, and other information.

Indicators of Compromise

Indicators Indicator Type Details
fd8391a1a0115880e8c3ee2e76fbce741f1b3c5fbcb728b9fac37c21e9f6d7b7 feff390b99dfe7619a20748582279bc13c04f52aca5bee4607ddd920729e5c2b4fc89bbc SHA256 SHA1MD5 Screenshot-Product-Photo-Sample_25929.rar
d13aba752f86757de6628e833f4fdf4c625f480056e93b919172e9c309448b80 18e96d94089086848a0569a1e1d8051da0f6f444e9e4cd111cadcf94c469365354df3fdc SHA256 SHA1MD5 Screenshot Product Photo Sample.bat
3f7bd47fbbf1fb0a63ba955c8f9139d6500b6737e5baf5fdb783f0cedae94d6d eed59a282588778ffbc772085b03d229a5d99e35669e7ac187fb57c4d90b07d9a6bb1d42 SHA256 SHA1MD5 Python stealer (libb1.py)
9d048e99bed4ced4f37d91a29763257a1592adb2bc8e17a66fa07a922a0537d0 93d70f02b2ee2c4c2cd8262011ed21317c7d92def23465088d26e90514b5661936016c05 SHA256 SHA1MD5 product-_img_2023-12_86-13a30f_13373.rar
bc3993769a5f82e454acef92dc2362c43bf7d6b6b203db7db8803faa996229aa cf019e96e16fdaa504b29075aded36be27691956c3a447c5c6c73d80490347c1b4afe9d5 SHA256 SHA1MD5 image – photo_product _2023-12_86-13a30ff503fd6638c5863dta.bat

Source link

Leave A Comment