Hackers start an OpenBullet operation to deploy RAT

September 1, 2023

Researchers uncovered a new malware operation that uses OpenBullet to deploy a remote access trojan (RAT) onto a targeted device. Based on reports, the campaign originates from experienced threat actors and targets wannabe hackers who rely primarily on ready-made scripts and utilities.

OpenBullet is a legitimate open-source pen-testing kit for automating credential-stuffing operations. Investigations showed that the tool can efficiently attempt website logins by combining configuration files with passwords stolen in previous attacks.

Moreover, the pen-testing tool works alongside Puppeteer, a headless browser that hackers employ to automate web interactions. This integration removes the hassle of dealing with intrusive browser windows and simplifies the deployment of credential-stuffing campaigns.


The OpenBullet operators use Telegram to execute their operations.


The threat actors share OpenBullet configurations with novice hackers through a Telegram channel. These configurations link to a GitHub repository to fetch a Rust-based dropper, which retrieves an additional payload component from the same repository.

Subsequently, the Python-based malware, Patent, which is the executable component, launches a RAT. Researchers explained that the operators of the new attack had earned about $1,700 worth of cryptocurrency assets across two Bitcoin wallet addresses during the last two months of operation.

The Patent RAT employs a Telegram channel as its command-and-control mechanism. It accepts commands for different actions, such as listing directory contents, terminating tasks, capturing screenshots, and stealing crypto wallet details, saved passwords, and cookies from Chromium-based browsers.

Furthermore, the browsers and crypto wallets confirmed to be targeted by the new operation include MS Edge, Brave, Google Chrome, Opera, Opera GX, Yandex, Atomic, Opera Crypto, Electron Cash, Dash Core, Electrum, Electrum-LTC, Exodus, Ethereum Wallet, Jaxx Liberty, Mincoin, and Litecoin Wallet.

Lastly, the remote access trojan also functions as a clipper that monitors the clipboard for crypto wallet addresses. The RAT replaces any content matching a predefined pattern with an attacker-controlled address, aiding unauthorised fund transfers.
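A defender-side check for the clipper behaviour just described, as an added example that is not from the original article or the researchers' report: it replays a constructed log of clipboard events (explicit user copies versus periodic clipboard reads) and flags any read where the wallet address the user last copied now appears as a different address of the same kind, which is the substitution pattern a clipper produces. The address patterns, event log and addresses are all constructed placeholders.

```python
import re
from dataclasses import dataclass

# Wallet-address shapes for two currencies the article names (Bitcoin, Ethereum).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return the name of the address pattern `text` matches, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

@dataclass
class ClipEvent:
    ts: float      # seconds since monitoring started
    source: str    # "user_copy" (explicit copy by the user) or "poll" (clipboard read)
    content: str

def detect_swaps(events):
    """Flag a read showing a different same-kind address than the user last copied."""
    alerts = []
    last_user = None  # (content, kind) of the most recent user copy
    for ev in events:
        kind = address_kind(ev.content)
        if ev.source == "user_copy":
            last_user = (ev.content.strip(), kind)
            continue
        if last_user is None or kind is None or last_user[1] != kind:
            continue  # nothing copied yet, or clipboard no longer holds an address of that kind
        if ev.content.strip() != last_user[0]:
            alerts.append({"ts": ev.ts, "kind": kind, "copied": last_user[0],
                           "observed": ev.content.strip()})
            last_user = None  # report each substitution once
    return alerts

# Constructed sample: the user copies an address; a later read shows it replaced.
USER_BTC = "1UserAddr" + "X" * 25          # placeholder, not a real address
ATTACKER_BTC = "1AttackerAddr" + "X" * 21  # placeholder
USER_ETH, ATTACKER_ETH = "0x" + "ab" * 20, "0x" + "cd" * 20
SAMPLE_EVENTS = [
    ClipEvent(0.0, "user_copy", USER_BTC), ClipEvent(0.2, "poll", USER_BTC),
    ClipEvent(0.5, "poll", ATTACKER_BTC), ClipEvent(6.0, "user_copy", USER_ETH),
    ClipEvent(6.3, "poll", ATTACKER_ETH), ClipEvent(7.0, "poll", ATTACKER_ETH),
]
```

Running `detect_swaps(SAMPLE_EVENTS)` yields two alerts, one per substituted address; a legitimate wallet application writing to the clipboard would also trigger it, so such writers need to be allow-listed in a real deployment.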

Cybercriminals targeting other groups of threat actors is nothing new. Cybersecurity experts noted that more experienced cybercriminals will always hold an advantage, since they can craft tactics like the campaign described above to prey on newcomers to the threat landscape.
