Hackers attack their colleagues with OpenBullet pentest tool

To catch a cybercriminal, you need to think like a cybercriminal.

Kasada has discovered a new campaign that uses malicious OpenBullet configuration files to infect inexperienced cybercriminals with a Remote Access Trojan (RAT) capable of stealing confidential information.

OpenBullet is a legitimate open source penetration testing tool used to automate credential stuffing attacks. The program accepts a website-specific configuration file and can combine it with a password list obtained through other means to log successful attempts.

The popularity of OpenBullet has grown rapidly since April 2019, when attackers realized the value of the tool. Configurations, which are pieces of executable code that generate HTTP requests to a target website or web application, are freely sold on the dark web, so even low-skilled script kiddies can carry out attacks using OpenBullet.

OpenBullet attack chain
This campaign uses configuration files to target other cybercriminals who look for such files on hacker forums. The detected campaign uses malicious configurations posted to a Telegram channel that reach out to a GitHub repository and download a Rust-based dropper called "Ocean", which in turn pulls the next-stage payload from the same repository.

The executable (Python-based malware called "Patent") ends up launching a RAT that uses Telegram as a command and control (C2) server and can do the following:
  • capture screenshots;
  • list the contents of a directory;
  • terminate tasks;
  • steal cryptocurrency wallet information;
  • steal passwords and cookies from Chromium-based web browsers.

Target browsers and crypto wallets include Brave, Google Chrome, Microsoft Edge, Opera, Opera GX, Opera Crypto, Yandex Browser, Atomic, Dash Core, Electron Cash, Electrum, Electrum-LTC, Ethereum Wallet, Exodus, Jaxx Liberty, Litecoin Wallet, and mincoin.

The Trojan also functions as a clipper: it replaces the recipient's cryptocurrency wallet address on the clipboard with the attacker's address, which leads to unauthorized transfers of funds.
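As an added example (not code from the article, from Kasada or from the malware), a defender-side check for the clipboard swap described above. It assumes a hook that reports user-originated copies and a reader that polls the clipboard, both modelled here as plain method calls, and the wallet addresses it uses are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Simplified, constructed patterns for the address formats a clipper targets
# (Bitcoin base58/bech32, Litecoin, Ethereum-style hex). Syntactic checks only;
# no checksum validation is performed.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    "litecoin": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[ac-hj-np-z02-9]{11,71})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_family(text: str) -> Optional[str]:
    """Return the coin family `text` looks like, or None if it is not an address."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


@dataclass
class SwapAlert:
    family: str
    copied: str
    replaced_with: str


class ClipboardGuard:
    """Remembers what the user last placed on the clipboard and compares it with
    what comes back when the clipboard is read. A clipper rewrites the clipboard
    silently, so a read that returns a different address of the same family,
    with no user copy in between, is the signal. Assumption: every user copy
    is reported through user_copied(); unhooked copy paths would look like swaps."""

    def __init__(self) -> None:
        self._last_user_copy: Optional[str] = None

    def user_copied(self, text: str) -> None:
        # Called from the copy path (hotkey or menu): a user-originated write.
        self._last_user_copy = text.strip()

    def observe(self, clipboard_now: str) -> Optional[SwapAlert]:
        # Called whenever the clipboard is read back (poll or paste).
        current = clipboard_now.strip()
        expected = self._last_user_copy
        if expected is None or current == expected:
            return None
        family = address_family(expected)
        if family is None or address_family(current) != family:
            # The user copied non-address text, or the new content is not an
            # address of the same family: treat as an ordinary clipboard change.
            return None
        return SwapAlert(family=family, copied=expected, replaced_with=current)
```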

Two bitcoin wallet addresses controlled by the attacker received a total of $1,703 over the past two months, funds that were subsequently laundered through the anonymous Fixed Float crypto exchange.

The distribution of malicious OpenBullet configurations via Telegram is a new infection vector that appears to target criminal communities because of their frequent use of cryptocurrencies. Such attacks let the operators tailor their tooling to a specific target group and steal both funds and victims' accounts.