Selling and buying Trojans in the underground market

Lord777

Content
  • 1. Selling and buying Trojans
    • 1.1 N0F1L3
    • 1.2 Kratos
    • 1.3 AZORult
    • 1.4 Eredel
    • 1.5 Kpot
    • 1.6 Arkei
    • 1.7 Pony
    • 1.8 Predator The Thief
  • 2. Total
Among commercial Trojans, a separate niche is occupied by stealers and similar spyware. It is not surprising: other people's secrets have always been valuable. We have analyzed the malware market and would like to share this information with you.
In today's article we will tell you about commercially available spyware Trojans, their features, functionality and methods of fighting this malware.

Selling and buying Trojans
Distribution and use of malware is a criminal offense and is punishable by severe penalties under applicable law. Don't forget about it!

N0F1L3
A stealer with such a hard-to-pronounce name was actively sold on the Web until the author attracted the attention of stern people in uniform. The first version of the Trojan was written in .NET, the second, named N0F1L3v2, in C#. The Trojan specialized in stealing passwords from the Chrome, Opera, Yandex, Torch, Amigo, Cometa and Orbitum browsers.

[Image: Selling the N0F1L3 Trojan]

The stealer was put up for sale on several forums at a very modest price, and in two versions: for $15 and $45 respectively. The author sold the source code for $600. The first release required .NET 2.0 to work, carried the sqlite3.dll library with it and dropped the right build of this library to disk according to the Windows bitness. It saved the stolen passwords to a text file with HTML markup directly on the infected machine and then uploaded it to the server.

The second version differed from the first by having no dependencies, thanks to which it could in theory work on a clean system. In addition, it learned how to pilfer information from Firefox, something the first modification of N0F1L3 never mastered. The stealer collected cookies, autofill form data and passwords from browsers, and copied files with the extensions .doc, .docx, .txt and .log from the desktop. From the popular FileZilla FTP client it grabbed the files filezilla_recentservers.xml and filezilla_sitemanager.xml. The Trojan also tried to steal BTC, BCN, DSH, ETH, LTC, XMR and ZEC crypto wallets, after which it stuffed all this wealth into local folders and uploaded it to the control server as an archive.

[Image: Admin panel for the N0F1L3 Trojan]

N0F1L3 is equipped with an admin panel written in PHP, where you can view the Trojan's statistics and its logs. The author not only sold the stealer but also offered anonymous users other commercial services around it: updates, support for more browsers, and solving all sorts of technical problems. Not surprisingly, well-wishers soon began actively reselling N0F1L3 on many popular and not-so-popular sites, and after the author ran into problems with the law, the stealer was posted publicly. Trojan sources of varying degrees of freshness can be found on thematic boards to this day.

N0F1L3 detection methods
All versions of N0F1L3 and its numerous modifications are detected just fine by antiviruses, but if you, dear reader, don't use one on principle, it is still not hard to detect the stealer's presence on a system. The earlier modification of the Trojan saves the stolen data to the file %LOCALAPPDATA%\f.txt; its presence is a sure sign of infection. N0F1L3v2 creates folders with telling names (Browsers, Wallets, Files and Directory) in %TEMP%; the first usually contains the files with information pulled from browsers: Passwords.txt, Cookie.txt, CC.txt and Autofill.txt. N0F1L3 does not know how to hide in the system, so rooting it out is a matter of technique.

Kratos
Another "stealer-forte" by the same author, named either after a Titan from Greek mythology or, more likely, after the hero of the game God of War. The Trojan was almost completely rewritten in C++, although a significant part of the functions in its code begin with an anti-debugging insert in assembler that checks the state of the BeingDebugged field in the PEB structure. This structure is created in the process's memory when it starts and contains information about the environment, loaded modules and other useful data. At byte offset 2 (read as byte ptr [rax + 2]) this structure holds a flag that lets the Trojan determine that its process is running under a debugger and terminate.

[Image: "I'm not like that!"]

In addition to the functions already implemented by its predecessors, Kratos can take screenshots (the picture is saved in %TEMP% under the name screenshot.bmp) and copy files from the Telegram client folder %AppData%\Telegram Desktop\tdata. The stealer also searches the registry for the HKCU\Software\Valve\Steam key. Having found it, it reads the SteamPath value to determine where the Steam client is installed, and then pulls the files config\config.vdf, config\loginusers.vdf and config\SteamAppData.vdf from there. Kratos packs everything stolen into an archive and sends it to the control server with a POST request.

[Image: Kratos admin panel]

Kratos uses an admin panel generally similar to N0F1L3's (except that the default background image is not as cute). The developer himself sold his creation for 5,000 rubles, but on all the well-known sites anonymous users quickly turned up who were ready to give away builds for 1,500 and even less: for a like, a review or a plus to their reputation. And after the author's deanonymization and the sad events that followed, the stealer appeared in public, completely free. As a result, Kratos has spread across this Internet of yours like cockroaches in a student hostel, periodically crawling out of secluded cracks here and there. Insecticide is ineffective; it can only be burned out with napalm.

Kratos detection methods
Antiviruses detect this Trojan without breaking a sweat. You can determine the presence of Kratos on a system by the same folders in %TEMP% as for N0F1L3, except that Telegram and Steam directories with quite obvious contents have been added to them.

AZORult
This is the name of a commercial stealer widely known in narrow circles, with the broadest set of functionality. The Trojan can steal saved passwords, form data and cookies from 33 different browsers, a good half of whose names I first saw in the advertising description of this very stealer. The Trojan's admin panel has a special converter that lets you view the contents of cookies in JSON format.

[Image: AZORult admin panel]

AZORult can pull passwords from the Outlook and Thunderbird email clients, the FileZilla and WinSCP FTP clients, and the Pidgin and Psi/Psi+ IM clients. From Skype it can copy correspondence, from Telegram session identifiers, and from the Steam client ssfn and vdf files. The list of cryptocurrencies whose wallets AZORult can steal is quite impressive: 38 names (about half of which don't mean anything to me personally either, lol).

The stealer's capabilities go beyond banalities like taking screenshots: it also knows how to search an infected machine for files by name, size or mask with recursive traversal of nested directories, can collect information about the software environment and hardware configuration (including geolocation, the list of installed applications and running processes), and can download and run a specified file from the command and control server. The Trojan has an automatic self-deletion function after sending a report, if enabled in the admin panel, and can work with servers that use a .bit domain. The uncompressed executable takes about 110 KB, and under a packer it can easily be reduced to 40. Such is the harvester, for the price of $100.

[Image: Selling the AZORult Trojan]

Last October the author rolled out a Trojan update that allows the stealer to be packed into a Word or Excel document, so that infection occurs when you try to open it. And at the beginning of this year there were cases of the stealer being distributed under the guise of the Google Update utility, signed, typically enough, with a valid certificate.

AZORult detection methods
A lot of interesting things can be found under the hood of AZORult. The name of the control server is stored in the stealer's body in encrypted form: Base64 with an arbitrary alphabet plus RC4 are used for encryption, and the key is likewise hardcoded by the author. To connect to the server, AZORult uses sockets, with the data sent to the server and the responses received being XORed. Architecturally, the stealer consists of several functional modules, which are enabled according to the config obtained from the admin panel.
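The encrypted C2 string described above (Base64 with a non-standard alphabet, then RC4 with a hardcoded key) is the kind of thing an analyst has to decode when pulling a sample's configuration. The following decoder is an added example and is not AZORult's own code or taken from it; the alphabet, key and ciphertext in it are constructed stand-ins, and the real values would have to be recovered from the sample itself (typically from the strings or the decryption routine in the disassembly).

```python
"""Recovering a hostname stored as custom-alphabet Base64 over RC4.

Added example, not AZORult's code. It reproduces the scheme the article
describes so that, once the alphabet and key have been pulled out of a
sample, the stored string can be decoded. SAMPLE_ALPHABET, SAMPLE_KEY and
SAMPLE_BLOB are constructed for this example, not values from any real sample.
"""
import base64

STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Constructed stand-in for a sample's shuffled alphabet: the standard one reversed.
SAMPLE_ALPHABET = STD_ALPHABET[::-1]
SAMPLE_KEY = b"example-key"  # constructed, not a real key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call encrypts and decrypts."""
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA), XORed onto the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def b64_decode_custom(text: bytes, alphabet: bytes) -> bytes:
    """Map the sample's alphabet back onto the standard one, then decode.

    A plain base64 decode of such a string yields garbage (or a padding error),
    which is exactly why the author bothered with a custom alphabet."""
    table = bytes.maketrans(alphabet, STD_ALPHABET)
    return base64.b64decode(bytes(text).translate(table))


def b64_encode_custom(raw: bytes, alphabet: bytes) -> bytes:
    """Inverse of b64_decode_custom; used here only to build the test blob."""
    table = bytes.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(raw).translate(table)


def recover_c2(blob: bytes, alphabet: bytes, key: bytes) -> str:
    """Undo the two layers in reverse order: custom Base64, then RC4."""
    return rc4(key, b64_decode_custom(blob, alphabet)).decode("ascii")


# Constructed ciphertext: what a sample's body would hold for this hostname.
SAMPLE_BLOB = b64_encode_custom(rc4(SAMPLE_KEY, b"c2.example.invalid"), SAMPLE_ALPHABET)

if __name__ == "__main__":
    print("stored blob:", SAMPLE_BLOB.decode())
    print("recovered  :", recover_c2(SAMPLE_BLOB, SAMPLE_ALPHABET, SAMPLE_KEY))
```

The alphabet translation is the only part specific to a given build; once you know the 64-character alphabet and the RC4 key, every string encoded the same way in that build decodes with the same two calls, so the routine doubles as a quick way to extract the full set of C2 indicators for blocking.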

Since the builders for AZORult are widespread on the Internet and it gets repacked with enviable regularity, not all of its samples are caught by antiviruses. However, the Trojan has one characteristic feature: it stores the libraries it downloads and needs in the %appdata%\1Mo\ folder, the creation of which can be considered one of the sure signs of infection.

Eredel
A commercial stealer in C# with a fairly standard set of functions: stealing cookies and passwords from Chromium-based browsers, taking screenshots, copying files from the FileZilla and Telegram folders, as well as images, archives and documents that the user inadvertently left on the desktop. Control is via the traditional web admin panel.

[Image: Eredel admin panel]

Among Eredel's interesting features, it is worth noting a special Telegram bot with which the Trojan can be configured. The stealer is sold on various sites at a price of 2,500 rubles.

Eredel detection methods
Because it is not "cleaned" very regularly, Eredel is perfectly detected by the most popular antiviruses, so bothering with "manual" capture is not always rational. The stealer creates a folder in %TEMP% whose name is a hexadecimal sequence (for example, 0deb54d04c2140bb95d9d3f4919184aa); it holds the file screen.jpg with the screenshot and also contains the desktop and cookies folders. If these signs of infection are present, you can proceed to root out the malware, and the best place to start is by deleting the contents of the temporary directories.

Kpot
A small non-resident Trojan whose uncompressed binary is slightly under 90 KB. It is written in C/C++ with anti-debugging inserts in assembler, which definitely recalls Kratos. The Trojan can take screenshots and steal cookies, passwords and saved autofill data from Chromium-based and Mozilla-based browsers; from MSIE 6-11 it pulls only stored authorization data. For Mozilla, the stealer uses TinySQL to parse the key3.db and signons.sqlite files, extracting passwords from them.

Kpot can steal Bitcoin, Namecoin, Monero, Electrum, Ethereum and Bytecoin crypto wallets, accounts from the Psi, Psi+ and Pidgin messengers, Skype correspondence, session files from Telegram, the Discord voice messenger and the Battle.Net client, ssfn, config.vdf and loginusers.vdf from Steam, and FTP logins and passwords from FileZilla, WinSCP, wsFtp and Total Commander.

One of the Trojan's capabilities is searching for files by name, size and mask, not only on local drives but also on network drives; however, in the version known to me it was not possible to issue such a command from the admin panel. Everything acquired by back-breaking labor is packed by the stealer into a .cab archive and uploaded to the control server.

The developer provided the ability to download and run, via loadpe, an executable whose link is specified in the control panel. On 32-bit versions of Windows the binary is launched in the context of the calling process, and on 64-bit versions the Trojan starts the command line and injects the application into the cmd.exe process.

After starting, the stealer sends information about the infected computer to the control server: operating system version, screen resolution, number of cores and processor type, amount of RAM, local time and time zone, and also reports the network interface's IP address. The Trojan is controlled through a web panel.

[Image: Kpot admin panel]

The price of a stealer build on themed boards is $65, and the Trojan does not work in the CIS: apparently, the author believes that the principle of "no victims, no complaints" will protect both himself and the users of this software from prosecution by law enforcement. However, as practice shows (take the case of the Kratos developer), this does not work at all.

Kpot detection methods
During operation the Trojan creates a bunch of files with ten-digit names in the %TEMP% folder and then deletes them. It is quite difficult to catch manually if the antivirus has not caught it, but you can spot the stealer at work with a traffic analyzer by its communication with the command and control server. In one of the more common samples, the C&C was located at seeyouonlineservice.com.

Arkei
Arkei is one of the most widely used commercial stealers on the market. The executable occupies only 96 KB, while the Trojan implements a set of functions quite standard for such software: sending information about the hardware and software environment to the control server, copying files from the desktop, taking a screenshot, collecting saved forms, logins, passwords, history and cookies from browsers (sixteen are in the list of supported ones), stealing Bitcoin and Ethereum wallets and data from the FileZilla FTP manager, as well as downloading and launching an arbitrary file on the infected machine, which, on a command from the admin panel, the Trojan can add to autorun by modifying the registry.

[Image: Buying the Arkei Trojan]

For controlling the stealer, the package includes a web admin panel, and the retail price of the Trojan was 3,000 rubles. Since February 2019 Arkei seems to have stopped updating, but the project, as far as I know, lives on in the guise of a private stealer.

Arkei detection methods
Like other similar Trojans, Arkei copies its executable to the Local Settings\Temp folder of the user under whose account it was launched. It saves the loot in the %PROGRAMDATA% folder, creating there a directory whose name is a sequence of fourteen characters, and inside it a \files\ subfolder. It contains text files with saved passwords, browser history, cookies and other data. The Trojan is well detected by the major antiviruses, many of them by its packer.

Pony
This stealer is not as popular among malware users as its competitors, although law enforcement agencies recently arrested a villain who was involved in creating admin panels, including for this Trojan.

Pony sources can be found on GitHub if you wish. The Trojan can steal information from Chromium- and Mozilla-based browsers, a bunch of FTP clients (there are several dozen in the list) and the mail clients PocoMail, IncrediMail, The Bat!, Outlook and Mozilla Thunderbird. It can also steal wallets of the most common cryptocurrencies. In general, the standard set, no surprises.

Pony detection methods
The low demand for this "goodie" is probably due, among other things, to the fact that the stealer is publicly available, which means its stealth value is zero point zero.

[Image: Pony detections]

The Trojan is known, appreciated and loved by antiviruses. However, the availability of the source code opens up wide scope for creativity among those who understand it.

Predator The Thief
A stealer with such a pompous name weighs about 430 KB; you can buy it on online markets for 2,000 rubles. The package includes a Trojan build, an admin panel, a manual for setting it up, a warranty card and headphones.

[Image: Selling Predator The Thief]

In addition to the standard functions (taking screenshots, stealing forms, passwords and history from browsers, collecting files from the desktop and from FTP clients, as well as grabbing Telegram sessions), Predator can save a snapshot from the infected device's built-in webcam, which becomes very important if the attacker suddenly gets the idea of spying on his ex. This function is perhaps the only interesting feature of this malware.

Predator the Thief detection methods
There are many modifications of this stealer in the wild, most of which are well known to all modern antiviruses. When launched, the Trojan creates a file with a name consisting of a long hexadecimal character sequence in the folder C:\Documents and Settings\<USER>\Application Data\ and starts it using schtasks.exe. It stores the loot in the %APPDATA%\roaming\ptst\ folder.
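The detection sections for N0F1L3, Kratos, AZORult, Eredel, Kpot, Arkei and Predator The Thief all come down to filesystem artifacts in %TEMP%, %LOCALAPPDATA%, %APPDATA% and %PROGRAMDATA%. The triage script below is an added example, not from the original article, that checks for all of those artifacts in one pass. It assumes a tree with those four locations as subfolders of one root (so it can be run against a constructed tree on any OS); the character set of Arkei's fourteen-character directory name is assumed to be alphanumeric, and the threshold of three ten-digit files for Kpot is this example's own choice.

```python
"""Host-artifact triage for the stealer families described in this article.

Added example, not code from the original post. It expects a directory tree
with LOCALAPPDATA, TEMP, APPDATA and PROGRAMDATA as subfolders of one root
(an assumption made so the script runs against a constructed tree on any OS;
on a live Windows host you would map each name to the real environment variable).
"""
import re
import tempfile
from pathlib import Path

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")      # Eredel: hex-named %TEMP% folder
TEN_DIGITS = re.compile(r"^[0-9]{10}$")       # Kpot: ten-digit temp file names
FOURTEEN = re.compile(r"^[0-9A-Za-z]{14}$")   # Arkei: 14-char dir (charset assumed)
STAGING = {"Browsers", "Wallets", "Files", "Directory"}  # N0F1L3v2 / Kratos


def _entries(folder: Path) -> list:
    """Children of a folder, or an empty list if it does not exist."""
    return list(folder.iterdir()) if folder.is_dir() else []


def scan(root) -> list:
    """Return one human-readable finding per indicator present under root."""
    root = Path(root)
    local, temp = root / "LOCALAPPDATA", root / "TEMP"
    appdata, programdata = root / "APPDATA", root / "PROGRAMDATA"
    hits = []

    # N0F1L3 (first release): stolen data staged as %LOCALAPPDATA%\f.txt
    if (local / "f.txt").is_file():
        hits.append("N0F1L3: %LOCALAPPDATA%\\f.txt present")

    # N0F1L3v2 / Kratos: Browsers, Wallets, Files, Directory (+ Telegram, Steam) in %TEMP%
    temp_dirs = {e.name for e in _entries(temp) if e.is_dir()}
    if STAGING & temp_dirs:
        family = "Kratos" if {"Telegram", "Steam"} & temp_dirs else "N0F1L3v2"
        hits.append(f"{family}: staging folders in %TEMP%: {sorted(STAGING & temp_dirs)}")
    if (temp / "screenshot.bmp").is_file():
        hits.append("Kratos: %TEMP%\\screenshot.bmp present")

    # AZORult: downloaded libraries kept in %APPDATA%\1Mo\
    if (appdata / "1Mo").is_dir():
        hits.append("AZORult: %APPDATA%\\1Mo\\ present")

    # Eredel: 32-hex-character folder in %TEMP% holding screen.jpg, desktop, cookies
    for e in _entries(temp):
        if e.is_dir() and HEX32.match(e.name) and (e / "screen.jpg").is_file():
            hits.append(f"Eredel: hex-named staging folder %TEMP%\\{e.name}")

    # Kpot: a burst of ten-digit file names in %TEMP% (threshold of 3 is our choice)
    ten = sorted(e.name for e in _entries(temp) if e.is_file() and TEN_DIGITS.match(e.name))
    if len(ten) >= 3:
        hits.append(f"Kpot: {len(ten)} ten-digit temp files, e.g. {ten[0]}")

    # Arkei: %PROGRAMDATA%\<14 chars>\files\ holding the loot text files
    for e in _entries(programdata):
        if e.is_dir() and FOURTEEN.match(e.name) and (e / "files").is_dir():
            hits.append(f"Arkei: %PROGRAMDATA%\\{e.name}\\files\\ present")

    # Predator The Thief: loot in %APPDATA%\roaming\ptst\
    if (appdata / "roaming" / "ptst").is_dir():
        hits.append("Predator The Thief: %APPDATA%\\roaming\\ptst\\ present")
    return hits


def build_sample_tree() -> Path:
    """Constructed tree with one indicator per family (placeholder contents, no real loot)."""
    root = Path(tempfile.mkdtemp(prefix="stealer-iocs-"))
    for rel in ["LOCALAPPDATA/f.txt", "TEMP/Browsers/Passwords.txt", "TEMP/screenshot.bmp",
                "TEMP/0deb54d04c2140bb95d9d3f4919184aa/screen.jpg",
                "TEMP/1234567890", "TEMP/2345678901", "TEMP/3456789012",
                "PROGRAMDATA/Ab12Cd34Ef56Gh/files/passwords.txt"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("constructed sample\n")
    for rel in ["TEMP/Telegram", "TEMP/Steam", "APPDATA/1Mo", "APPDATA/roaming/ptst"]:
        (root / rel).mkdir(parents=True, exist_ok=True)
    return root


if __name__ == "__main__":
    for finding in scan(build_sample_tree()):
        print(finding)
```

On a real host, map the four names to os.environ["LOCALAPPDATA"], ["TEMP"], ["APPDATA"] and ["PROGRAMDATA"] instead of one root. Treat the findings as leads rather than verdicts: the staging folders and loot files are usually gone once the archive has been uploaded, so a clean scan does not rule out an infection, and the network side (the C&C traffic the Kpot section mentions) is the complementary check.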

Total
To paraphrase the classics, all commercial stealers are similar to each other, but each works in its own way. The range of such programs is very wide, so people who trade in computer espionage will always be able to find something to their liking. It is only important not to forget that the development, distribution and use of malware is a criminal offense, for which the current legislation provides severe liability. Unfortunately, some people only remember this when it's too late.
 