Short summary:

This is a sophisticated malware campaign that is targeting inexperienced cyber criminals with the goal of stealing their cryptocurrency and other sensitive information. The campaign is using malicious OpenBullet configuration files to distribute the malware, and it is targeting criminal communities that are known to use cryptocurrencies.

Other reading:

https://thehackernews.com/2023/08/new-malware-campaign-targets.html

Entertaining bits:

• A new malware campaign has been observed targeting inexperienced cyber criminals with the goal of delivering a remote access trojan (RAT).
• The campaign is using malicious OpenBullet configuration files that are shared on a Telegram channel.
• The RAT delivered can capture screenshots, list directory contents, terminate tasks, exfiltrate crypto wallet information, and steal passwords and cookies from Chromium-based web browsers.
• Targeted browsers and crypto wallets include Brave, Google Chrome, Microsoft Edge, Opera, Opera GX, Opera Crypto, Yandex Browser, Atomic, Dash Core, Electron Cash, Electrum, Electrum-LTC, Ethereum Wallet, Exodus, Jaxx Liberty, Litecoin Wallet, and Mincoin.
• The trojan also functions as a clipper to monitor the clipboard for cryptocurrency wallet addresses and substitute contents matching a predefined regular expression with an actor-controlled address, leading to unauthorized fund transfers.
• Two of the Bitcoin wallet addresses operated by the adversary have received a total of $1,703.15 over the past two months, which were subsequently laundered using an anonymous crypto exchange known as Fixed Float.
• The researchers say that the distribution of the malicious OpenBullet configs within Telegram is a novel infection vector, likely targeting these criminal communities due to their frequent use of cryptocurrencies.
• They say that this presents an opportunity for attackers to shape their collection to a specific target group and obtain other members’ funds, accounts, or access.