A new credential-stealing malware called Zaraza bot is being offered for sale on Telegram while using the popular messaging service as a command-and-control (C2). The malware is designed to target up to 38 different web browsers, capturing login credentials associated with online bank accounts, cryptocurrency wallets, email accounts, and other websites of value.
Once it infects a victim’s computer, it retrieves sensitive data and sends it to a Telegram server where the attackers can access it immediately. Evidence gathered by Uptycs suggests that Zaraza bot is offered as a commercial tool for other cybercriminals for a subscription.
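One defensive angle on the Telegram C2 described above, added here as an illustration and not taken from the article or from Uptycs' analysis: if the stealer reaches Telegram through the public Bot API (an assumption; the article only says data goes to a Telegram server), its requests have the shape `https://api.telegram.org/bot<token>/<method>`, which is easy to flag in egress proxy logs when the calling process is not a known Telegram client. The log lines, hostnames and the process allowlist below are constructed.

```python
import re
from dataclasses import dataclass

# Constructed egress proxy log sample (not real telemetry), one request per line:
# <timestamp> <host> <process> <verb> <url>
SAMPLE_LOG = """\
2023-04-17T10:01:02Z ws01 chrome.exe GET https://web.telegram.org/k/
2023-04-17T10:02:15Z ws01 svchost.exe POST https://api.telegram.org/bot123456:EXAMPLE-TOKEN-A/sendDocument
2023-04-17T10:02:16Z ws02 update.exe POST https://api.telegram.org/bot987654:EXAMPLE-TOKEN-B/sendMessage
2023-04-17T10:03:40Z ws03 Telegram.exe POST https://api.telegram.org/bot555:EXAMPLE-TOKEN-C/getUpdates
2023-04-17T10:04:00Z ws01 outlook.exe GET https://login.microsoftonline.com/
"""

# Bot API requests have the form https://api.telegram.org/bot<token>/<method>.
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot([^/]+)/(\w+)")

# Bot API methods that push data out of the host; a stealer uploading a
# credential archive into a chat would use one of these.
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

# Processes expected to talk to Telegram in this assumed environment.
ALLOWED_PROCESSES = {"telegram.exe"}


@dataclass(frozen=True)
class Alert:
    host: str
    process: str
    api_method: str
    token_id: str   # numeric part before ':', a pivot key that does not store the secret
    severity: str


def detect_bot_api_exfil(log_text, allowed=ALLOWED_PROCESSES):
    """Flag Bot API calls made by processes that should never act as a Telegram bot."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, process, _verb, url = line.split(maxsplit=4)
        m = BOT_API_RE.match(url)
        if m is None or process.lower() in allowed:
            continue
        token, api_method = m.groups()
        # Upload methods mean data is leaving the host; polling methods are lower priority.
        severity = "high" if api_method in UPLOAD_METHODS else "medium"
        alerts.append(Alert(host, process, api_method, token.split(":")[0], severity))
    return alerts
```

The bot token identifier is kept only as a pivot for correlating hosts that report to the same bot; the full token never needs to be stored in the alert.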
It is currently unclear how the malware is propagated, but information stealers have typically leveraged methods such as malvertising and social engineering in the past.
The discovery comes after eSentire’s Threat Response Unit (TRU) disclosed a GuLoader campaign targeting the financial sector via phishing emails. The campaign employs tax-themed lures to deliver information stealers and remote access trojans like Remcos RAT. This development follows a spike in malvertising and search engine poisoning techniques to distribute a growing number of malware families by enticing users searching for legitimate applications into downloading fake installers containing stealer payloads.
Kaspersky has also revealed the use of trojanized cracked software downloaded from BitTorrent or OneDrive to deploy CueMiner, a .NET-based downloader that acts as a conduit to install a cryptocurrency miner known as SilentCryptoMiner.
To mitigate risks stemming from stealer malware, it is recommended that users enable two-factor authentication (2FA) and apply software and operating system updates as and when they become available.
The stolen credentials pose a serious risk as they not only allow threat actors to gain unauthorized access to victims’ accounts, but also conduct identity theft and financial fraud. Zaraza bot is the latest example of malware that can capture login credentials, and it is being actively distributed on a Russian Telegram hacker channel popular with threat actors.