A recent malware campaign has emerged, employing malicious OpenBullet configuration files to target inexperienced cyber criminals, aiming to deliver a remote access trojan (RAT) capable of pilfering sensitive information. The campaign, uncovered by bot mitigation company Kasada, strategically leverages these trusted criminal networks, representing an instance of advanced threat actors exploiting novice hackers.
OpenBullet, a legitimate open-source pen testing tool, is being misused for this purpose, allowing automation of credential stuffing attacks. Kasada’s discovery sheds light on how these configurations, which generate HTTP requests for target websites, are traded within criminal communities, enabling even script kiddies to engage in cyber attacks.
The exploitation of OpenBullet’s capabilities introduces a concerning trend, targeting criminal actors who seek these configuration files on hacking forums. Kasada’s investigation revealed that the campaign employs malicious configs shared on Telegram to access a GitHub repository, fetching a Rust-based dropper named Ocean. This dropper, in turn, retrieves the next-stage payload from the same repository. This payload, a Python-based malware referred to as Patent, ultimately executes a remote access trojan.
Operating through Telegram, Patent commands various actions, including capturing screenshots, listing directory contents, exfiltrating crypto wallet details, and stealing passwords from Chromium-based web browsers. Moreover, the trojan functions as a clipper, replacing clipboard contents to initiate unauthorized fund transfers, thereby posing a significant threat to cryptocurrency security.
The malware campaign’s effectiveness is evident in the $1,703.15 worth of Bitcoin funds laundered through an anonymous crypto exchange, highlighting the severity of the situation. The distribution of malicious OpenBullet configs via Telegram serves as a unique infection vector, exploiting the frequent use of cryptocurrencies within these criminal communities. This approach offers attackers the opportunity to target specific groups and gain access to funds, accounts, or sensitive information.
As the cybersecurity landscape evolves, this campaign underscores the importance of vigilance in both the NFT and broader digital asset communities, as the perpetrators continue to adapt their tactics and exploit unsuspecting users.
