A new variant of the credential-stealing Zaraza malware is pilfering login credentials stored by the web browsers Google Chrome, Microsoft Edge, Opera and Brave. Threat actors are leveraging Telegram servers as their command-and-control (C2) platform to shuffle bank login credentials and cryptocurrency exfiltrated from targeted computers, researchers warn.
Uptycs, which released the report outlining the malware campaigns, said Telegram is also being used to distribute and market the Zaraza malware. Researchers believe adversaries behind the campaign have ties to Russia, adding the name of the malware (zaraza) translates from Russian to the word "infection."
In all, nearly 40 web browsers are targeted by adversaries using the Zaraza bot. Noticeably absent from the list are Apple's Safari and the Mozilla Foundation's Firefox. The Uptycs analysis did not include the initial access path or technique adversaries use to infect targeted computers.
“Attackers... use the stolen data for malicious purposes such as identity theft, financial fraud, and unauthorized access to personal and business accounts,” Uptycs said.
Interestingly, the Zaraza malware can crack the encryption used by targeted browsers to protect stored passwords. "The web browser on the system stores credentials in two encrypted formats as a default security measure. However, Zaraza bot is capable of decrypting both formats," researchers said.
The Zaraza bot appears to be part of an organized criminal enterprise, with threat actors able to purchase access to the bot from a centralized malware distributor. The use of the Telegram Messenger platform as a C2 by threat actors follows an ongoing trend. Uptycs said adversaries like Telegram because they can use it to distribute malware, move data and bypass detection.
Zaraza is distributed as a 64-bit binary file compiled using the C# programming language and contains Russian Cyrillic characters in its code. After scanning the infected device, the malware creates an “output.txt” file in a new subfolder in the Temp directory. “After successfully extracting encrypted passwords from the browser, the attacker then saved this data to the output.txt file,” the researchers said.
A screenshot of the victim’s machine is also stored in the output.txt location, which is then shared to the Telegram channel.
Uptycs provided a copy of a YARA rule that security pros can load into any EDR/XDR product with YARA rule detection capabilities, and then manually remove the malicious files it flags. One indicator of compromise is an MD5 file hash (41D5FDA21CF991734793DF190FF078BA).
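For responders without a YARA-capable EDR, the two indicators the article gives (the published MD5 and the output.txt artifact staged in a subfolder of Temp) can be swept for with a short script. The following is an added example and not code from Uptycs or the report; the function names scan_tree and md5_of_file, the behaviour of treating only files one level below Temp as a match, and the constructed test files are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 indicator of compromise as quoted in the article (stored lowercase for comparison).
ZARAZA_MD5_IOCS = {"41d5fda21cf991734793df190ff078ba"}

# Behavioural indicator from the article: the bot writes "output.txt" into a
# freshly created subfolder of the Temp directory before sending it to Telegram.
SUSPECT_FILENAME = "output.txt"


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, known_md5s=ZARAZA_MD5_IOCS, temp_root=None):
    """Walk `root` and return a list of (path, reason) findings.

    Two checks are applied:
      * hash match: the file's MD5 is in the known-bad set;
      * artifact match: a file named output.txt sitting exactly one level
        below `temp_root` (the Temp directory), i.e. Temp/<subfolder>/output.txt,
        which is where the article says Zaraza stages stolen data.
    """
    root = Path(root)
    temp_root = Path(temp_root).resolve() if temp_root else None
    known = {h.lower() for h in known_md5s}
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable (permissions, file in use): skip, do not abort the sweep
            if digest in known:
                findings.append((str(path), f"md5 matches IoC {digest}"))
            if (temp_root is not None
                    and name.lower() == SUSPECT_FILENAME
                    and path.resolve().parent.parent == temp_root):
                findings.append((str(path), "output.txt in Temp subfolder"))
    return findings


if __name__ == "__main__":
    # Stand-alone use: sweep the current user's Temp directory for both indicators.
    temp_dir = tempfile.gettempdir()
    for found_path, reason in scan_tree(temp_dir, temp_root=temp_dir):
        print(f"{reason}: {found_path}")
```

A hash match is an exact-file indicator and will miss recompiled builds, so the output.txt heuristic is the more durable of the two; treat any hit as a trigger to pull the file and the surrounding Temp subfolder for analysis rather than deleting it in place.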