A new Trojan being sold on the Dark Web comes with a plethora of tools to steal bank details, online gaming credentials, and cryptocurrency wallets.
On Thursday, researchers from the Zscaler ThreatLabZ team said the new Trojan, dubbed Saefko, is written in .NET and has been equipped with a variety of functions which make it a dangerous new addition to the threat landscape.
Remote Access Trojans (RATs) infiltrate systems through a variety of means including phishing emails with malicious attachments, drive-by downloads, and sometimes as part of bundled software programs from untrustworthy sources.
Once Saefko infects a machine, operators are able to use an administration tool which supports multiple operating systems, including Windows and Android devices. An advert for a cracked version of the malware found in a Dark Web forum is shown below.
The Trojan, saefkoagent.exe, will unpack itself and create a startup key to maintain persistence, rebooting at every restart of an infected machine. Saefko attempts to stay under the radar and will covertly check for an Internet connection, as well as fetch Google Chrome browser history to make a list of targets suitable for data theft.
The malware has a long and specific list of information it will attempt to harvest from a victim and send to its operator’s command-and-control (C2) center. Saefko scours Google Chrome records for financial website visits, social media, cryptocurrency, gaming, and retail activities.
Saefko will check for logs relating to a vast array of websites, including but not limited to PayPal, Amazon, Bitpay, Mastercard, Steam, Twitch, GameStop, Microsoft, YouTube, Capital, Bitstamp, Facebook, Instagram, and Google’s Gmail.
E-retailers are also of interest, including Boohoo, Superdry, Macy’s, Target, and Alibaba.
It also appears that the developers of the malware want to ascertain the business value of a victim, as the list includes websites which may be of corporate value — such as LinkedIn, the Financial Times, Investing.com, Reuters, and Zacks.
The domains a victim has visited, as well as how many times, are sent to the C2. It is then up to the operator to show the green light for further infection, setting into motion four different modules.
HTTPClinet is the first module in play, and this element will gather system information, send it to the C2, and request additional payloads.
KEYLogger will capture keystrokes and save them in a text file, while StartLocalServices will check to see if removable or networked drives exist and will copy the malware to any removable USB devices found.
To implement the last module, IRCHelper, any current Internet Relay Chat (IRC) connections are cut. The tool will then ping a range of servers for data theft commands, such as downloading and executing new files, opening URLs, grabbing system location information, and the transfer of the keystroke log.
Saefko is also able to compile video files with footage from an infected system.
The new Trojan’s capabilities are rather extensive, and while data and account credentials remain lucrative, new malware with similar information-stealing functionality will continue to be developed.
Earlier this week, researchers from Trend Micro revealed the latest concealment tactics of the LokiBot malware. Developers of the malware have begun using steganography, the practice of hiding text, messages, or code in image files, to hide source code.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0