Zaraza bot infostealer targets numerous web browsers

May 5, 2023

Threat actors are advertising the Zaraza bot, a recently emerged information-stealing botnet, on a well-known Russian-language Telegram channel. According to reports, it can harvest sensitive data, including stored credentials, from about 38 popular web browsers, and it abuses Telegram as its exfiltration channel so that its traffic blends in with a legitimate service and draws less attention from security solutions.

Researchers found that the malware scans a compromised device for any of 38 web browsers on its target list. Confirmed targets include Microsoft Edge, Brave, Yandex, Vivaldi, AVG Browser, Opera, and Google Chrome.

Once it identifies an installed browser, the malware extracts the credentials saved there for email accounts, online banking, cryptocurrency wallets, and other financial sites. It does this by reading the browser's own storage: the specific databases and archive files in the profile directory where saved logins are kept.

Browsers encrypt saved passwords at rest, so when Zaraza finds an encrypted credential it runs a decryption routine before exfiltrating it. This is why at-rest encryption offers little protection against a stealer running in the victim's own session: for the Chromium-based browsers listed above, the key that protects saved logins on Windows is itself wrapped with the user's DPAPI credentials, and any process running as that user can unwrap it.

The Zaraza bot is lightweight malware that can inflict damage comparable to far more sophisticated threats.

Analysis shows that the Zaraza bot is a lightweight 64-bit binary. Researchers note that parts of its code and log strings are written in Russian, consistent with the Russian-language channel on which it is advertised.

Researchers have yet to pin down the operators' distribution method, but they believe the actors rely on social engineering or malvertising campaigns to spread the malware.

Upon infection, the bot scans the system for the data described above and saves it to a text archive. It also captures a screenshot of the active window and stores it as a JPG. Both are then sent to an attacker-controlled Telegram channel, so the exfiltration that a defender can observe is ordinary HTTPS traffic to Telegram's servers.

The newly discovered Zaraza bot displays all the typical traits of credential-stealing malware: it harvests bank account details and crypto wallet data and ships them out over Telegram so that the traffic attracts less scrutiny from anti-malware solutions.
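Because the evasion described above rests entirely on Telegram traffic looking benign, the practical counter is to know which processes on your estate are allowed to talk to Telegram's Bot API at all and to alert on everything else. The script below is an added example for this article, not Zaraza code and not any vendor's detection: it walks constructed proxy log lines (the log format, the host name, the `updater.exe` process name, the `alertbot.exe` allow-list entry and the bot token are all assumptions made for the example) and reports every Bot API call made by a process that is not on the allow-list, scoring uploads such as `sendDocument` and `sendPhoto` highest because that is how a stealer delivers its text archive and screenshots.

```python
"""Flag Telegram Bot API traffic that looks like infostealer exfiltration.

Added example for this article; not Zaraza code or a vendor signature.
Reads constructed proxy log lines and reports Bot API use by processes that
are not allow-listed, without ever retaining the bot token's secret part.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Bot API methods a stealer needs to deliver loot: sendMessage for a short
# credential dump, sendDocument for the text/zip archive, sendPhoto for screenshots.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

# The bot token sits in the URL path: /bot<numeric id>:<secret>/<method>.
# Capturing only the numeric id lets analysts correlate without storing the secret.
BOT_PATH_RE = re.compile(r"^/bot(\d{6,12}):([A-Za-z0-9_-]{30,45})/([A-Za-z]+)")

# Hypothetical allow-list: the only process on this estate expected to use the
# Bot API. Adjust to your own automation. The Telegram desktop client itself
# speaks MTProto and does not call api.telegram.org, so it is not listed.
ALLOWED_PROCESSES = {"alertbot.exe"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    host: str
    process: str
    bot_id: str        # token secret is deliberately not retained
    method: str
    req_bytes: int     # bytes sent by the client: upload volume is the exfil signal
    severity: str


def parse_line(line):
    """Split a constructed log line: '<ts> <host> <process> <verb> <url> <status> <req_bytes>'."""
    parts = line.split()
    if len(parts) != 7 or not parts[6].isdigit():
        return None
    ts, host, process, verb, url, status, req_bytes = parts
    return ts, host, process.lower(), verb, url, status, int(req_bytes)


def detect_telegram_exfil(lines, allowed=ALLOWED_PROCESSES):
    """Return a Finding for every Bot API call made by a non-allow-listed process."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, host, process, verb, url, _, req_bytes = parsed
        u = urlsplit(url)
        if u.hostname != "api.telegram.org":
            continue
        m = BOT_PATH_RE.match(u.path)
        if not m or process in allowed:
            continue
        bot_id, _secret, method = m.groups()
        # Uploads from an unexpected process are the strongest signal; any other
        # Bot API use (getMe, getUpdates, ...) from that process still merits a look.
        severity = "high" if verb == "POST" and method in EXFIL_METHODS else "medium"
        findings.append(Finding(n, host, process, bot_id, method, req_bytes, severity))
    return findings


def summarize(findings):
    """Aggregate bytes sent per (host, process, bot id) so volume stands out."""
    totals = {}
    for f in findings:
        key = (f.host, f.process, f.bot_id)
        totals[key] = totals.get(key, 0) + f.req_bytes
    return totals


# Constructed sample log; the bot token, host and process names are synthetic.
FAKE_TOKEN = "123456789:" + "AAE" + "x" * 32
SAMPLE_LOG = [
    "2023-05-05T10:14:02Z host7 msedge.exe GET https://www.bing.com/search?q=browser+update 200 512",
    f"2023-05-05T10:15:11Z host7 alertbot.exe POST https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage 200 140",
    f"2023-05-05T10:16:40Z host7 updater.exe POST https://api.telegram.org/bot{FAKE_TOKEN}/getMe 200 60",
    f"2023-05-05T10:16:41Z host7 updater.exe POST https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument 200 73994",
    f"2023-05-05T10:16:43Z host7 updater.exe POST https://api.telegram.org/bot{FAKE_TOKEN}/sendPhoto 200 211002",
    "2023-05-05T10:17:00Z host7 chrome.exe GET https://web.telegram.org/ 200 900",
]

if __name__ == "__main__":
    results = detect_telegram_exfil(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.severity:6} {f.process} -> bot {f.bot_id} {f.method} ({f.req_bytes} bytes)")
    for (host, proc, bot), total in summarize(results).items():
        print(f"{host} {proc} bot {bot}: {total} bytes sent")
```

The same allow-list idea works one layer down if your proxy does not log the process name: DNS queries for api.telegram.org from hosts that have no sanctioned bot are already worth an alert, and the Bot API's URL structure means the token's numeric id can be pulled from proxy URLs for correlation without putting the secret in your SIEM.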

Such malware has been on the rise for the past few months; strains like WASP and Sideload Stealer employ the same tactic as the Zaraza operators.

Users should be wary of links received from unknown sources on social media platforms and should not download software from untrusted sources. Defenders should also treat passwords saved in a browser as recoverable by any code running in that user's session, and watch for unexpected processes connecting to Telegram's servers.
