BoryptGrab is a C/C++ information stealer that includes VM and anti-analysis checks and attempts to execute with elevated privileges.

It can harvest information from close to a dozen browsers, uses Chrome App Bound Encryption techniques from two GitHub repositories, and downloads a Chromium helper to collect information from the targeted browsers.

It can also collect data from desktop cryptocurrency wallet applications and browser extensions, harvest system information, take screenshots, and collect files with specific extensions.

Additionally, Trend Micro discovered that the stealer can obtain Telegram files, browser passwords, and, in newer iterations, Discord tokens. All the harvested information is archived and sent to the attacker’s C&C server.

Some of the identified variants also deploy the TunnesshClient backdoor, which in other cases is dropped using different downloaders.

TunnesshClient can execute commands provided by the attacker via a reverse SSH tunnel. Based on these, the malware acts as a SOCKS5 proxy, executes shell commands, lists files, searches for files, uploads and downloads files, or sends entire folders to the attacker’s server.

“The BoryptGrab campaign illustrates an evolving threat ecosystem targeting users through deceptive software downloads and fake GitHub repositories,” Trend Micro notes, adding that the operation shows an increasing level of engineering sophistication.

Source: SecurityWeek