- ‘Predator the Thief’ malware updated on Christmas Eve with version 3.3.4
- The new version is highly sophisticated, uses more encryption, evades detection
- Lures the victim with a phishing document disguised as ‘invoice’
- Collects victim’s information and sends it to the attacker using a file-less technique
- Uses legit Windows process, can delete itself and download more malware
- Users are advised to stay clear of phishing documents
Security researchers at Fortinet have been analyzing the sly malware Predator the Thief for some time now, and have discovered that it has been substantially developed over time.
Just a month back, the malware was updated twice and the latest version (3.3.4) is pretty dangerous and sophisticated, indicating how far the attackers have come in their malicious pursuit.
Apart from using more complex code, Predator the Thief now comes with more techniques to avoid detection.
What can Predator the Thief do?
- Send victim’s sensitive information to the attacker’s C&C server
- Detect debuggers every five seconds and use more anti-debug operations
- Store information in memory and act as a file-less malware
- Delete itself after running
- Download other malware
What starts as a malicious and fake invoice document ends up infecting the machine with a dangerous payload that can prove to be the end of the device.
Chronology of events:
Once the victim receives the manipulated Microsoft Word document and enables ‘editing’ and ‘content’, they set their device on the following doomed path:
- The VBA script in the document is run by AutoOpen
- Three files (in the red box above) are downloaded through PowerShell
- The encoded AutoIt script is decoded by certutil.exe, a legitimate utility that ships with Windows
- The decrypted AutoIt script is executed using AutoIt3.exe
- The apTz.dat is decrypted and Predator the Thief payload is loaded into dllhost.exe
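As an added, defender-side example that is not from Fortinet's analysis or this article: a small Python checker that looks for the process-creation chain listed above (Office document, PowerShell, certutil.exe decoding, AutoIt3.exe, dllhost.exe) in constructed Sysmon-style events. The sample events, the allowlist of normal dllhost.exe parents and the rule names are assumptions.

```python
import re
from typing import List, Sequence, Tuple

# Constructed Sysmon-style process-creation records, not real telemetry:
# (parent image, child image, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", "WINWORD.EXE", r"WINWORD.EXE /n C:\Users\u\Downloads\invoice.doc"),
    ("WINWORD.EXE", "powershell.exe", r"powershell.exe -w hidden -f C:\Users\u\AppData\Local\Temp\stage.ps1"),
    ("powershell.exe", "certutil.exe", r"certutil.exe -decode C:\Users\u\AppData\Local\Temp\enc.txt C:\Users\u\AppData\Local\Temp\run.au3"),
    ("powershell.exe", "AutoIt3.exe", r"AutoIt3.exe C:\Users\u\AppData\Local\Temp\run.au3"),
    ("AutoIt3.exe", "dllhost.exe", "dllhost.exe"),
    ("explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),  # benign noise
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Parents under which dllhost.exe is normally seen; assumed baseline, tune per environment.
DLLHOST_NORMAL_PARENTS = {"svchost.exe", "services.exe", "explorer.exe"}
# Stages in the order the article lists them; used by chain_complete().
CHAIN = ["office_spawns_script_host", "certutil_decode", "autoit_runs_script", "dllhost_unusual_parent"]

def image_name(path: str) -> str:
    """Normalise an image path to its lower-cased file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def match_rules(parent: str, child: str, cmdline: str) -> List[str]:
    """Return the names of every rule a single process-creation event triggers."""
    p, c, cl = image_name(parent), image_name(child), cmdline.lower()
    hits = []
    if p in OFFICE_APPS and c in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if c == "certutil.exe" and re.search(r"\s-(decode|decodehex)\b", cl):
        hits.append("certutil_decode")
    if c == "autoit3.exe" and re.search(r"\.au3\b", cl):
        hits.append("autoit_runs_script")
    if c == "dllhost.exe" and p not in DLLHOST_NORMAL_PARENTS:
        hits.append("dllhost_unusual_parent")
    return hits

def scan(events: Sequence[Tuple[str, str, str]]) -> List[Tuple[int, str]]:
    """Run every event through the rules; returns (event index, rule name) pairs."""
    return [(i, r) for i, (p, c, cl) in enumerate(events) for r in match_rules(p, c, cl)]

def chain_complete(findings: Sequence[Tuple[int, str]]) -> bool:
    """True only when all CHAIN stages were hit in order; a single hit alone may be admin work."""
    stage = 0
    for _, rule in sorted(findings):
        if stage < len(CHAIN) and rule == CHAIN[stage]:
            stage += 1
    return stage == len(CHAIN)
```

Single-rule hits (certutil decoding a file, an unusual dllhost.exe parent) are worth an alert on their own, but the ordered chain check is what separates this infection pattern from routine scripting.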
The malware steals the victim’s information (among other malicious operations) and sends it to the attacker by building the zip archive in allocated memory rather than writing it to disk.
Information shared with the attacker includes data related to the user’s passwords, cards, wallets, cookies, Telegram account and more.
It has been noticed that the hackers are using Telegram to promote their fishy activities. One of the attacker’s command and control servers is corp2[.]site.
Predator the Thief has, undoubtedly, made strides in its development since its early version 3.0.8. Fortinet researchers noticed that attackers had removed most of the junk code from the main routine and introduced more tactics to modernize their weapon.
What is new in the latest version of Predator the Thief
- Assembly code is made shorter and more complex
- More encryption is used
- File-less system is used to minimize footprint and evade detection
- The configuration from C&C server is more complicated and encrypted
- Legitimate system process is used to download the payload
- Second stage malware can be installed
If you are someone who deals with a lot of invoices at work, you better be careful about the files you open.
Only download files from trusted sources and plainly ignore links in mails that seem suspicious.
Also, make sure your anti-virus and other web protection systems are up to date and running.
Share this news with your friends at workplace and ask them to stay on top of cybersecurity.
Have you noticed anything suspicious on your device lately? You can always scan it on VirusTotal for malware detection. Share your opinions in the comments section below and don’t forget to subscribe to our news section.
Stay tuned, stay safe.