Showing results for tags 'credential stealer'.

Found 2 results

  1. AutoHotkey-Based Credential Stealer Targets US, Canadian Bank Customers

     The Trend Micro team has detected the command-and-control (C&C) servers of malware that has been targeting financial institutions in the US and Canada, and determined that these servers come from the US, the Netherlands, and Sweden. It is believed that the actors have been using the scripting language AutoHotkey (AHK).

     What is AutoHotkey (AHK)?

     AHK is an open-source scripting language for Windows that aims to provide easy keyboard shortcuts or hotkeys, fast macro-creation, and software automation. AHK also allows users to create a “compiled” .EXE with their code in it. Threat actors have used this scripting language, which has no built-in compiler within a victim’s operating system and which can’t be executed without its compiler or interpreter.

     How does the malware work?

     The two components that play critical roles in the infection are:

     • The dropped adb.exe: a legitimate portable AHK script compiler whose job is to compile and execute the AHK script at a given path.
     • adb.ahk: an AHK script that acts as a downloader client, responsible for achieving persistence, profiling victims, and downloading and executing the AHK script on a victim system.

     The downloader client also creates an autorun link for adb.exe in the startup folder. This portable executable executes an AHK script with the same name in the same directory, which is adb.ahk. The script then profiles each user by generating a unique ID for each victim based on the volume serial number of the C drive. The malware then enters an infinite loop and sends an HTTP GET request every five seconds with the generated ID. This ID serves as the request path to its command-and-control (C&C) server, from which it retrieves an AHK script to execute on the infected system. For command execution, the malware accepts various AHK scripts for different tasks per victim and executes these using the same C&C URL.

     Five C&C servers and two commands were discovered: deletecookies and passwords. Among the downloads is a stealer written in AHK, which is responsible for harvesting credentials from various browsers and exfiltrating them to the attacker, and which mainly targets bank website addresses.

     In more detail, the infection consists of multiple stages that start with a malicious Excel file. If the user enables macros to open the Excel file, the VBA AutoOpen macro drops and executes the downloader client script via a legitimate portable AHK script compiler. The downloader client is responsible for achieving persistence, profiling victims, and downloading and executing the AHK script on the victim system. Instead of receiving commands from the C&C server, the malware downloads and executes the AHK script for different tasks. The downloaded script is a stealer that targets various browsers such as Google Chrome, Opera, Edge, and more. The stealer collects and decrypts credentials from browsers and exfiltrates the information to the attacker’s server via an HTTP POST request.

     Effects of malware attack

     The main purpose of this malware is to steal credentials from various browsers such as Microsoft Edge, Google Chrome, Opera, Firefox, and Internet Explorer (IE).

     Source: AutoHotkey-Based Credential Stealer Targets US, Canadian Bank Customers
  2. ‘TeamTNT’ Has a New Credential Harvester Targeting Cloud Services on the Loose

     • ‘TeamTNT’ is using a new harvester that targets a wide spectrum of cloud services and software apps.
     • The actors are still targeting Monero wallets and configuration files and are still DDoSing some victims.
     • The hacking group that started as an opportunistic actor is now evolving into a serious threat.

     ‘TeamTNT,’ the hacking group that was mostly occupied with disseminating XMR cryptominers on exposed Docker instances last year, is now targeting cloud service credentials. This change in activity was first noticed and reported by researchers at TrendMicro at the beginning of March, and now the same team has sampled and analyzed a new credential harvester used by the threat actors.

     The intruders use a rich repertoire to access the network, including exploiting vulnerabilities, using stolen passwords, or taking advantage of misconfigurations. From there, they focus on a range of system types depending on what they can find, then perform network reconnaissance, and finally deploy their new credential harvester. This malware helps TeamTNT steal user IDs and passwords from the following software and services:

     • Google Cloud
     • Cloudflare
     • Amazon Web Services
     • Shodan
     • Docker
     • SSH
     • Git
     • FileZilla
     • Jupyter
     • Monero wallet
     • SMB clients
     • WebDAV
     • Ngrok2
     • HexChat
     • Pidgin
     • PostgreSQL

     Source: TrendMicro

     So, why is TeamTNT interested in stealing cloud service and software app credentials? One very probable reason would be to plant XMR cryptominers in places where they are unlikely to be found and uprooted before making significant amounts of money for the actors. Another would be to resell these credentials to ransomware groups on the dark web. And a third would be to exfiltrate data from cloud-hosted databases and then sell it to phishing actors and scammers.

     TrendMicro points out that the malware actively looks for Monero configuration files and any accessible wallets, so the anonymous cryptocurrency remains a key motivation for the actors, or at least that’s what it looks like.

     When the malware reaches the end of its routine, it attempts to delete itself from the infected system. Still, according to the analysts, this function isn’t implemented properly yet, so it fails.

     One more thing to note is that TeamTNT also engages in DDoS attacks once inside a network, as long as they have some form of RCE to execute them. This is happening through a special IRC bot called ‘TNTbotinger.’ DDoS attacks can help the actors draw the attention of response teams elsewhere, slow down malware detection and clean-up efforts, or even aid extortion efforts.

     In general, TeamTNT has evolved into a significant and wide-scope threat now. Their new harvester is an indication that the particular malware authors are serious about their operation and care to take things to the next level.

     Source: ‘TeamTNT’ Has a New Credential Harvester Targeting Cloud Services on the Loose
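
The AutoHotkey downloader in result 1 polls its C&C with an HTTP GET every five seconds, using the per-victim ID as a constant request path, which leaves a regular cadence in proxy logs. The Python sketch below is an added example, not code from Trend Micro or from the posts above; the log format, hosts, URLs, ID-like path and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2020, 12, 1, 10, 0, 0)  # arbitrary start time for the sample

def make_log(client, url, offsets):
    """Build constructed proxy-log lines: '<ISO time> <client> GET <url>'."""
    return [f"{(T0 + timedelta(seconds=s)).isoformat()} {client} GET {url}"
            for s in offsets]

# Constructed sample data; hosts, URLs and the ID-like path are made up.
SAMPLE_LOG = (
    make_log("10.0.0.5", "http://c2.example.invalid/1A2B3C4D", [0, 5, 10, 15, 21, 26])
    + make_log("10.0.0.9", "http://intranet.example.invalid/home", [0, 40, 47, 130])
    + make_log("10.0.0.7", "http://updates.example.invalid/check", [0, 60, 120, 180, 240])
    + ["malformed line"]
)

def find_beacons(lines, interval=5.0, tolerance=1.5, max_jitter=1.0, min_hits=5):
    """Return (client, url, mean_gap) for GETs repeating at ~interval seconds."""
    seen = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "GET":
            continue  # skip malformed lines and other methods
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        seen[(parts[1], parts[3])].append(ts)
    hits = []
    for (client, url), stamps in seen.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge a cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Steady cadence near the expected interval, with little jitter.
        if abs(mean(gaps) - interval) <= tolerance and pstdev(gaps) <= max_jitter:
            hits.append((client, url, round(mean(gaps), 2)))
    return sorted(hits)

if __name__ == "__main__":
    for client, url, gap in find_beacons(SAMPLE_LOG):
        print(f"{client} polls {url} every ~{gap}s")
```

The thresholds need tuning against real traffic, since legitimate software also polls on fixed timers; the 60-second poller in the sample is only excluded because of the interval filter.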