Predator The Thief is just another data-stealing malware, written entirely in C/C++ and sold on darknet forums for as little as $50, or even less. Its creators stay in contact with their customers and push regular updates to make it stealthier.
Infecting Via Word Document
The cyber-security company Fortinet has been tracking this malware over time and studying its update trends, and the result is that the new version now infects systems via Word documents!
As explained by Fortinet, the malware is embedded in a Word document crafted to look like a clickable invoice. When it is opened, the AutoOpen macro runs VBA code that in turn downloads three new files using PowerShell.
The three files are:
- VjUea.dat, which is a legitimate AutoIt3.exe, used to run the decoded AutoIt script.
- SevSS.data, which is decoded by certutil.exe, a genuine command-line tool that is part of Windows.
- apTz.dat, which the decoded script then decrypts and runs; it delivers the final payload, Predator The Thief.
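The chain above (Word spawning PowerShell, certutil decoding a file, a renamed AutoIt3 interpreter running a script) is what a defender can look for in process-creation telemetry. The following is an added example, not code from the article or from Fortinet: it runs simple detection rules over constructed Sysmon-style events; the file paths and command lines are made up for illustration, and the `OriginalFileName` field is assumed to be available as Sysmon records it.

```python
import re

# Constructed process-creation events in Sysmon-style fields:
# (ParentImage, Image, OriginalFileName, CommandLine). Paths are made up.
SAMPLE_EVENTS = [
    ("WINWORD.EXE", "powershell.exe", "PowerShell.EXE",
     'powershell -w hidden -c "(New-Object Net.WebClient).DownloadFile($u,$p)"'),
    ("powershell.exe", "certutil.exe", "CertUtil.exe",
     r"certutil -decode C:\Users\bob\AppData\Local\Temp\SevSS.data "
     r"C:\Users\bob\AppData\Local\Temp\s.au3"),
    ("powershell.exe", "VjUea.dat", "AutoIt3.exe",
     r"C:\Users\bob\AppData\Local\Temp\VjUea.dat C:\Users\bob\AppData\Local\Temp\s.au3"),
    ("services.exe", "svchost.exe", "svchost.exe", "svchost.exe -k netsvcs -p"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def classify(event):
    """Return the names of every rule the event trips (empty list if none)."""
    parent, image, orig, cmd = (s.lower() for s in event)
    hits = []
    # Rule 1: an Office application launching a script host (macro activity).
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Rule 2: certutil used as a decoder rather than for certificate work.
    if orig == "certutil.exe" and re.search(r"\s-decode\b", cmd):
        hits.append("certutil_decode")
    # Rule 3: the AutoIt interpreter running at all, and especially when the
    # on-disk name differs from the PE's original file name (renamed binary).
    if orig == "autoit3.exe":
        hits.append("autoit_interpreter")
        if image != orig:
            hits.append("renamed_autoit")
    return hits


def scan(events):
    """Return (event index, rule name) pairs for every rule hit."""
    return [(i, h) for i, e in enumerate(events) for h in classify(e)]


if __name__ == "__main__":
    for i, rule in scan(SAMPLE_EVENTS):
        print(f"event {i}: {rule} ({SAMPLE_EVENTS[i][1]})")
```

Any one rule alone will produce some noise in a large environment; the chain of all three within one process tree in a short window is what makes this pattern worth an alert.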
Clever, Untraceable, Quick
The data this malware steals from victims includes:
- City, Country, Longitude, Latitude, IP, Time zone and Postal code.
- Passwords, browser cookies
- Payment card and wallet information
- Telegram, Steam and Skype account information
- Crc32 checksum anti-debug result
- Module execution method configuration
On top of that, the malware is clever enough to go undetected: it wipes itself after completing its mission and even transfers the stolen information in a zip file built directly in memory, leaving no footprints. Moreover, communication with the attacker's server (to receive commands and to transfer data) is encoded with base64 and encrypted with RC4.
Fortinet reports that the malware is at version 3.3.4 and is continuously being upgraded to newer versions that bring new hiding techniques.