A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with capabilities to obtain sensitive data from infected hosts.
Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable disguised as a PDF file with the Russian name “CMK Правила оформления больничных листов.pdf.exe”, which translates to “CMK Rules for issuing sick leave.pdf.exe”.
The arrival vector for the malware is currently unknown, although the nature of the lure indicates that it is being used in a phishing campaign. The first ThirdEye sample was uploaded to VirusTotal on April 4, 2023, and had relatively few features.
The stealer, like other malware families of its kind, is equipped to collect system metadata, including BIOS release date and vendor, total/free disk space on the C drive, currently running processes, registered usernames and volume information. The collected details are then transmitted to the command-and-control (C2) server.
A notable feature of the malware is that it uses the string “3rd_eye” to indicate its presence on the C2 servers.
There is no indication to suggest that ThirdEye has been used in the wild. That said, given that most of the stealer artifacts were uploaded to VirusTotal from Russia, it is likely that the malicious activity is aimed at Russian-speaking organizations.
Fortinet researchers said, “Although this malware is not known to be sophisticated, it is designed to steal various information from compromised machines, which can be used as stepping-stones for future attacks.” The collected data is “valuable for understanding and narrowing down potential targets,” they added.
The development comes as trojanized installers for the popular Super Mario Bros. video game franchise, hosted on sketchy torrent sites, are being used to distribute cryptocurrency miners and an open-source stealer written in C# called Umbral, which exfiltrates the data of interest using Discord webhooks.
“The combination of mining and piracy activities results in financial losses, massive degradation of victim system performance, and valuable system resources,” Cyble said.
Video game users have also been targeted with Python-based ransomware and a remote access trojan called Seroxen, which was found to take advantage of a commercial batch file obfuscation engine called ScrubCrypt (aka BatCloak) to avoid detection. Evidence suggests that the actors involved in the development of Seroxen also contributed to the creation of ScrubCrypt.
The malware, which was advertised for sale on a clearnet website registered on March 27, 2023, was further promoted on Discord, TikTok, Twitter and YouTube before the site was shut down in late May. A cracked version of Seroxen has since surfaced on criminal forums.
“People are strongly advised to take a skeptical approach when encountering software packages and links associated with words such as ‘cheats’, ‘hacks’, ‘crack’ and other pieces of software related to gaining a competitive edge,” Trend Micro said in a new analysis of Seroxen.
“The inclusion of Seroxen and BatCloak in malicious actors’ malware arsenals highlights the evolution of FUD obfuscators with low barriers to entry. The almost-amateur approach to using social media for aggressive propaganda, considering how easily this can be detected, makes these developers seem novice by the standards of advanced threat actors.”