A new malware campaign has been spotted using malicious OpenBullet configuration files to target inexperienced cybercriminals with the goal of providing a Remote Access Trojan (RAT) capable of stealing sensitive information.
Bot mitigation company kasada said the activity is designed to “exploit trusted criminal networks”, describing it as an example of advanced threat actors “falling prey to beginner hackers”.
OpenBullet is a legitimate open-source pen testing tool used to automate credential stuffing attacks. It takes a configuration file that is tailored to a specific website and can combine it with a password list obtained through other means to log successful attempts.
“OpenBullet can be used with Puppeteer, a headless browser that can be used to automate web interactions,” the company said. “This makes it very easy to launch credential stuffing attacks without having to deal with pop-ups of the browser window.”
Configuration, essentially a piece of executable code to generate HTTP requests against a target website or web application, is also traded, or sold, within criminal communities, lowering the bar for criminal activity and The script enables the kiddies to mount their own attacks.
Israeli cyber security company CyberSixGill said in September 2021, “For example, the interest in purchasing the configuration may indicate that users of OpenBullet are relatively unsophisticated.”
“But it could also be another example of the dark web’s highly efficient division of labor. That is, threat actors advertise that they want to buy configurations, not because they don’t know how to script them, but because Because it’s easier and faster.”
This flexibility can also be a double-edged sword, as it opens up a new avenue of attack, only it targets other criminal actors who are actively looking for such configuration files on hacking forums.
The campaign discovered by Kasada employs malicious configs shared over a Telegram channel to reach out to a GitHub repository to retrieve a Rust-based dropper called Ocean that’s designed to fetch the next-stage payload from the same repository.
The executable, a Python-based malware referred to as Patent, ultimately launches a remote access trojan that utilizes Telegram as a command-and-control (C2) mechanism and executes instructions to capture screenshots, list directory contents, terminate tasks, exfiltrate crypto wallet information, and steal passwords and cookies from Chromium-based web browsers.
Targeted browsers and crypto wallets include Brave, Google Chrome, Microsoft Edge, Opera, Opera GX, Opera Crypto, Yandex Browser, Atomic, Dash Core, Electron Cash, Electrum, Electrum-LTC, Ethereum Wallet, Exodus, Jax Liberty, Litecoin Wallet, and minecoin.
The trojan also acts as a clipper to monitor the clipboard for cryptocurrency wallet addresses and replace content matching predefined regular expressions with actor-controlled addresses, leading to unauthorized fund transfers.
A total of $1,703.15 has been received over the past two months at two bitcoin wallet addresses operated by the rival, which were later laundered using an undisclosed crypto exchange called Fixed Float.
“The distribution of malicious OpenBullet configurations within Telegram is a new infection vector targeting these criminal communities due to their frequent use of cryptocurrencies,” the researchers said.
“This provides attackers with an opportunity to shape their collection around a specific target group and gain access to other members’ funds, accounts or access. As the old saying goes, there is no honor among thieves.”
