Fake Trading Website Installs Malware That Hijacks Browsers
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A fraudulent website advertising an AI-driven trading assistant is being used to spread the Needle Stealer infostealer. The infection chain relies on DLL hijacking and process hollowing to inject the malware into RegAsm.exe, helping it blend in with legitimate system activity. Once active, the stealer collects browser data, targets cryptocurrency wallet information, and can deploy malicious browser extensions to deepen compromise. Communication with attacker-controlled infrastructure is handled through multiple HTTP API endpoints.
Investigation
Researchers traced the infection flow back to a ZIP archive downloaded from tradingclaw.pro, which contained a DLL loader named iviewers.dll. That loader dropped a second-stage DLL that hollowed out RegAsm.exe and launched the Golang-based Needle Stealer. Further analysis showed that the stealer extracted concealed ZIP archives containing malicious browser extensions along with a configuration file that defined its command-and-control servers.
Mitigation
Users should avoid downloading software from untrusted websites and always verify publisher signatures before running any installer. Security teams should routinely audit installed browser extensions and remove any that appear unauthorized or suspicious. Network monitoring should be configured to detect traffic to the known malicious domains and IP addresses tied to the campaign. Endpoint protection tools should also be tuned to identify DLL hijacking behavior and process hollowing techniques.
Response
Defenders should review endpoint telemetry for execution of iviewers.dll and signs of injection into RegAsm.exe. The identified command-and-control domains and IP addresses should be blocked at the firewall or proxy level. Security teams should quarantine files that match the reported hashes or filenames, remove suspicious extensions from %LOCALAPPDATA%\Packages\Extensions, and reset credentials tied to affected accounts. Any potentially impacted cryptocurrency wallets should also be reviewed for unauthorized activity.
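The endpoint review described above can be turned into two concrete checks. The following is an added example written for this page, not code from the report or from the detection stack it lists: it runs over constructed Sysmon-style image_load (Event ID 7) and process_creation (Event ID 1) records and flags (1) iviewers.dll loaded from anywhere other than the Windows Kits directory where OleView ships it, the side-loading pattern behind the "Possible DLL Side Loading Attempt Using Oleview" detection, and (2) RegAsm.exe started by a parent that lives in a user-writable directory, the usual shape of a dropped loader hollowing a system binary. The expected directories, the user-writable markers and every sample event are assumptions constructed for the example.

```python
"""Added example (not from the original report): flag telemetry that matches the
Needle Stealer infection chain.  Field names follow Sysmon's schema; the
directory baselines and every sample record below are constructed assumptions."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Iterable

# Where a legitimate iviewers.dll normally lives (assumption: Windows SDK roots;
# adjust to the estate's own baseline).
EXPECTED_IVIEWERS_DIRS = (
    "c:\\program files (x86)\\windows kits\\",
    "c:\\program files\\windows kits\\",
)

# Path fragments that mark a user-writable location (assumption).
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\appdata\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case/slash insensitive."""
    return path.replace("/", "\\").lower()


def check_image_load(ev: dict) -> Finding | None:
    """Event ID 7: iviewers.dll loaded from outside its expected directory."""
    loaded = _norm(ev.get("ImageLoaded", ""))
    if ntpath.basename(loaded) != "iviewers.dll":
        return None
    if loaded.startswith(EXPECTED_IVIEWERS_DIRS):
        return None
    return Finding("iviewers_sideload", ev["Computer"],
                   f"{ev['Image']} loaded {ev['ImageLoaded']}")


def check_process_create(ev: dict) -> Finding | None:
    """Event ID 1: RegAsm.exe spawned by a parent in a user-writable directory."""
    image = _norm(ev.get("Image", ""))
    if ntpath.basename(image) != "regasm.exe":
        return None
    parent = _norm(ev.get("ParentImage", ""))
    if any(marker in parent for marker in USER_WRITABLE_MARKERS):
        return Finding("regasm_suspicious_parent", ev["Computer"],
                       f"{ev['ParentImage']} -> {ev['Image']}")
    return None


def scan(events: Iterable[dict]) -> list[Finding]:
    """Dispatch each record to the check for its event type; collect findings."""
    checks = {7: check_image_load, 1: check_process_create}
    findings: list[Finding] = []
    for ev in events:
        check = checks.get(ev.get("EventID"))
        if check is None:
            continue
        finding = check(ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real IoCs): two malicious, three benign.
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "ws01",
     "Image": r"C:\Users\victim\Downloads\TradingClaw\oleview.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\TradingClaw\iviewers.dll"},
    {"EventID": 7, "Computer": "ws02",
     "Image": r"C:\Program Files (x86)\Windows Kits\10\bin\x64\oleview.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Windows Kits\10\bin\x64\iviewers.dll"},
    {"EventID": 1, "Computer": "ws01",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\victim\Downloads\TradingClaw\oleview.exe"},
    {"EventID": 1, "Computer": "ws03",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\MSBuild\MSBuild.exe"},
    {"EventID": 7, "Computer": "ws03",
     "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Both checks are deliberately narrow: the image_load rule keys on the one DLL name the report gives, and the process rule only fires when RegAsm.exe has a parent outside program directories, so build tooling that legitimately runs RegAsm.exe is not flagged.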
Attack Flow

```mermaid
graph TB
  %% Class definitions
  classDef action fill:#99ccff
  classDef malware fill:#ff9999
  classDef process fill:#ccccff

  %% Nodes
  step_a["<b>Action</b> – <b>T1659 Content Injection</b><br/>User visits malicious TradingClaw site to obtain malicious content.<br/><b>Description</b>: Adversaries inject malicious content into a legitimate website to deliver payloads."]
  class step_a action
  step_b["<b>Action</b> – <b>T1204.001 Malicious Link</b><br/>User clicks and downloads malicious ZIP archive.<br/><b>Description</b>: User is tricked into clicking a malicious link that leads to credential-stealing or other payload download."]
  class step_b action
  step_c["<b>Action</b> – Multiple techniques<br/><b>Masquerading T1036.001</b>: iviewers.dll mimics legitimate file.<br/><b>Subvert Trust Controls T1553.002</b>: Bypass trust by hijacking DLL.<br/><b>System Binary Proxy Execution T1218</b>: Use of system binary for execution.<br/><b>Trusted Developer Utilities Proxy Execution T1127</b>: Abuse trusted utilities.<br/><b>Reflective Code Loading T1620</b>: Load code without touching disk.<br/><b>Description</b>: DLL hijacking via iviewers.dll to execute malicious code."]
  class step_c action
  step_d["<b>Process Injection</b> – <b>T1055.012 Process Hollowing</b><br/>Malicious code injected into RegAsm.exe process.<br/><b>Description</b>: Adversary creates a hollow process and inserts malicious payload."]
  class step_d process
  step_e["<b>Malware</b> – Needle Stealer core<br/>Collects victim data after execution."]
  class step_e malware
  step_f["<b>Credential Access</b> – <b>T1115 Clipboard Data</b><br/>Collects clipboard contents.<br/><b>Description</b>: Capture data copied to clipboard such as passwords."]
  class step_f action
  step_g["<b>Input Capture</b> – <b>T1056 Input Capture</b><br/>Captures typed form inputs.<br/><b>Description</b>: Records keystrokes or form fields to steal credentials."]
  class step_g action
  step_h["<b>Credential Access</b> – Multiple techniques<br/><b>Browser Information Discovery T1217</b>: Enumerates installed browsers.<br/><b>Credentials from Web Browsers T1555.003</b>: Extracts saved passwords.<br/><b>Web Session Cookie T1550.004</b>: Reads session cookies.<br/><b>Steal Web Session Cookie T1539</b>: Exfiltrates cookies.<br/><b>Forge Web Credentials T1606</b>: Creates forged credentials.<br/><b>Description</b>: Steals browser data, credentials and cookies."]
  class step_h action
  step_i["<b>Persistence</b> – <b>T1176 Software Extensions</b><br/>Installs malicious browser extension.<br/><b>Description</b>: Extension persists in browser and can modify traffic."]
  class step_i action
  step_j["<b>Action</b> – Extension manipulates traffic<br/>Redirects requests, replaces downloads, injects scripts."]
  class step_j action
  step_k["<b>Command and Control</b> – Multiple techniques<br/><b>Data Encoding T1132.001</b>: Encode data before exfiltration.<br/><b>Exfiltration Over C2 Channel T1041</b>: Send data through C2.<br/><b>Description</b>: Communicates stolen data to remote server."]
  class step_k action

  %% Connections
  step_a -->|leads_to| step_b
  step_b -->|leads_to| step_c
  step_c -->|leads_to| step_d
  step_d -->|leads_to| step_e
  step_e -->|collects| step_f
  step_e -->|collects| step_g
  step_e -->|collects| step_h
  step_e -->|installs| step_i
  step_i -->|enables| step_j
  step_j -->|communicates| step_k
```
Detections
- Possible DLL Side Loading Attempt Using Oleview (via image_load)
- Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
- IOCs (HashSha256) to detect: Malicious trading website drops malware that hands your browser to attackers
- IOCs (SourceIP) to detect: Malicious trading website drops malware that hands your browser to attackers
- IOCs (DestinationIP) to detect: Malicious trading website drops malware that hands your browser to attackers
- Detection of Malicious TradingClaw and Redirect Sites [Webserver]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
An adversary who has obtained the Needle Stealer malware hosts it on the malicious domain tradingclaw.pro. The attacker persuades a victim to open a malicious link (e.g., via a phishing email). The victim's browser makes an HTTP GET request to http://tradingclaw.pro/stealer.exe, which the proxy logs. Because the URL contains the exact string tradingclaw.pro, the Sigma rule's condition (url|contains) evaluates to true, generating an alert. To replicate this in a test environment, we issue a direct curl request to the malicious domain. The request is crafted to look like typical user traffic (standard User-Agent, no special headers) so that only the domain match drives the alert.
Regression Test Script:
```bash
#!/usr/bin/env bash
# ------------------------------------------------------------
# Simulate malicious access to trigger the "Malicious TradingClaw"
# detection rule.
# ------------------------------------------------------------
set -euo pipefail

# Define the malicious URLs (exact strings used by the rule)
MALICIOUS_URLS=(
  "http://tradingclaw.pro/stealer.exe"
  "https://studypages.com/download/needle.exe"
)

for url in "${MALICIOUS_URLS[@]}"; do
  echo "[*] Requesting ${url}"
  # Use a realistic user-agent to mimic a browser.
  # A non-zero curl exit (sinkholed/unreachable domain) must not abort the
  # loop under `set -e`: the proxy has already logged the request, which is
  # all the detection needs.
  curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36" \
       -s -o /dev/null "${url}" \
    || echo "[!] curl exited non-zero for ${url}; check the proxy log for the entry"
done

echo "[+] Simulation completed."
```
Cleanup Commands:
```bash
# No persistent artifacts are created by the curl requests.
# Flush DNS cache to avoid accidental reuse of the domain in later tests.
if command -v ipconfig >/dev/null 2>&1; then
  ipconfig /flushdns
elif command -v resolvectl >/dev/null 2>&1; then
  # Current systemd name of the resolver CLI
  resolvectl flush-caches
elif command -v systemd-resolve >/dev/null 2>&1; then
  # Older systemd releases
  systemd-resolve --flush-caches
fi
echo "[+] Cleanup completed."
```
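The narrative above explains why the web-server rule fires: `url|contains` is a plain substring test on the logged URL. The following added example, written for this page and not part of the report or its detection stack, reproduces that check over constructed proxy log lines and sets two related checks beside it: a stricter host-based match that parses the URL and compares the hostname (or a parent domain) against the campaign domain, which does not fire on look-alike strings elsewhere in the URL, and the idea behind the "Unusual Top Level Domain" DNS detection using an assumed allowlist of everyday TLDs. The log format, the TLD allowlist and every line in the sample are constructed assumptions; the only value taken from the report is the domain tradingclaw.pro.

```python
"""Added example (not from the original report): network-side checks for the
TradingClaw campaign over constructed proxy log lines."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

CAMPAIGN_DOMAINS = {"tradingclaw.pro"}  # the one domain named in the report

# Assumption: TLDs considered ordinary for this environment; anything else is
# reported as unusual in the spirit of the TLD-based DNS detection.
COMMON_TLDS = {"com", "net", "org", "edu", "gov", "io", "co", "uk", "de"}

# Constructed proxy lines: <epoch> <client_ip> <method> <url> <status>
PROXY_LOG = """\
1715000001.101 10.0.0.5 GET http://tradingclaw.pro/stealer.exe 200
1715000002.202 10.0.0.5 GET https://www.example.com/news 200
1715000003.303 10.0.0.7 GET https://cdn.example.net/img/tradingclaw.pro.png 200
1715000004.404 10.0.0.9 GET http://api.tradingclaw.pro/v1/config 200
1715000005.505 10.0.0.9 GET https://updates.example.org/x 304
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def parse(log: str) -> list[dict]:
    """Parse the constructed log format into records; skip malformed lines."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def url_contains(url: str, needle: str) -> bool:
    """Sigma `url|contains`: case-insensitive substring test on the whole URL."""
    return needle.lower() in url.lower()


def host_matches(url: str, domains: set[str]) -> bool:
    """Stricter check: the parsed hostname equals or is a subdomain of a domain."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def unusual_tld(url: str) -> bool:
    """Hostname's last label is outside the assumed allowlist of common TLDs."""
    host = (urlsplit(url).hostname or "").lower()
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    return bool(tld) and tld not in COMMON_TLDS


def triage(log: str) -> dict[str, list[str]]:
    """Run all three checks over the log and group matching URLs by check."""
    hits: dict[str, list[str]] = {"rule_contains": [], "host_match": [], "unusual_tld": []}
    for rec in parse(log):
        url = rec["url"]
        if any(url_contains(url, d) for d in CAMPAIGN_DOMAINS):
            hits["rule_contains"].append(url)
        if host_matches(url, CAMPAIGN_DOMAINS):
            hits["host_match"].append(url)
        if unusual_tld(url):
            hits["unusual_tld"].append(url)
    return hits


if __name__ == "__main__":
    for name, urls in triage(PROXY_LOG).items():
        print(f"{name}:")
        for u in urls:
            print(f"  {u}")
```

In the sample, the substring rule fires three times, including on the benign image URL whose path merely contains the string, while the host-based match fires only on the two requests actually sent to the campaign domain. That difference is the trade-off when tuning the rule: `url|contains` catches the domain wherever it appears (redirect parameters, embedded links) at the cost of such false positives.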
End of Report