Delaware, USA – January 8, 2020 – Predator the Thief, an increasingly popular infostealer, was updated to version 3.3.4 on the eve of the new year and gained additional anti-analysis and fileless capabilities. The malware has been in use by attackers since the summer of 2018 and was already capable of stealing credentials and browser data, taking screenshots and capturing webcam images. Its authors sell Predator the Thief on underground hacking forums and use Telegram to promote it, pushing updates several times per month; the infostealer is used not only by rookie hackers but also by notorious cybercriminal groups.

Fortinet researchers analyzed the latest update and found several unsettling improvements. The stolen information is now sent as a zip file that is never written to disk: "the malware allocates memory space to locate the entire zip file structure, and then adds the zip file directly from memory to the request data". Because no archive is left on the infected host, assessing what was exfiltrated is harder and depends on capturing the outbound request itself. The C&C configuration is now more complex, the authors added encryption to the C&C connection, and the infostealer gained new tricks to avoid detection and analysis.
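To make the in-memory zip exfiltration concrete, and to show the check an incident responder would run to recover impact from a captured request, the following is an added example; it is not code from the page, from Fortinet or from the malware. The multipart/form-data layout, field name and boundary are assumptions for illustration, since the page does not document Predator's actual request format. The sample stolen files are constructed. The example builds the archive entirely in memory the way the page describes, embeds it in a POST body, then carves the zip back out of that body by its local-file-header and end-of-central-directory signatures and inventories the entries.

```python
import io
import zipfile
from typing import Dict, List, Optional, Tuple

# ZIP signatures (PKWARE APPNOTE): local file header and end-of-central-directory record.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
EOCD_FIXED_LEN = 22  # fixed part of the EOCD record; a variable-length comment may follow


def build_in_memory_zip(files: Dict[str, bytes]) -> bytes:
    """Package stolen data as a zip archive held only in memory (nothing touches disk),
    mirroring the fileless packaging described on the page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_post_body(zip_bytes: bytes, boundary: str = "----exfilboundary") -> bytes:
    """Wrap the zip in a multipart/form-data request body.
    Field name, filename and boundary are assumptions, not Predator's real format."""
    head = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="file"; filename="data.zip"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + zip_bytes + tail


def carve_zip(body: bytes) -> Optional[bytes]:
    """Analyst side: carve a zip archive out of a captured request body.
    Finds the first local file header and the last EOCD record, includes the EOCD
    comment (length stored in bytes 20..21 of the record), and validates the result."""
    start = body.find(ZIP_LOCAL_HEADER)
    if start < 0:
        return None
    eocd = body.rfind(ZIP_EOCD)
    if eocd < start or eocd + EOCD_FIXED_LEN > len(body):
        return None
    comment_len = int.from_bytes(body[eocd + 20:eocd + 22], "little")
    end = eocd + EOCD_FIXED_LEN + comment_len
    candidate = body[start:end]
    if not zipfile.is_zipfile(io.BytesIO(candidate)):
        return None
    return candidate


def inventory(zip_bytes: bytes) -> List[Tuple[str, int]]:
    """List (entry name, uncompressed size) for each file in the carved archive:
    the minimum an incident responder needs to scope what was exfiltrated."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]


def demo() -> List[Tuple[str, int]]:
    """End-to-end run on constructed sample data (not real stolen data)."""
    stolen = {
        "passwords.txt": b"user:pass",
        "cookies/chrome.txt": b"session=abc",
    }
    body = build_post_body(build_in_memory_zip(stolen))
    carved = carve_zip(body)
    if carved is None:
        return []
    return inventory(carved)


if __name__ == "__main__":
    for name, size in demo():
        print(f"{name}\t{size} bytes")
```

The carving step only works on plaintext request bodies, so with the update's encrypted C&C connection it has to be applied to traffic captured at a TLS-inspecting proxy or to the request buffer dumped from process memory, not to a raw packet capture on the wire.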
The most worrying change is the new ability to download and run additional modules and tools, which turns a password stealer into a modular loader that can be used both to deliver ransomware and to support cyberespionage operations. You can leverage the APT Framework rule pack available on Threat Detection Marketplace to enable your existing security solution to uncover traces of sophisticated malware activity and signs of a cyberattack at any stage of the Cyber Kill Chain: https://my.socprime.com/en/integrations/apt-framework