Zaraza Bot Credential Stealer Targets Browser Passwords – Uptycs

Uptycs researchers identified Zaraza bot, a credential-stealing malware that uses Telegram as its command-and-control channel to collect browser credentials and other sensitive data. It targets 38 web browsers and transmits the stolen information to a Telegram server where the attackers can retrieve it, enabling identity theft and financial fraud.

Key points

  • Zaraza bot is a credential-stealing malware that uses Telegram as its C2 channel to exfiltrate data.
  • It targets 38 web browsers, including Google Chrome, Microsoft Edge, Opera, Brave, and Yandex, to extract stored login data.
  • The malware exfiltrates credentials from online banking, cryptocurrency wallets, email, and other high-value sites.
  • The infection flow includes creating a Temp folder, writing output.txt, and capturing a screenshot (Screen.jpg) for exfiltration.
  • The binary is a 64-bit C# application with obfuscated code and a null entry point to hinder debugging.

MITRE Techniques

  • [T1555.003] Credentials in Web Browsers – The malware scans through a list of 38 different browsers and extracts any credential data present on the victim’s machine. “The malware steals credentials from web browsers by scanning through a list of 38 different browsers and extracting any credential data present on the victim’s machine.”
  • [T1113] Screen Capture – Infection flow includes taking a screenshot of the active window and saving it as a JPG. “capture a screenshot of the victim’s active window, which is then saved in a JPG file format.”
  • [T1071.001] Application Layer Protocol – Web Protocols – The malware uses Telegram as its command and control channel. “uses telegram as its command and control.”
  • [T1027] Obfuscated/Compressed Files and Information – The binary’s code is obfuscated; the report refers to “obfuscated and file creation code” and notes that the “entry point…null”, both of which hinder debugging and analysis.
  • [T1041] Exfiltration Over C2 Channel – Stolen data is transmitted to the bot server/Telegram channel for attacker access. “The stolen data is subsequently transmitted to the bot server where it can be accessed by the attacker.”
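The infection flow and techniques listed above (Temp folder, output.txt, Screen.jpg, then exfiltration over Telegram) can be turned into a simple correlation check over endpoint telemetry. The following is an added example written for this summary, not code from Uptycs or from the malware; the log format, process ids and timestamps are constructed, and only the C2 IP and file names come from the report.

```python
"""Correlate endpoint events for the Zaraza bot infection flow described above."""
from collections import defaultdict
from datetime import datetime, timedelta

TELEGRAM_C2_IP = "149.154.167.220"          # IoC from the report
FLOW_FILES = ("output.txt", "screen.jpg")    # artefacts named in the report
WINDOW = timedelta(minutes=5)                # assumed correlation window

# Constructed sample telemetry (not real logs):
# "<utc timestamp> pid=<n> <file_create|net_connect> <path or destination ip>"
SAMPLE_EVENTS = [
    "2023-04-14T10:00:01Z pid=4120 file_create C:\\Users\\u\\AppData\\Local\\Temp\\output.txt",
    "2023-04-14T10:00:02Z pid=4120 file_create C:\\Users\\u\\AppData\\Local\\Temp\\Screen.jpg",
    "2023-04-14T10:00:04Z pid=4120 net_connect 149.154.167.220",
    # benign-looking process: writes output.txt outside Temp, then talks to Telegram
    "2023-04-14T10:01:00Z pid=5300 file_create C:\\Users\\u\\Documents\\output.txt",
    "2023-04-14T10:01:03Z pid=5300 net_connect 149.154.167.220",
    # writes both artefacts in Temp but never exfiltrates: not flagged
    "2023-04-14T10:02:00Z pid=6001 file_create C:\\Users\\u\\AppData\\Local\\Temp\\output.txt",
    "2023-04-14T10:02:01Z pid=6001 file_create C:\\Users\\u\\AppData\\Local\\Temp\\Screen.jpg",
]


def parse_event(line):
    """Split one constructed log line into (timestamp, pid, kind, target)."""
    ts, pid, kind, target = line.split(" ", 3)
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            int(pid.split("=", 1)[1]), kind, target)


def find_zaraza_flows(lines):
    """Return pids that wrote both artefacts into a Temp folder and then, within
    WINDOW of the first write, connected to the Telegram C2 address."""
    by_pid = defaultdict(list)
    for line in lines:
        ts, pid, kind, target = parse_event(line)
        by_pid[pid].append((ts, kind, target))

    hits = []
    for pid, events in by_pid.items():
        events.sort()                       # chronological order per process
        first_seen = {}                     # artefact name -> first write time
        for ts, kind, target in events:
            if kind == "file_create" and "\\temp\\" in target.lower():
                name = target.rsplit("\\", 1)[-1].lower()
                if name in FLOW_FILES:
                    first_seen.setdefault(name, ts)
            elif kind == "net_connect" and target == TELEGRAM_C2_IP:
                if len(first_seen) == len(FLOW_FILES) and \
                        ts - min(first_seen.values()) <= WINDOW:
                    hits.append(pid)
                    break
    return hits
```

Running `find_zaraza_flows(SAMPLE_EVENTS)` flags only pid 4120; the other two processes lack either the Temp-folder artefacts or the outbound connection.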

Indicators of Compromise

  • [File hash] Zaraza bot binary – 41D5FDA21CF991734793DF190FF078BA
  • [Domain] Telegram bot channel – t.me/zarazaA_bot
  • [IP] 149.154.167.220
  • [File name] Zaraza bot binary, Screen.jpg

Read more: https://www.uptycs.com/blog/zaraza-bot-credential-password-stealer