BlackGuard is a .NET information stealer advertised as malware-as-a-service on underground forums. It steals credentials from crypto wallets, VPNs, messengers, FTP clients, saved browser data, and email clients, and is under ongoing development with added obfuscation to evade detection. The analysis highlights its anti-detection and anti-debugging measures, a geo-check that stops execution on devices in the CIS region, and C2-based exfiltration, underscoring its growing presence in the criminal ecosystem.
Key points
- BlackGuard is sold as malware-as-a-service at a lifetime price of $700 or a monthly price of $200.
- It can steal data from crypto wallets, VPNs, messengers, FTP credentials, saved browser credentials, and email clients.
- Anti-detection features include killing antivirus and sandbox processes to hinder analysis.
- Strings are obfuscated as a hardcoded byte array that is decoded at runtime to ASCII strings and then base64-decoded, to bypass static detection.
- An anti-CIS check looks up the device's location and exits if the device is in the CIS region.
- Exfiltration collects the stolen data, packs it into a .zip, and sends it to the C2 server in a POST request together with the hardware ID and country.
MITRE Techniques
- [T1562.001] Impair Defenses – ‘Once executed, it checks and kills the processes related to antivirus and sandbox as shown in the figure below.’
- [T1027] Obfuscated/Compressed Files and Information – ‘The stealer contains a hardcoded array of bytes which is decoded in runtime to ASCII strings followed by base64 decoding.’
- [T1497] Virtualization/Sandbox Evasion – ‘Anti-CIS: BlackGuard checks for the infected device country by sending a request to “http://ipwhois.app/xml/” and exits itself if the device is located in the Commonwealth of Independent States (CIS).’
- [T1082] System Information Discovery – ‘system information like Hardware ID and country’ (context: exfiltration includes system info)
- [T1555.003] Credentials in Web Browsers – ‘BlackGuard steals credentials from Chrome- and Gecko-based browsers using the static path. It has the capability to steal history, passwords, autofill information, and downloads.’
- [T1552.001] Credentials in Files – ‘The stealer checks for the default wallet file location in AppData and copies it to the working folder.’
- [T1041] Exfiltration Over C2 Channel – ‘creates a .zip of all the files and sends it to the C2 server through a POST request along with the system information like Hardware ID and country.’
Indicators of Compromise
- [Hashes] IOCs – 4d66b5a09f4e500e7df0794552829c925a5728ad0acd9e68ec020e138abe80ac, c98e24c174130bba4836e08d24170866aa7128d62d3e2b25f3bc8562fdc74a66, and 10 more hashes
- [Domains] IOCs – win.mirtonewbacker.com, umpулumpu.ru, greenblguard.shop, onetwostep.at
- [File Names] IOCs – wallet.dat
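As an added defender-side example (not from the report), the following Python correlates two behaviours described above over constructed proxy log lines: the geo-check request to ipwhois.app and a subsequent POST to one of the C2 domains listed in the IOCs. Hosts that only query ipwhois.app are not flagged, since that is a legitimate service; the URL paths and log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# C2 domains reported in the IOC list above.
C2_DOMAINS = {"win.mirtonewbacker.com", "greenblguard.shop", "onetwostep.at"}
# Host used for the anti-CIS geo-check.
GEO_CHECK_HOST = "ipwhois.app"

# Constructed proxy log sample: "<timestamp> <host> <method> <url> <bytes_out>".
# URL paths on the C2 domains are placeholders; the report does not give them.
SAMPLE_LOG = """\
2023-03-01T10:00:01 pc-01 GET http://ipwhois.app/xml/ 0
2023-03-01T10:00:09 pc-01 POST http://greenblguard.shop/upload 184320
2023-03-01T10:01:00 pc-02 GET http://ipwhois.app/xml/ 0
2023-03-01T10:05:00 pc-03 POST http://onetwostep.at/api 512
2023-03-01T10:06:00 pc-04 GET https://example.org/index.html 0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d+)$")


def parse_log(text):
    """Parse log lines into (timestamp, host, method, url_host, bytes_out)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing
        ts, host, method, url, size = m.groups()
        events.append((datetime.fromisoformat(ts), host, method,
                       urlparse(url).hostname, int(size)))
    return events


def find_blackguard_hosts(text, window_s=600):
    """Flag hosts that POST to a known C2 domain; record whether the
    ipwhois.app geo-check preceded the POST within window_s seconds."""
    by_host = defaultdict(list)
    for ev in parse_log(text):
        by_host[ev[1]].append(ev)
    hits = {}
    for host, evs in by_host.items():
        evs.sort()  # chronological order per host
        geo_times = [ts for ts, _, m, h, _ in evs
                     if m == "GET" and h == GEO_CHECK_HOST]
        for ts, _, method, h, size in evs:
            if method == "POST" and h in C2_DOMAINS:
                geo_seen = any(0 <= (ts - g).total_seconds() <= window_s
                               for g in geo_times)
                hits[host] = {"c2": h, "bytes": size, "geo_check_seen": geo_seen}
    return hits
```

A C2 POST alone is enough to raise an alert; `geo_check_seen` adds confidence that the sequence matches the stealer's observed order of operations.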