Keypoints
- Bandit is a Golang info stealer that collects saved browser credentials, cookies, history, credit card data, FTP and email client credentials, clipboard contents, keystrokes, and desktop cryptocurrency wallet files/extensions.
- The malware implements extensive anti-analysis checks to detect virtual machines, sandboxes, debuggers, blacklisted IPs, MACs, usernames, computer names, hardware IDs and process names, exiting if matches are found.
- Bandit uses WMIC, GetAdaptersAddresses, CreateToolhelp32Snapshot and Windows APIs (IsDebuggerPresent, CheckRemoteDebuggerPresent, CryptUnprotectData) for discovery, detection and data decryption.
- Dynamic blacklist/configuration is retrieved from pastebin.com; external IP is queried from api.ipify.org; cURL is used for transfers and data is exfiltrated to the attacker via Telegram with automated JSON responses.
- Collected data is staged under %appdata%\local\ in a subfolder named [country_code][ip_address], with a USERINFO.txt containing system metadata.
- Bandit has been marketed on underground forums and is updated to expand data collection and anti-analysis features, increasing its persistence as a threat.
MITRE Techniques
- [T1497] Virtualization/Sandbox Evasion – Bandit checks running processes and environment indicators to detect virtualized or sandboxed environments and exits if detected. (‘Bandit stealer employs a number of anti-analysis techniques… checks for the following process names shown below: Xen, Vmware, VirtualBox, KVM, Sandbox, QEMU, jail’)
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The malware executes Windows utilities and commands (runas, WMIC) via the command shell to elevate privileges and gather system info. (‘Bandit attempts to elevate permission using the runas command… C:\Windows\system32\runas.exe runas /user:Administrator C:\Users\saturn\Desktop\Bandit.exe’)
- [T1082] System Information Discovery – Bandit queries system identifiers and display properties (UUID, screen dimensions) to profile the host. (‘Bandit also executes the Windows Management Interface command-line (WMIC) utility to obtain the Universally Unique Identifier (UUID) of the victim machine and the screen dimensions… wmic csproduct get uuid; wmic desktopmonitor get screenheight, screenwidth’)
- [T1016] System Network Configuration Discovery – The stealer retrieves the machine’s external IP and MAC addresses to compare against blacklists. (‘Bandit obtains the system’s external IP address from api.ipify.org… Bandit stealer also retrieves the MAC address of the victim machine using the GetAdaptersAddresses Windows API’)
- [T1057] Process Discovery – Bandit enumerates running processes via CreateToolhelp32Snapshot and matches them against a blacklist to identify analysis tools or VMs. (‘The CreateToolhelp32Snapshot Windows API is used to capture the snapshot and traverse along the running process and matches with a list of blacklisted process names and terminates if any process is found executing’)
- [T1105] Ingress Tool Transfer – The malware downloads dynamic blacklist/configuration data from Pastebin. (‘Bandit stealer abuses pastebin.com for downloading the blacklist configuration information from a hardcoded URL’)
- [T1041] Exfiltration Over Command and Control Channel – Collected data is sent to the attacker via Telegram channels, with automated parsing and JSON responses. (‘After Bandit finishes data collection, this information is sent to the threat actor via Telegram… The Bandit threat actor has automated the parsing and extraction of the data and responds back with a JSON encoded structure’)
- [T1555.001] Credentials from Web Browsers – Bandit extracts saved logins, cookies, history and credit card data from multiple browsers using SQLite and decrypts them with CryptUnprotectData. (‘Bandit steals web browser data including saved login information, cookies, history, and credit card information… The SQLite3 library is used to fetch data and the CryptUnprotectData API is used to decrypt cookies and credentials.’)
- [T1056.001] Input Capture: Keylogging – Recent samples include keystroke capture functionality to collect typed credentials and other input. (‘Bandit also has the capability to harvest keystrokes and steal clipboard data.’)
- [T1115] Clipboard Data – The stealer exfiltrates clipboard contents as part of its credential/data theft capabilities. (‘Bandit also has the capability to harvest keystrokes and steal clipboard data.’)
Indicators of Compromise
- [MD5 Hash] Bandit Stealer samples – 17c697da407acacadcaa8fb5c4885179, fdb111c9e0c6b1a94e2bf22131e4266d, and 6 more hashes
- [IP addresses] Blacklist entries used by Bandit – 88.132.231.71, 34.105.72.241, and many more IPs listed in the Appendix
- [MAC addresses] Virtualization/host blacklists – 00:15:5d:00:07:34, 00:50:56:b3:14:59, and numerous others in the Appendix
- [Domains/APIs] Network endpoints and services used – api.ipify.org (external IP lookup), pastebin.com (dynamic config download), Telegram channels for exfiltration
- [File names/paths] Staging location and files – %appdata%\local\[country_code][ip_address] (subfolder), USERINFO.txt (system metadata)
- [Process names] Anti-analysis and blacklist checks – vmwareuser, wireshark, regedit, taskmgr, and many more process names blocked by Bandit
Bandit Stealer’s technical procedure centers on aggressive environment validation, targeted data collection, local staging, and covert exfiltration. On execution, the Go-based binary performs anti-analysis checks (process-name scanning via procfs, CreateToolhelp32Snapshot enumeration, MAC and hardware ID comparisons via GetAdaptersAddresses, WMIC queries for UUID and screen dimensions, and debugger checks using IsDebuggerPresent/CheckRemoteDebuggerPresent). If any checks match entries in locally embedded or remotely retrieved blacklists (downloaded from Pastebin), the binary exits to avoid analysis.
For data collection, Bandit enumerates browser profiles and reads SQLite databases to extract saved credentials, cookies, history and credit card records, decrypting protected data with CryptUnprotectData. It also targets a broad set of desktop cryptocurrency wallets, FTP clients and email clients, captures clipboard contents and optionally logs keystrokes. Stolen artifacts are written into a country/IP-named subfolder under %appdata%local, with USERINFO.txt containing system metadata.
Network behavior includes fetching the external IP from api.ipify.org and retrieving dynamic blacklist/configuration from pastebin.com, leveraging built-in cURL for transfers. After staging data locally, Bandit exfiltrates the collected information to the actor via Telegram channels; the operator-side processing is automated and replies with JSON-encoded responses to confirm receipt and parsing.
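As an added defender-side example (not code from the Zscaler analysis), the following Python correlates the host behaviors described above, the WMIC UUID and screen queries, the runas elevation attempt, the api.ipify.org and pastebin.com lookups, and the USERINFO.txt staging file, per host and flags hosts that exhibit several of them. The event records are constructed; the staging-path pattern assumes a two-letter country code immediately followed by the dotted IP, which is an assumption about the [country_code][ip_address] naming.

```python
"""Correlate Bandit stealer behaviors across process, network and file events.
Added example; the event records below are constructed, not captured telemetry."""
import re
from collections import defaultdict

# Each behavior comes from the analysis above; (event type, pattern) pairs.
BANDIT_BEHAVIORS = {
    "wmic_uuid":       ("process", re.compile(r"wmic(?:\.exe)?\s+csproduct\s+get\s+uuid", re.I)),
    "wmic_screen":     ("process", re.compile(r"wmic(?:\.exe)?\s+desktopmonitor\s+get\s+screenheight", re.I)),
    "runas_admin":     ("process", re.compile(r"runas(?:\.exe)?\s+.*?/user:administrator", re.I)),
    "ipify_lookup":    ("network", re.compile(r"^api\.ipify\.org$", re.I)),
    "pastebin_config": ("network", re.compile(r"(?:^|\.)pastebin\.com$", re.I)),
    # Assumption: folder is <2-letter country code><dotted IPv4> under ...\local\.
    "staging_file":    ("file", re.compile(r"\\local\\[a-z]{2}\d{1,3}(?:\.\d{1,3}){3}\\userinfo\.txt$", re.I)),
}


def correlate(events, threshold=3):
    """Group events by host; return hosts whose distinct matched behaviors
    reach `threshold`, mapped to the sorted list of behavior names."""
    seen = defaultdict(set)
    for ev in events:
        for name, (kind, pattern) in BANDIT_BEHAVIORS.items():
            if ev["type"] == kind and pattern.search(ev["value"]):
                seen[ev["host"]].add(name)
    return {host: sorted(names) for host, names in seen.items() if len(names) >= threshold}


# Constructed sample telemetry: ws01 shows the full Bandit chain, ws02 only
# an isolated external-IP lookup and an unrelated WMIC query.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "value": r"C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"},
    {"host": "ws01", "type": "process", "value": "wmic desktopmonitor get screenheight, screenwidth"},
    {"host": "ws01", "type": "process", "value": r"C:\Windows\system32\runas.exe runas /user:Administrator C:\Users\saturn\Desktop\Bandit.exe"},
    {"host": "ws01", "type": "network", "value": "api.ipify.org"},
    {"host": "ws01", "type": "network", "value": "pastebin.com"},
    {"host": "ws01", "type": "file",    "value": r"C:\Users\alice\AppData\Roaming\local\US203.0.113.7\USERINFO.txt"},
    {"host": "ws02", "type": "network", "value": "api.ipify.org"},
    {"host": "ws02", "type": "process", "value": "wmic os get caption"},
]

if __name__ == "__main__":
    for host, names in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

Raising or lowering `threshold` trades false positives (a lone api.ipify.org lookup is common in legitimate software) against missed early-stage activity.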
Read more: https://www.zscaler.com/blogs/security-research/technical-analysis-bandit-stealer