Heimdal

A new variant of the BlackGuard information stealer has been discovered in the wild. It adds USB propagation, a registry-based persistence mechanism, the ability to load additional payloads directly into memory, and coverage of more cryptocurrency wallets.

BlackGuard’s New Features

BlackGuard continues to harvest a wide range of data: cookies and credentials saved in web browsers, data from desktop cryptocurrency wallets and browser wallet extensions, data from chat and gaming applications and email clients, and credentials from FTP and VPN tools.

Compared with the prior iteration of the stealer, this version ships with new features that make it a considerably more potent threat.

One of them is a crypto wallet hijacker (clipper) module. It watches the Windows clipboard and, when the copied text is a cryptocurrency address, silently replaces it with an address controlled by the threat actor, so that a payment the victim pastes into a wallet goes to the attacker instead. The clipper contains hardcoded replacement addresses for Bitcoin, Ethereum, Monero, Stellar, Ripple, Litecoin, Nectar, Bitcoin Cash, and DASH.
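
To make the clipper's behaviour concrete, here is an added Python example written for this page (it is not BlackGuard's code and not Heimdal's). It classifies clipboard text by address format for a few of the coins listed above, simulates the swap the clipper performs, and shows two countermeasures: a copy-versus-paste comparison the user can apply before confirming a transaction, and a timing heuristic a host agent can run over clipboard observations. The attacker addresses and the clipboard timeline are constructed placeholders, and the regular expressions check address format only, not checksums.

```python
import re

# Format patterns for a few of the coins the article lists as having
# hardcoded replacement addresses.  Format checks only: no checksum
# validation, so a match means "looks like an address", not "is valid".
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
    "LTC": re.compile(r"^(ltc1[02-9ac-hj-np-z]{25,62}|[LM][1-9A-HJ-NP-Za-km-z]{26,33})$"),
    "XRP": re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
}

# Constructed placeholder addresses standing in for the operator's hardcoded
# wallets (the article does not publish the real ones).
ATTACKER_ADDRESSES = {
    "BTC": "1" + "A" * 33,
    "ETH": "0x" + "ab" * 20,
}


def classify_address(text):
    """Return the ticker whose address format `text` matches, or None."""
    s = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return coin
    return None


def clipper_rewrite(clipboard_text, attacker=ATTACKER_ADDRESSES):
    """What the clipper does on every clipboard update: if the content is an
    address of a coin the operator has a wallet for, swap it for the
    operator's address; anything else passes through untouched, which is
    why victims rarely notice."""
    coin = classify_address(clipboard_text)
    if coin is not None and coin in attacker:
        return attacker[coin]
    return clipboard_text


def paste_is_tampered(copied, pasted):
    """User-side check: the address that was copied must be the address that
    ends up in the wallet's destination field.  Any change between copy and
    paste of something that looks like an address is the clipper's signature."""
    return classify_address(copied) is not None and copied.strip() != pasted.strip()


def detect_clipper_events(events, max_gap=1.0):
    """Host-side heuristic over clipboard observations (timestamp, content):
    flag consecutive observations where one address was replaced by a
    different address of the same coin within `max_gap` seconds.  A person
    does not re-copy a second address of the same coin that fast; a clipper
    rewrites within milliseconds of the original copy."""
    alerts = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        coin_before, coin_after = classify_address(before), classify_address(after)
        if coin_before and coin_before == coin_after and before != after and t1 - t0 <= max_gap:
            alerts.append((coin_before, before, after))
    return alerts


if __name__ == "__main__":
    # Constructed clipboard timeline: the victim copies an ETH address and
    # the clipper overwrites it 200 ms later.
    victim_eth = "0x" + "12" * 20
    timeline = [
        (0.0, "meeting notes"),
        (5.0, victim_eth),
        (5.2, clipper_rewrite(victim_eth)),
        (30.0, "https://example.invalid/"),
    ]
    print(detect_clipper_events(timeline))
    print(paste_is_tampered(victim_eth, clipper_rewrite(victim_eth)))
```

The timing heuristic is deliberately narrow: it only fires when an address is replaced by another address of the same coin, which is exactly the transformation a clipper performs and one a user almost never produces by hand within a second. A real agent would read the clipboard via the Windows API on each WM_CLIPBOARDUPDATE notification; the list of events here stands in for that feed.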

BlackGuard can now also propagate via USB sticks and other removable drives, automatically infecting any new host those devices are plugged into.

The malware can now download additional payloads from its C2 server and execute them directly in memory on the compromised machine using process hollowing (starting a legitimate process in a suspended state and replacing its code with the payload before resuming it). The payload never has to be written to disk, which helps it evade file-based detection.

BlackGuard now also adds itself under the Run registry key, so it is launched again after every reboot and persists on the system.
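
As an added example of what Run-key persistence leaves behind and how to audit for it (illustration code written for this page, not BlackGuard's or Heimdal's), the Python below parses a constructed .reg export of the HKCU and HKLM Run keys and flags entries that launch from user-writable directories or reuse the name of a Windows system binary outside C:\Windows. The registry contents, user name and file names in REG_SAMPLE are made up for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed registry export in the format `reg export` or regedit produces,
# with two Run keys and one unrelated key.  The "Updater" entry is the pattern
# a stealer persisting via Run typically leaves; "OneDrive" is a genuine
# autorun that happens to live under AppData and shows why output needs triage.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Vendor Tool"="\"C:\\Program Files\\Vendor\\tool.exe\" --tray"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"Unrelated"="value"
"""

RUN_KEY_SUFFIXES = (
    "\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
)
# Directory markers an unprivileged user can write to; a stealer that drops
# itself and registers a Run value almost always launches from one of these.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")
# Names of Windows binaries that malware borrows to blend into process lists.
SYSTEM_LOOKALIKES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "winlogon.exe"}

# A .reg string value line: "name"="data", with backslash-escaped quotes/backslashes.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # Undo .reg escaping: a backslash followed by any character yields that character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text):
    """Return (key, value_name, command) for every string value under a
    Run or RunOnce key in a .reg export."""
    entries = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if m and key and key.endswith(RUN_KEY_SUFFIXES):
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def executable_path(command):
    """Extract the program path from a Run command line: the quoted token if
    the command is quoted, otherwise everything up to and including .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.split()[0] if command.split() else ""


def audit_run_keys(reg_text):
    """Flag Run entries that launch from user-writable locations or that
    masquerade as Windows system binaries outside C:\\Windows."""
    findings = []
    for key, name, command in parse_run_entries(reg_text):
        path = executable_path(command)
        low = path.lower()
        reasons = []
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("launches from a user-writable directory")
        if PureWindowsPath(path).name.lower() in SYSTEM_LOOKALIKES and not low.startswith("c:\\windows\\"):
            reasons.append("file name mimics a Windows system binary outside C:\\Windows")
        if reasons:
            findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(REG_SAMPLE):
        print(f["name"], "->", f["path"], ";", "; ".join(f["reasons"]))
```

To run this against a real host, export the keys with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM counterpart, including the Wow6432Node key, whose path ends with the same suffix and is matched too), read the file with UTF-16 decoding, and pass the text to audit_run_keys. Expect benign hits: OneDrive legitimately autostarts from AppData in the sample, so the output is a triage queue rather than a verdict, and entries should be compared against a known-good baseline for the machine.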

Finally, a new feature copies the malicious files, under unique file names, into every folder on the C:\ drive.

More Cryptocurrency Extensions and Wallets Targeted

According to BleepingComputer, the previous version of BlackGuard could steal data from 45 crypto-related browser extensions and wallets; the new version targets 57. Taken together with the added capabilities, this makes BlackGuard a far more dangerous tool.

Among the targeted browser extensions are Binance, Phantom, Metamask, BitApp, Guildwallet, Slope Wallet, Starcoin, and Ronin. Among the targeted desktop wallets are AtomicWallet, BitcoinCore, DashCore, Electrum, Ethereum, Exodus, and LiteCoinCore.

The latest version of BlackGuard illustrates how malware sold in the MaaS (malware-as-a-service) market keeps evolving: each release adds broadly useful capabilities that raise the risk to end users.

To reduce the risk of a BlackGuard infection, avoid downloading executables from untrusted sources, do not open email attachments from unknown senders, and keep your operating system and security tools up to date. Given the clipper module, also compare the destination address you paste into a wallet against the one you copied before confirming any transaction, and on a machine suspected of infection check the Run registry keys and any removable media that was connected to it for unexpected entries and files.

Author Profile

Cristian Neagu

CONTENT EDITOR

Cristian is a Content Editor & Creator at Heimdal®, where he has developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, as shown by his ability to communicate cybersecurity practices clearly and in an easy-to-understand manner.
