A new malware campaign has been observed making use of malicious OpenBullet configuration files to target inexperienced cyber criminals with the goal of delivering a remote access trojan (RAT) capable of stealing sensitive information.
Bot mitigation company Kasada said the activity is designed to “exploit trusted criminal networks,” describing it as an instance of advanced threat actors “preying on beginner hackers.”
OpenBullet is a legitimate open-source pen testing tool used for automating credential stuffing attacks. It takes in a configuration file that’s tailored to a specific website and can combine it with a password list procured through other means to log successful attempts.
“OpenBullet can be used with Puppeteer, which is a headless browser that can be used for automating web interactions,” the company said. “This makes it very easy to launch credential stuffing attacks without having to deal with browser windows popping up.”
The configurations, essentially a piece of executable code to generate HTTP requests against the target website or web application, are also traded, or sold within criminal communities, lowering the bar for criminal activity and enabling script kiddies to mount their own attacks.
“The interest in the purchase of configs, for example, could indicate that the users of OpenBullet are relatively unsophisticated,” Israeli cybersecurity company Cybersixgill noted back in September 2021.
“But it could also be yet another example of the dark web’s highly efficient division of labor. That is, threat actors advertise that they want to buy configs because they don’t know how to script them, but because it’s easier and faster.”
This flexibility can also be a double-edged sword, as it opens up a new vector, only it targets other criminal actors who are actively seeking such configuration files on hacking forums.
The campaign discovered by Kasada employs malicious configs shared on a Telegram channel to reach out to a GitHub repository to retrieve a Rust-based dropper called Ocean that’s designed to fetch the next-stage payload from the same repository.
The executable, a Python-based malware referred to as Patent, ultimately launches a remote access trojan that utilizes Telegram as a command-and-control (C2) mechanism and issues instructions to capture screenshots, list directory contents, terminate tasks, exfiltrate crypto wallet information, and steal passwords and cookies from Chromium-based web browsers.
Targeted browsers and crypto wallets include Brave, Google Chrome, Microsoft Edge, Opera, Opera GX, Opera Crypto, Yandex Browser, Atomic, Dash Core, Electron Cash, Electrum, Electrum-LTC, Ethereum Wallet, Exodus, Jaxx Liberty, Litecoin Wallet, and Mincoin.
The trojan also functions as a clipper to monitor the clipboard for cryptocurrency wallet addresses and substitute contents matching a predefined regular expression with an actor-controlled address, leading to unauthorized fund transfers.
Two of the Bitcoin wallet addresses operated by the adversary have received a total of $1,703.15 over the past two months, which were subsequently laundered using an anonymous crypto exchange known as Fixed Float.
“The distribution of the malicious OpenBullet configs within Telegram is a novel infection vector, likely targeting these criminal communities due to their frequent use of cryptocurrencies,” the researchers said.
“This presents an opportunity for attackers to shape their collection to a specific target group and obtain other members’ funds, accounts, or access. As the old saying goes, there is no honor amongst thieves.”