This new malware really goes the extra mile when it comes to infecting your devices


  • Cisco Talos finds a new malware framework called PS1Bot
  • The framework is distributed through malvertising and SEO poisoning
  • PS1Bot can serve as an infostealer, keylogger, screen grabber, and more

Security researchers at Cisco Talos have discovered a brand new malware framework which they say really goes the extra mile to infect a device.

PS1Bot can log keystrokes, grab cryptocurrency data, and persist on the compromised endpoint, among other things, the company's report says.

Complementing PS1Bot is a malvertising campaign, as well as SEO poisoning, which tricks unsuspecting victims into downloading the malware. Cisco Talos did not say what theme these malicious ads and pages use, who the usual victims are, or how successful the campaign is.

Flexible and dangerous

They did say that whoever downloads the ZIP file can expect a JavaScript payload that acts as a dropper and pulls a scriptlet from an external server.

That scriptlet writes a PowerShell script to a file on disk and runs it. In turn, the PowerShell script contacts the threat actor’s command-and-control (C2) server, grabbing additional commands that transform the malware into whatever is necessary at the moment.

There are many things the framework can be turned into. It can serve as a reconnaissance tool, sharing with the attackers details about antivirus programs running on the computer, as well as basic system information.

It can serve as a screen capture or keylogger tool, relaying screenshots and keystrokes to the C2. It can also work as a wallet grabber, stealing cryptocurrency wallet information. Finally, it can persist on the device via a PowerShell script that launches automatically upon restart.
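As an added example (not code from the article or from the Cisco Talos report), the following detection logic checks process-creation telemetry for two stages of the chain described above: a Windows script host launching PowerShell, and a PowerShell script referenced from the Startup folder. The record layout, the sample events and the assumption that the persistence script sits in the per-user Startup folder are all constructed here.

```python
# Added detection example; not code from the Cisco Talos report. The field layout
# ("parent_image|image|command_line"), the sample events and the assumption that the
# persistence script lives in the per-user Startup folder are all constructed here.
import re
from collections import Counter
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # hosts that would run a JScript dropper
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)


@dataclass
class Finding:
    rule: str
    event: str


def parse_event(line: str):
    """Split a constructed 'parent_image|image|command_line' record."""
    parent, image, cmdline = (f.strip() for f in line.split("|", 2))
    return parent.lower(), image.lower(), cmdline


def check_event(line: str) -> list:
    parent, image, cmdline = parse_event(line)
    parent_name = parent.rsplit("\\", 1)[-1]
    findings = []
    # Stage 1 of the chain: a script host (the JavaScript dropper) launches PowerShell.
    if parent_name in SCRIPT_HOSTS and image.endswith("powershell.exe"):
        findings.append(Finding("script_host_spawns_powershell", line))
    # Persistence: a .ps1 referenced from the Startup folder runs again after reboot.
    if ".ps1" in cmdline.lower() and STARTUP_DIR.search(cmdline):
        findings.append(Finding("ps1_in_startup_folder", line))
    return findings


def scan(events) -> Counter:
    """Count rule hits across a batch of events."""
    return Counter(f.rule for line in events for f in check_event(line))


# Constructed sample telemetry: one dropper-style launch, one persistence entry, one benign.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\wscript.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\stage.ps1",
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r'powershell.exe -File "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sync.ps1"',
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
]

if __name__ == "__main__":
    for rule, n in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {n}")
```

Real telemetry (e.g. Sysmon event ID 1 or an EDR process feed) would need its own field mapping in `parse_event`; the rules themselves are meant as a starting point for tuning, not as a complete signature.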


"The information stealer module implementation leverages wordlists embedded into the stealer to enumerate files containing passwords and seed phrases that can be used to access cryptocurrency wallets, which the stealer also attempts to exfiltrate from infected systems," Cisco Talos said.

"The modular nature of the implementation of this malware provides flexibility and enables the rapid deployment of updates or new functionality as needed."


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
