Zaraza Bot: New Malware Uses Telegram for Command & Control

The Zaraza bot is a new type of malware that steals login information and uses Telegram as its command and control. This malware targets a wide range of web browsers explicitly and is being distributed on a popular Russian Telegram channel for hackers.

Researchers found that the Zaraza bot is a 64-bit binary file created using C#. It targets up to 38 web browsers, including Google Chrome, Microsoft Edge, Opera, AVG Browser, Brave, Vivaldi, and Yandex. Additionally, it can capture screenshots of the active window.

Cybercriminals offer the Zaraza bot as a subscription-based commercial tool. The attackers’ distribution method is unknown, but they typically employ various methods, including malvertising and social engineering.

After infiltrating the system, the malware collects login information from high-value targets such as online banking, cryptocurrency wallets, email accounts, and other important websites.

Attackers can use this stolen data to carry out malicious activities like financial fraud, identity theft, and gaining unauthorized access to personal and business accounts.

GuLoader Campaign and the Recent Increase in Malware Distribution Activities

Researchers revealed a GuLoader (CloudEyE) phishing email campaign targeting the financial sector around the same time the Zaraza bot was found. In this campaign, attackers used tax-themed lures to deliver information stealers and remote access trojans (RATs) to recipients.

The discovery of the Zaraza bot and GuLoader coincides with the increased use of techniques such as malvertising and search engine poisoning to spread malware. These techniques involve tricking users into downloading fake installers containing stealer payloads.

YARA Rule

rule Uptycs_Zarazabot_v1
{
    meta:
        malware_name = "Zarazabot"
        description = "Zarazabot is a credential stealer that is capable of stealing login credentials from web browsers."
        author = "Uptycs Inc"
        version = "1"
        

    strings:
        $string_1 = "Ya Passman Data" ascii wide
        $string_2 = "GoogleChromeUser Data" ascii wide
        $string_3 = "MicrosoftEdgeUser Data" ascii wide
        $string_4 = "BraveSoftwareBrave-BrowserUser Data" ascii wide
        $string_5 = "encrypted_key" ascii wide
        $string_6 = "FromBase64String" ascii wide
        $string_7 = "" ascii wide
        $string_8 = "DownloadString" ascii wide
        $string_9 = "CopyFromScreen" ascii wide
        $string_10 = "output.txt" ascii wide
        $string_11 = "Passwords.txt" ascii wide
        $string_12 = "Screen.jpg" ascii wide

    condition:
        all of them
}

Indicators of Compromise (IoC)

Bot Binary Hashes:

MD5: 41d5fda21cf991734793df190ff078ba
SHA-1: b50a8e2a7998e17286d2e18d1cf3f7e4e84482c6
SHA-256: 2cb42e07dbdfb0227213c50af87b2594ce96889fe623dbd73d228e46572f0125

URL:

https[:]//t[.]me/zarazaA_bot
149.154.167[.]220

Staying Up to Date on Emerging Trends with SOCRadar

SOCRadar is a monitoring service that keeps track of threat actors and malware. It provides essential information to help you protect your organization from potential threats. The Threat Actor/Malware tab is updated regularly with the latest information on threat activities and indicators of compromise.