New ‘Bandit Stealer’ malware siphons data from browsers, crypto wallets

Cybersecurity researchers identified a new information-stealing malware that targets browsers and cryptocurrency wallets.

Although the malware, called Bandit Stealer, has only targeted Windows systems so far, it has the potential to expand to other platforms such as Linux. What makes Bandit Stealer particularly dangerous is that it’s difficult for victims to detect, researchers at Trend Micro wrote in a report published Friday.

For example, Bandit Stealer can bypass Windows Defender, a security tool developed by Microsoft to protect users from various types of threats, including viruses, malware and spyware.

Bandit Stealer developers are continuously updating the malware's features, according to advertisements circulating in the malware community. “Get ready, because a major update is coming next week that will blow other stealers out of the water,” one of them said.

Trend Micro researchers have not identified any active hacking group associated with the malware, and have not determined how the group may use the stolen information.

However, the group and its customers can potentially use the malware for activities like identity theft, data breaches, credential stuffing attacks and account takeovers, according to Trend Micro.

Malware capabilities

Bandit Stealer was developed using the Go programming language, which was developed by Google and is widely used. Go allows the malware to run on multiple operating systems and better avoid detection, Trend Micro said.

Although Bandit Stealer advertises itself as “the most advanced info-stealer on the market,” it has many similarities with other stealers, including Creal Stealer, Luna Grabber, Kyoku Cookie token stealer and Pegasus Stealer, according to Trend Micro.

It targets a wide range of internet browsers and can steal various types of victims’ data, including usernames, current IPs, hard drive information, detailed information about the victim's computer and the country code associated with an IP address.

It can also compromise the security of a victim’s Telegram messaging app, which is popular among cryptocurrency enthusiasts. Once Bandit Stealer gains unauthorized access to Telegram, it can impersonate the compromised user and potentially deceive others; the attackers can also access private messages and data associated with the compromised Telegram account.

Bandit Stealer is persistent — it is executed every time the infected computer starts up or restarts, meaning that even after a system shutdown, the malware can still operate and steal data from the victim's system.

According to Trend Micro, victims can unwittingly download Bandit Stealer while visiting malicious websites or through phishing emails.

The malware opens a Word document on a victim’s computer and deceives the user into opening a seemingly harmless file. One of the documents obtained by Trend Micro was a memo expressing concerns about the victim’s job performance.

Bandit Stealer can also masquerade as an installer for a program called Heartsender, which is typically used for automated email sending in advertising and marketing.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.