- BlackGuard is an information stealer with a direct impact on cryptocurrency users: it steals wallet files and the data held by crypto browser extensions. At the time of the Zscaler report it was being sold on a Russian-language hacking forum.
BlackGuard steals wallet files and other sensitive files belonging to crypto wallet applications, including files such as wallet.dat, which holds the wallet's addresses and the private keys needed to spend from them. It also targets crypto wallet extensions installed in Chrome and Edge, locating them by a hardcoded list of extension IDs. Because the keys themselves are taken rather than a session token, a stolen wallet file stays usable by the attacker until the funds are moved; if the file is passphrase-encrypted the attacker can still attack the passphrase offline, and changing website passwords afterwards does nothing for the wallet.
BlackGuard targets a long list of popular desktop crypto wallets, including AtomicWallet, BitcoinCore, DashCore, Electrum, Ethereum, Exodus, LitecoinCore, Monero, Jaxx, Zcash, Solar, Zap, AtomicDEX, Binance, Frame, TokenPocket, and Wassabi.
It also targets a long list of popular crypto wallet browser extensions, including Binance, coin98, Phantom, Mobox, XinPay, Math10, Metamask, BitApp, Guildwallet, iconx, Sollet, Slope Wallet, Starcoin, Swash, Finnie, KEPLR, Crocobit, OXYGEN, Nifty, Liquality, Auvitas wallet, Math wallet, MTV wallet, Rabet wallet, Ronin wallet, Yoroi wallet, ZilPay wallet, Exodus, Terra Station, and Jaxx.
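Because the stealer finds wallet extensions by hardcoded extension ID, a defender can use the same mechanism in reverse to learn which machines are exposed. The script below is an added example written for this page, not code from the Zscaler report or from the malware: it walks the Chrome and Edge profile directories (the standard Windows layout `<User Data>\<profile>\Extensions\<id>\<version>\manifest.json`) and reports installed extensions whose ID is on a watchlist. MetaMask's ID is its public Chrome Web Store ID; the other two watchlist entries and the sample profile tree are constructed placeholders for offline testing, and you should replace them with IDs from your own inventory.

```python
import json
import os
import tempfile
from pathlib import Path

# Watchlist keyed by extension ID, the same kind of list a stealer hardcodes.
# MetaMask's ID is real; the two "Example wallet" IDs are CONSTRUCTED placeholders.
WALLET_EXTENSION_IDS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "Example wallet A (constructed ID)",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "Example wallet B (constructed ID)",
}


def default_user_data_dirs():
    """Chromium profile roots on Windows; computed lazily so the module imports
    cleanly on non-Windows hosts where LOCALAPPDATA is unset."""
    local = os.environ.get("LOCALAPPDATA", "")
    return {
        "Chrome": Path(local) / "Google" / "Chrome" / "User Data",
        "Edge": Path(local) / "Microsoft" / "Edge" / "User Data",
    }


def installed_extensions(user_data_dir):
    """Yield (profile, extension_id, version, manifest_name) for every
    <User Data>/<profile>/Extensions/<id>/<version>/manifest.json found."""
    user_data_dir = Path(user_data_dir)
    if not user_data_dir.is_dir():
        return
    for profile in sorted(user_data_dir.iterdir()):
        ext_root = profile / "Extensions"
        if not ext_root.is_dir():
            continue
        for ext_dir in sorted(ext_root.iterdir()):
            if not ext_dir.is_dir():
                continue
            for ver_dir in sorted(ext_dir.iterdir()):
                manifest = ver_dir / "manifest.json"
                if not manifest.is_file():
                    continue
                try:
                    # Localized extensions show "__MSG_appName__" here; the ID is
                    # the reliable key, the name is only for the report.
                    name = json.loads(manifest.read_text(encoding="utf-8")).get("name", "?")
                except (ValueError, OSError):
                    name = "?"
                yield profile.name, ext_dir.name, ver_dir.name, name


def find_wallet_extensions(user_data_dir, watchlist=WALLET_EXTENSION_IDS):
    """Return the installed extensions whose ID is on the watchlist."""
    return [
        {"profile": p, "id": i, "version": v, "manifest_name": n, "wallet": watchlist[i]}
        for p, i, v, n in installed_extensions(user_data_dir)
        if i in watchlist
    ]


def build_sample_profile(root=None):
    """Create a CONSTRUCTED fake 'User Data' tree so the scanner can be run offline."""
    root = Path(root or tempfile.mkdtemp())
    layout = {
        ("Default", "nkbihfbeogaeaoehlefnkodbefgpgknn", "10.0.0_0"): "MetaMask",
        ("Default", "cccccccccccccccccccccccccccccccc", "1.2.3_0"): "Some ad blocker",
        ("Profile 1", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "0.9.1_0"): "Example wallet A",
    }
    for (profile, ext_id, version), name in layout.items():
        d = root / profile / "Extensions" / ext_id / version
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(
            json.dumps({"name": name, "version": version.split("_")[0]}), encoding="utf-8"
        )
    return root


if __name__ == "__main__":
    for hit in find_wallet_extensions(build_sample_profile()):
        print("sample:", hit)
    for browser, path in default_user_data_dirs().items():
        for hit in find_wallet_extensions(path):
            print(browser, hit)
```

Run on a fleet, the output tells you which hosts hold a wallet that the stealer's hardcoded list would find, which is where to prioritise EDR coverage and user briefings; the watchlist IDs come from the extension's Web Store URL, not from its display name.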
During routine monitoring, the Zscaler team found BlackGuard listed for sale. At the time of their report it was offered as malware-as-a-service, priced at $700 for a one-time purchase or $200 per month. It steals information from crypto wallets, VPN clients, messengers, FTP clients, stored browser credentials, and email clients.
BlackGuard is a .NET stealer protected by a crypto packer. When executed, it scans the running processes for antivirus and sandbox tools and terminates them. Its strings are stored as hardcoded byte arrays that are converted to ASCII characters at runtime and then base64-decoded, so the plaintext never appears in the binary on disk. This defeats string-based detection and many antivirus signatures, but the encoding is trivial to reverse once the arrays are located in the decompiled code; it targets static scanners, not analysts.
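The two-layer string encoding described above (byte array of the ASCII text of a base64 string) is easy to undo once you have the decompiled .NET source in front of you. The code below is an added example for this page, not code from the sample or from Zscaler: `obfuscate` reproduces the scheme so you can see what the bytes look like, `deobfuscate` reverses it, and `decode_csharp_arrays` pulls every `new byte[] { ... }` literal out of decompiler output and returns the strings that decode cleanly. The decompiled snippet is constructed to show the shape; it is not taken from the real binary.

```python
import base64
import re


def obfuscate(plaintext):
    """Reproduce the layering the text describes: base64-encode the string, then
    store the ASCII codes of that base64 text as an integer array. 'wallet.dat'
    becomes 'd2FsbGV0LmRhdA==', which is stored as 0x64, 0x32, 0x46, ..."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return [ord(c) for c in b64]


def deobfuscate(byte_array):
    """Reverse it: integer array -> ASCII text -> base64-decode -> UTF-8 string.
    Raises ValueError (or a subclass) when the array is not ASCII/base64."""
    ascii_text = bytes(byte_array).decode("ascii")
    return base64.b64decode(ascii_text, validate=True).decode("utf-8")


# Matches the array literals as dnSpy/ILSpy print them: new byte[] { 0x64, 0x32, ... }
_ARRAY_RE = re.compile(r"new\s+byte\s*\[\s*\]\s*\{([^}]*)\}")
_NUM_RE = re.compile(r"0x[0-9A-Fa-f]+|\d+")


def decode_csharp_arrays(decompiled_source):
    """Return the decoded strings for every byte-array literal in the source.
    Arrays that do not decode under this scheme are skipped, not guessed at."""
    results = []
    for m in _ARRAY_RE.finditer(decompiled_source):
        nums = [int(tok, 0) for tok in _NUM_RE.findall(m.group(1))]
        if not nums:
            continue
        try:
            results.append(deobfuscate(nums))
        except ValueError:  # UnicodeDecodeError and binascii.Error both subclass it
            continue
    return results


# CONSTRUCTED decompiler output in the shape a .NET decompiler produces; the
# first array encodes "wallet.dat", the second is not ASCII and must be skipped.
SAMPLE_DECOMPILED = """
byte[] array = new byte[] { 0x64, 0x32, 0x46, 0x73, 0x62, 0x47, 0x56, 0x30, 0x4C, 0x6D, 0x52, 0x68, 0x64, 0x41, 0x3D, 0x3D };
byte[] array2 = new byte[] { 0x00, 0xFF, 0x10 };
"""

if __name__ == "__main__":
    print(obfuscate("wallet.dat"))
    print(decode_csharp_arrays(SAMPLE_DECOMPILED))
```

Feed it the decompiled class that holds the arrays and you get the stealer's path list, extension IDs and C2 strings in one pass; the same recovered strings make good YARA material once wrapped back into their byte-array form, since that is what actually sits in the file.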
To hinder debugging, BlackGuard calls user32!BlockInput(), which blocks all mouse and keyboard input to the system while the stealer runs, so an analyst attached with a debugger cannot interact with the machine. (The block does not survive Ctrl+Alt+Del, and the import is a conspicuous one to look for when triaging a .NET sample.) Once these checks have completed, the stealer routine is invoked and collects data from browsers, installed software, and a set of hardcoded directories.
After collecting the data, BlackGuard packages all of the files into a .zip archive and sends it to the C2 server in a POST request, together with system information such as the hardware ID and country. The exfiltration is therefore a single outbound POST carrying a zip body, which is a useful hunting point in proxy logs.
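The exfiltration step gives a SOC something concrete to hunt for. The detection below is an added example written for this page, not a rule from Zscaler: it runs over constructed JSON-lines proxy records (not from any real product) and flags POST requests that look like a stealer upload: an archive-sized body of a zip or binary content type to a host that is not on the upload allowlist, a POST to a bare IP address, or host-fingerprint parameters in the query string. The page only says that the HWID and country accompany the POST; the assumption that they travel as query parameters named `hwid` and `country` is mine and should be adjusted to what your own sample shows.

```python
import ipaddress
import json
from urllib.parse import parse_qs

# CONSTRUCTED proxy log in a JSON-lines shape. Hosts use documentation ranges.
SAMPLE_PROXY_LOG = """
{"ts":"2022-04-01T10:02:11Z","src":"10.1.4.23","method":"GET","host":"www.example.com","path":"/","query":"","content_type":"","req_bytes":0}
{"ts":"2022-04-01T10:03:40Z","src":"10.1.4.23","method":"POST","host":"drive.corp.example","path":"/upload","query":"","content_type":"application/zip","req_bytes":2400000}
{"ts":"2022-04-01T10:05:02Z","src":"10.1.4.23","method":"POST","host":"198.51.100.77","path":"/gate.php","query":"hwid=9C3A1F5E7B2D4A60&country=US","content_type":"application/zip","req_bytes":184320}
{"ts":"2022-04-01T10:05:30Z","src":"10.1.4.55","method":"POST","host":"api.example.org","path":"/v1/events","query":"","content_type":"application/json","req_bytes":512}
{"ts":"2022-04-01T10:06:10Z","src":"10.1.4.55","method":"POST","host":"203.0.113.9","path":"/u","query":"","content_type":"application/octet-stream","req_bytes":90000}
"""

ALLOWED_UPLOAD_HOSTS = {"drive.corp.example"}  # constructed allowlist of sanctioned upload targets
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed", "application/octet-stream"}
MIN_UPLOAD_BYTES = 50_000  # below this a zip body is unlikely to be a full credential dump


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def reasons_for(event):
    """Return the list of rules this event trips; an empty list means no alert."""
    if event["method"] != "POST":
        return []
    reasons = []
    if (event["content_type"] in ARCHIVE_TYPES
            and event["req_bytes"] >= MIN_UPLOAD_BYTES
            and event["host"] not in ALLOWED_UPLOAD_HOSTS):
        reasons.append("archive-sized upload to non-allowlisted host")
    if is_bare_ip(event["host"]):
        reasons.append("POST to a bare IP address")
    # ASSUMPTION: HWID and country are sent as query parameters named hwid/country.
    # The page only says they accompany the POST; check your sample's C2 format.
    params = {k.lower() for k in parse_qs(event["query"])}
    if {"hwid", "country"} & params:
        reasons.append("host-fingerprint parameters in query string")
    return reasons


def detect_exfil(log_text):
    """Run the rules over every record and return the alerts with their reasons."""
    alerts = []
    for ev in parse_log(log_text):
        why = reasons_for(ev)
        if why:
            alerts.append({"ts": ev["ts"], "src": ev["src"], "host": ev["host"], "reasons": why})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_PROXY_LOG):
        print(alert)
```

The first rule alone is noisy on its own (the 90 KB octet-stream upload is flagged for triage, not convicted), which is why the reasons are returned as a list: an event that trips all three, as the 198.51.100.77 record does, deserves an immediate host isolation, while a single reason is a lead to enrich with the destination's reputation and the process that made the request.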
BlackGuard is becoming a more dangerous threat as it is actively improved and builds a reputation in the hacking community. Users should run malware protection, avoid reusing passwords across websites, enable multi-factor authentication, and avoid opening suspicious or unknown files. Note that none of these measures help once a wallet's private key has already been exfiltrated; keeping keys off the host, for example in a hardware wallet, is what limits the damage from this class of stealer. All data used here is credited to the Zscaler team.