Rising Stealer in Q1 2022: BlackGuard Stealer
Author: Jiho Kim | S2W TALON
Last Modified: 2022.04.01
- BlackGuard Stealer, which collects and exfiltrates credentials and device information from infected PCs, first appeared when its official seller posted a promotion article on a dark web forum in January 2022
- BlackGuard Stealer collects and exfiltrates not only credentials such as browser user data, local files, crypto wallets, VPN accounts, Steam accounts, Discord tokens, FileZilla data, and Telegram session data, but also device information such as OS version, system information, IPv4, country, and a screenshot from the infected PC
- The collected information is stored in a temporarily created folder. After collection, the folder is compressed into a *.zip file and exfiltrated through the Telegram API.
Introduction of BlackGuard Stealer
BlackGuard is an info stealer written in C#. It is mostly distributed as malicious software disguised as a Windows Update file, a fake MS Office installer, computer cleaner software, etc.
Recently, info stealers have also abused YouTube video descriptions by attaching a download link that leads to the stealer. In March 2022, a link to download a game hack program was posted in a YouTube video description, but when users downloaded and ran the software, 44Caliber Stealer was executed on their PC.
- Reference: https://asec.ahnlab.com/en/32499/
- YouTube link: https[:]//www[.]youtube[.]com/watch?v=YI8rJhQLsfg
- Malware download page: https[:]//anonfiles[.]com/J0b03cKexf
BlackGuard Stealer, which is currently being distributed, is forked from 44Caliber Stealer. Both BlackGuard and 44Caliber use the same method to collect credentials and device information. In addition, both store them in a temporarily created folder and compress them into a *.zip file. But while BlackGuard uses Telegram’s sendDocument API, 44Caliber uses the Discord Webhook API for exfiltration.
Timeline of BlackGuard Stealer
Since it first appeared on the dark web forum in January 2022, BlackGuard Stealer has updated its builder and web panel. In particular, given that the proportion of samples discovered from March 2022 onward is increasing, BlackGuard Stealer is clearly still active.
The most recent major update was on February 9, 2022. At that time, wallet extensions for Chrome, Edge, and Edge Beta were added, and the types of collected information became more diverse.
BlackGuard Stealer on DDW
A user with the nicknames “BlackGUARD07” and “blackteam007” posted a Stealer promotion article on the Russian-language forums XSS and BHF in January 2022. BlackGuard Stealer’s price and additional services depend on the period of use.
BlackGuard Stealer’s Pricing Policy
- $200 (for a month)
  - Build cleaning for an additional payment of $50
- $700 (forever)
  - All updates for free
  - Build cleaning for free
The official seller contacts buyers through Telegram Channel and Jabber. Both are only used for sales and inquiries, and announcements and updated information are posted on the forums.
BlackGuard Stealer Official Seller’s Contact
- Telegram: @blackwalter
- Jabber: firstname.lastname@example.org
1. Sample Information
- File Name: Soft.exe
- File Type: PE32 executable .NET assembly
- File Size: 1.18 MB
- Compiled Date: 2055-07-22 09:06:25
- MD5: eb6c563af372d1af92ac2b60438d076d
- SHA256: 67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71
2. BlackGuard Stealer Execution Flow
- When the loader is executed, BlackGuard Stealer is dropped and executed.
- Help & Config Data are decoded and then used for collecting and exfiltrating credentials and device information.
- Anti Debugging: checks for the existence of dnSpy, a tool used for decompiling .NET assemblies, and whether the process is currently being debugged.
- Collects credentials and device information from the infected PC and stores them in the ChikenDir folder specified in Help Data.
- Compresses ChikenDir into a zip file.
- Exfiltrates the zip file through the Telegram API.
3. Decode Help & Config Data
In BlackGuard Stealer, the data used for collecting and exfiltrating credentials and device information is hard-coded. Help Data is used for collection and includes system directory paths, the ChikenDir folder path, and device information. Config Data is mainly used to exfiltrate the collected information through the Telegram API and includes the Telegram Bot Token, Chat ID, and keywords for collecting files. Most of the data inside these classes is base64-encoded and gzip-compressed.
(*Help Data and Config Data are described in Appendix.A.)
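To triage such strings, an analyst can test every long base64 run in a strings dump for a gzip stream and decompress the ones that match. The helper below is an added example (not code from the original post or from the malware); it assumes the data was gzip-compressed first and then base64-encoded, so it reverses that order, and it runs on a constructed dump whose values are made up.

```python
import base64
import gzip
import re
import zlib
from typing import Dict, Optional

# Only base64 runs of a plausible length are tried; short runs are mostly noise.
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def decode_b64_gzip(candidate: bytes) -> Optional[bytes]:
    """Return the plaintext if `candidate` is base64 of a gzip stream, else None."""
    try:
        raw = base64.b64decode(candidate, validate=True)
    except ValueError:
        return None
    if raw[:2] != b"\x1f\x8b":  # gzip magic; skip plain base64 strings early
        return None
    try:
        return gzip.decompress(raw)
    except (OSError, EOFError, zlib.error):
        return None


def extract_encoded_strings(blob: bytes) -> Dict[str, str]:
    """Map every base64+gzip string found in `blob` to its decoded text."""
    found = {}
    for m in B64_RUN_RE.finditer(blob):
        plain = decode_b64_gzip(m.group(0))
        if plain is not None:
            found[m.group(0).decode()] = plain.decode("utf-8", errors="replace")
    return found


def encode_like_sample(text: str) -> str:
    """Build test data the way the stealer's data is assumed to be stored: gzip, then base64."""
    return base64.b64encode(gzip.compress(text.encode())).decode()


# Constructed stand-in for a strings dump of the assembly; every value here is made up.
SAMPLE_DUMP = (
    b"some-plain-string\n"
    + encode_like_sample("ChikenDir").encode() + b"\n"
    + encode_like_sample("BOT_TOKEN_PLACEHOLDER:chat_id=0000000000").encode() + b"\n"
    + b"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"  # plain base64, not gzip: ignored
)

if __name__ == "__main__":
    for encoded, plain in extract_encoded_strings(SAMPLE_DUMP).items():
        print(f"{encoded[:16]}... -> {plain}")
```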
4. Anti Debugging
Before BlackGuard collects credentials and device information, it applies anti-debugging checks. It detects the decompiler by checking whether the “dnSpy.xml” file exists, and uses “Sleep()” and “DateTime.Now.Ticks” to determine whether it is being debugged.
5. Collect Credentials and Device Information
BlackGuard Stealer collects browser user data, local files, crypto wallets, VPN, Steam, Discord, FileZilla, and Telegram data, system information, and a screenshot. Each time a piece of information is collected, a per-type counter is incremented and stored separately. The collected data stored in the ChikenDir folder is shown in the figure below.
In the Browsers folder, each browser’s user data is stored. A subfolder is created for each type of browser, and the collected user data is saved as *.txt files in each folder. While Chrome and Edge browsers’ user data includes CC, Password, Cookie, History, Downloads, and AutoFill, Gecko-based browsers additionally yield logins.json, which contains login information, as well as key3.db and key4.db.
After storing the collected user data in each browser’s folder, BlackGuard checks whether any domain from the list below appears in the *.txt files and records the matches (these detected target domains are later included in the exfiltration message).
[Domain Check List]
(*Target browser list is described in Appendix.A.)
BlackGuard browses the Desktop, MyDocuments, and USERPROFILE\source paths to steal specific files. It copies files smaller than 2.5MB with extensions such as *.txt, *.config, and *.rdp to the Files folder.
In the Wallets folder, BlackGuard creates a subfolder for each wallet type and copies the wallet.dat file.
[Crypto Wallet List]
- XMRcoin (Monero)
BlackGuard collects data from three VPN clients: ProtonVPN, OpenVPN, and NordVPN. The files it mainly collects are user.config and ovpn files, which contain the private keys. In the case of NordVPN, only the username and password from the ovpn file are copied and stored in accounts.txt.
BlackGuard first checks whether Steam is installed on the infected PC. If it is, BlackGuard copies Steam-related information such as the names and metadata list of installed games, user account data, configuration data, ssfn files containing authorization information, and *.vdf files containing resource data.
BlackGuard checks whether *.log and *.ldb files exist in the Discord-related directory list. If so, it copies the Discord token data found in those files together with the Discord Storage folder, and stores them in the Discord folder.
To collect FTP information, BlackGuard browses the FileZilla installation path and copies the host, port number, username, and password from recentservers.xml.
BlackGuard searches the installation path of the process whose name contains “Telegram” to collect Telegram session information. If it finds the path where the Telegram cache, user data, and the files named “usertag”, “settings” and “key_data” are stored, it copies them into the Telegram folder.
Device information is stored in information.txt. It includes OS Version, CPU architecture, malware file location, screen size, current date and time, HWID, IPv4, country, and malware execution time.
BlackGuard takes a screen capture of the current monitor according to the screen size and saves it as Screenshot.png.
Categorizing the collected information by type
6. Exfiltrate Information
Compress the folder to the *.zip file
BlackGuard compresses the ChikenDir folder containing the collected information into a zip file and exfiltrates it to the Telegram C2 server. The zip file name follows the format [HWID]([Current Date]).zip
Telegram Bot API
BlackGuard sets up the Telegram Bot URL to exfiltrate the zip file and sends it using the sendDocument API with the POST method. The data sent along with it includes the count of collected items for each type, the list of targeted software found, and the list of detected target domains. The message body sent to the Telegram Bot is shown below.
The Telegram Bot information used in this sample is as follows.
- username: @Zeusdarknet_bot
- Chat ID: 1068601339
- Token: 1068601339:AAGUm6n8fS0wwbMhDzm8XXbjUYb6Vb9–64Q
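On the defender’s side, this exfiltration path shows up in web proxy logs as a POST to api.telegram.org with the bot token embedded in the URL path. The detection helper below is an added example, not code from the original post; it assumes a simple space-separated proxy log format, uses constructed sample lines with placeholder IDs and token, and infers the archive-name pattern from [HWID]([Current Date]).zip with the date format left open.

```python
import re
from typing import List

# Constructed proxy log lines for the demo; hosts, IDs and the token are placeholders.
SAMPLE_LOG = """\
2022-03-28T10:15:02Z 10.0.0.5 GET https://example.com/update.json 200
2022-03-28T10:15:09Z 10.0.0.5 POST https://api.telegram.org/bot1234567890:AAExampleTokenPlaceholder_xyz/sendDocument chat_id=1234567890 filename="A1B2C3D4E5F6(28_03_2022).zip" 200
2022-03-28T10:16:30Z 10.0.0.7 POST https://api.telegram.org/bot1234567890:AAExampleTokenPlaceholder_xyz/sendMessage chat_id=1234567890 200
"""

# Bot API URLs embed the bot token in the path: /bot<bot_id>:<secret>/<method>
BOT_URL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)
CHAT_ID_RE = re.compile(r"chat_id=(?P<chat_id>-?\d+)")
# Assumed shape of the post's "[HWID]([Current Date]).zip" name: a hex-like HWID followed
# by a parenthesised date. The exact date format is not given, so any content is accepted.
ZIP_NAME_RE = re.compile(r'filename="(?P<name>[0-9A-Fa-f]+\([^)]+\)\.zip)"')


def redact(secret: str) -> str:
    """Keep a short prefix for correlation without copying a live bot token into reports."""
    return secret[:4] + "..." + "*" * 4


def find_telegram_exfil(log_text: str) -> List[dict]:
    """Return one record per Telegram Bot API request, flagging sendDocument uploads of an archive."""
    hits = []
    for line in log_text.splitlines():
        m = BOT_URL_RE.search(line)
        if not m:
            continue
        chat = CHAT_ID_RE.search(line)
        archive = ZIP_NAME_RE.search(line)
        method = m.group("method")
        hits.append({
            "method": method,
            "bot_id": m.group("bot_id"),
            "token": redact(m.group("secret")),
            "chat_id": chat.group("chat_id") if chat else None,
            "filename": archive.group("name") if archive else None,
            # sendDocument carrying a HWID(date).zip is the exfiltration pattern described above
            "suspicious": method == "sendDocument" and archive is not None,
        })
    return hits


if __name__ == "__main__":
    for hit in find_telegram_exfil(SAMPLE_LOG):
        print(hit)
```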
- BlackGuard Stealer has been active on the dark web forums since it appeared in January 2022.
- Considering the type of information collected by BlackGuard and the current state of its distribution, there is a possibility that it will develop into a high-impact info stealer such as RedLine, Vidar, Raccoon, and Ficker.
Appendix. A: Configuration Data & Browser List
dotnetbrowser-chromium, Chrome, Opera Software, Opera Software GX Stable, Firefox, ChromePlus, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, uCozMedia, Sleipnir5, Citrio, Coowon, liebao, QIP Surf, Orbitum, Comodo, Amigo, Torch, 360Browser, Maxthon3, K-Meleon, Sputnik, Nichrome, CooCoc, Uran, Chromodo, Brave-Browser
Appendix. B: MITRE ATT&CK MATRIX
Appendix. C: IoCs