By Sojun Ryu, The Readable
May 18, 2022 7:58PM KST
Cyber security company S2W recently published a report that explains the history of BlackGuard, a new info-stealer malware. This report is an extension of the report posted in April.
The BlackGuard operator, who is active on the dark web under the nicknames "BlackGUARD07" and "blackteam007," made the first promotion post in March 2021, but it was suspended because the operator had not paid a deposit. The operator posted again on the XSS and BHF forums in 2022, and then started sales in earnest after publishing a new promotion post.
According to S2W's analysis, BlackGuard has focused on cryptocurrencies, which cybercriminals have been most interested in recently. BlackGuard collects not only cryptocurrency software wallets but also wallet extensions installed in browsers such as Chrome, Edge, and Edge Beta, targeting a total of 47 wallets. In addition, it steals system information, credentials saved in web browsers, accounts from messenger software, sensitive local files, VPN credentials, and FTP credentials. One unique aspect of the software is that it carries a list of specific domains and uses it to decide the priority with which information for each domain is collected.
The latest confirmed version of BlackGuard is v3.5, and compared to the previous version, the target list of web browsers, wallet extensions, Outlook, messenger software, VPN, and FTP software has been expanded. Unlike v2.x, the collected data is no longer exfiltrated via a Telegram bot; with the current version it is transferred to an attacker-controlled server set up by the operator or by the client.
There have been two major updates since January 2022. The malware is priced at $50 for a one-month license and $700 for a lifetime subscription. Deals are mainly done through a Telegram channel and Jabber, and promotions are posted on the forums.
Sharp Criticism of Users on the Dark Web Towards BlackGuard
According to S2W's report, BlackGuard Stealer has recently been criticized by users on dark web forums. A user named "c0d3r_0f_shr0d13ng3r" posted an analysis of BlackGuard Stealer and claimed that it is actually doing something different from what is advertised. The user claimed that there was a fatal bug in the admin panel that manages the leaked information, which could allow someone to steal the log.
Users on the dark web and researchers at S2W have commented that source code from 44Caliber and StormKitty, both of which had already been released in the past, was found to have been reused in BlackGuard. In addition, it was discovered that the web panel code of Evryal Stealer was also used for BlackGuard Stealer's admin panel. The BlackGuard operator acknowledged these allegations, but has since said that it is not a problem because he developed much of that code himself.
Despite BlackGuard's clarification, many users still say $700 is too much, and are asking him to make public how it was priced. One user said that the price of 500 rubles ($7.60) is reasonable for this level of performance, and another user requested a refund after the details of the vulnerability were disclosed.
It remains to be seen whether the cornered BlackGuard operator will acknowledge these criticisms and improve the program or ignore the complaints and develop a different stealer.
The cover image of this article was designed by Areum Hwang.
Sojun Ryu is a cybersecurity researcher for The Readable. He graduated from the “Best of the Best” next-generation security expert training program (BoB) at the Korea Information Technology Research Institute (KITRI) in 2013, and holds a master’s degree in information security from Sungkyunkwan University in Korea. He worked at KrCERT/CC for seven years, analyzing malware and responding to incidents. He is also one of the authors of "Operation Bookcodes," published by KrCERT/CC in 2020. Recently, Ryu has been focusing on threat intelligence, cybercrime, and advanced persistent threats (APT) by expanding into the deep, dark web with TALON, the Cyber Threat Intelligence group at S2W.