SquirtDanger malware steals cryptocurrency, passwords/files & takes screenshots
In a new study released on Tuesday (April 17th), the Unit 42 threat research team of Palo Alto Networks revealed that cybercriminals are using a new type of malware to conduct cyber attacks on a global scale. Based on the dynamic link library file (SquirtDanger.dll) detected during the attack activity, Unit 42 calls this malware “SquirtDanger.”
Unit 42 stated that SquirtDanger was written using C# (C Sharp, an object-oriented, high-level programming language running on the .NET Framework, released by Microsoft Corporation). Allows attackers to achieve a variety of malicious purposes, such as taking screenshots and stealing passwords stored in browsers, and even stealing cryptocurrencies.
For stolen browser passwords, SquirtDanger supports a variety of browsers, including Chrome, Firefox, Yandex Browser, Kometa, Amigo, Torch, and Opera.
For cryptocurrencies, SquirtDanger supports multiple currencies, including Litecoin, Bitcoin, Bytecoin, Dash, Bitcoin Lightweight Electrum, and Ethereum. Ethereum and Monero.
SquirtDanger’s strategy for stealing cryptocurrencies is similar to that used by another malware named “ComboJack,” which detects when the victim of the target has copied the cryptocurrency wallet address to the Windows clipboard and sets the address. Replaced by the address of the wallet held by the attacker to steal funds.
SquirtDange is mainly distributed through malicious advertisements that promote illegal pirated software. So far, Unit 42 has discovered a total of nearly 1277 malicious software samples related to 119 unique commands and control (C&C) servers in various activities. The victims are mainly located in France, the Netherlands, French Guinea and Russia.
In addition to the above-mentioned features, SquirtDanger also has many other malicious features, including delete itself, send files, clear browser cookies, list processes, kill processes, list drives, get directory information, download files, upload files, delete files and execute files.
When SquirtDanger successfully infects the device, it creates and executes a scheduled task called CheckUpdate. This scheduled task is configured to execute automatically every minute to get as much information as possible. When it communicates with the C&C server for the first time, it will try to get an additional module list to install to achieve all the functions mentioned above.
Unit 42 points out that SquirtDange was developed by a Russian hacker codenamed “TheBottle”. TheBottle has been active in various cybercrime forums around the world for many years and its purpose is to promote various malware developed by him.
During the investigation of SquirtDanger, Unit 42 found a self-promotional blog post written by TheBottle. In this article, TheBottle claims to be responsible for the development of multiple malware families, including the Odysseus Project, Evrial, and Ovidi Stealer.
Unit 42 emphasizes that since SquirtDanger is sold, its target of the attack is not limited to a specific industry or a specific region. Global individuals or organizations may be attacked by SquirtDanger. In Unit 42’s investigation, an African telecom company, a Turkish university, and an Internet service provider in Singapore have all become victims of SquirtDanger.
