A new variant of the BlackGuard stealer has been spotted in the wild, with new features such as USB propagation, persistence mechanisms, loading additional payloads into memory, and targeting additional crypto wallets.
BlackGuard was first spotted by Zscaler in March 2022, which reported that the malware was being sold to cybercriminals on Russian-speaking forums as MaaS (malware-as-a-service) for $200/month or a lifetime price of $700.
The new stealer emerged shortly after Raccoon Stealer's MaaS operation was halted, and it enjoyed good adoption rates while offering extensive app-targeting capabilities.
This new version of the BlackGuard stealer was discovered by analysts at AT&T, who warn that the malware is still very active, with its authors constantly improving it while keeping the cost of the subscription stable.
New features of BlackGuard
BlackGuard’s targeting reach remains extensive, attempting to steal cookies and credentials stored in web browsers, cryptocurrency wallet browser extension data, desktop cryptocurrency wallet data, information from messaging and gaming apps, email clients, and FTP or VPN tools.
What’s most interesting about the latest version are the new features introduced that make BlackGuard a much more powerful threat.
First, a crypto wallet hijacking module (clipper) replaces cryptocurrency addresses copied to the Windows clipboard with an address belonging to the threat actor, hoping to divert cryptocurrency transactions to their own wallets. The swap happens silently between copy and paste, so the only reliable user-side check is to compare the pasted destination address against the source before confirming a transfer.
The clipper has hard-coded addresses for Bitcoin, Ethereum, Monero, Stellar, Ripple, Litecoin, Nectar, Bitcoin Cash, and DASH, so it covers a wide range of cryptocurrencies.
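The following is an added detection example, not code from BlackGuard or from AT&T's analysis. It shows the two halves of the clipper behaviour described above from the defender's side: classifying clipboard text by cryptocurrency address format (the same decision a clipper makes before swapping), and flagging the tell-tale pattern of an address being replaced by a different address of the same coin between two clipboard snapshots. The address patterns are simplified syntax checks with no checksum validation, they cover a subset of the coins listed above, and the snapshot sequence is constructed for the example.

```python
"""Clipper (clipboard-hijack) detection over clipboard snapshots.

Added illustration, not BlackGuard code. Address regexes are simplified
syntax checks (no checksum validation); the snapshot list is constructed.
"""
import re
from typing import List, Optional, Tuple

# Simplified address formats for a subset of the coins the clipper targets.
# Order matters so that '3...' P2SH addresses resolve as Bitcoin before the
# Litecoin pattern is tried.
ADDRESS_PATTERNS: List[Tuple[str, "re.Pattern"]] = [
    ("Ethereum",     re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("Monero",       re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$")),
    ("Stellar",      re.compile(r"^G[A-Z2-7]{55}$")),
    ("Ripple",       re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$")),
    ("Bitcoin",      re.compile(r"^(bc1[a-z0-9]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$")),
    ("Bitcoin Cash", re.compile(r"^(bitcoincash:)?[qp][a-z0-9]{41}$")),
    ("Litecoin",     re.compile(r"^(ltc1[a-z0-9]{25,59}|[LM][1-9A-HJ-NP-Za-km-z]{26,33})$")),
    ("Dash",         re.compile(r"^X[1-9A-HJ-NP-Za-km-z]{33}$")),
]


def classify(text: str) -> Optional[str]:
    """Return the coin whose address format the text matches, else None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS:
        if pattern.match(text):
            return coin
    return None


def detect_swaps(snapshots: List[str]) -> List[Tuple[int, str, str, str]]:
    """Flag each consecutive snapshot pair in which a wallet address was
    replaced by a *different* address of the same coin.

    Returns (index, coin, before, after) tuples. A real monitor would poll the
    clipboard at a short interval and add the condition that the change
    happened with no new user copy event, which separates a hijack from a user
    legitimately copying two addresses in a row.
    """
    findings = []
    for i in range(1, len(snapshots)):
        before, after = snapshots[i - 1].strip(), snapshots[i].strip()
        coin = classify(before)
        if coin is not None and classify(after) == coin and before != after:
            findings.append((i, coin, before, after))
    return findings


# Constructed snapshot sequence: the user copies a Bitcoin address, the
# clipboard is silently rewritten to an attacker-controlled one, then the user
# copies an Ethereum address that is left untouched.
USER_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
ATTACKER_BTC = "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"
USER_ETH = "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"
SAMPLE_SNAPSHOTS = ["meeting notes", USER_BTC, ATTACKER_BTC, USER_ETH, USER_ETH, "hello"]

if __name__ == "__main__":
    for index, coin, before, after in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"snapshot {index}: {coin} address {before} replaced by {after}")
```

On the sample data the only finding is the Bitcoin swap at snapshot 2; the repeated Ethereum address is not flagged because the content did not change. The same-coin condition matters: a clipper keeps the coin type so the victim's wallet software accepts the substituted address without complaint.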
The second new feature is BlackGuard’s ability to spread via USB drives and other removable devices, automatically infecting any new host the device is plugged into.
The third addition is the malware’s ability to download additional payloads from the command and control (C2) server and execute them directly in memory on the compromised computer using process hollowing, so the payload never has to be written to disk where antivirus tools would scan it.
The fourth new feature is BlackGuard’s ability to add itself under the “Run” registry key, thus gaining persistence across system reboots.
Finally, a feature copies the malicious files to every folder on the C:\ drive, giving each copy a random name.
AT&T’s analysts note that this duplication mechanism is more of a hindrance than a benefit; however, the operators may have implemented it to make the malware harder to remove.
In addition to these features, BlackGuard now targets 57 cryptocurrency browser extensions and wallets, attempting to steal their data and drain crypto assets. In August, when Zscaler analyzed the malware, it targeted only 45 crypto-related extensions and wallets.
Some of the targeted extensions include Binance, Phantom, Metamask, BitApp, Guildwallet, Slope Wallet, Starcoin, and Ronin wallet extensions. Some of the targeted dedicated wallets are AtomicWallet, BitcoinCore, DashCore, Electrum, Ethereum, Exodus crypto and LiteCoinCore wallets.
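The Run-key persistence and the random-named file copies described above are the two artifacts a responder can triage together. The following is an added example (not BlackGuard code and not a tool from AT&T's report) that parses a `reg export` style dump of the Run keys and flags entries that launch from a user-writable location or whose value or file name looks machine-generated. The dump text is constructed, the parser assumes the `reg export` escaping rules (doubled backslashes, escaped quotes), and the random-name heuristic is deliberately rough and will produce some false positives on legitimate software.

```python
"""Triage of Run-key autostart entries from a reg-export style text dump.

Added illustration, not BlackGuard code. The sample dump is constructed;
the 'random name' heuristic is rough and produces some false positives.
"""
import re
from typing import Dict, List

RUN_KEY = re.compile(r"^\[(HKEY_[^\]]*\\CurrentVersion\\Run(?:Once)?)\]$", re.IGNORECASE)
VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
EXE_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|bat|cmd|vbs|js|ps1))', re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample in the format produced by `reg export`: backslashes are
# doubled and embedded quotes are escaped. Two entries mimic the behaviour in
# the text (random-named executables dropped in user-writable folders).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Xk7q2ZpL"="\"C:\\Users\\alice\\AppData\\Roaming\\Xk7q2ZpL.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"a9f3kq1z"="C:\\ProgramData\\a9f3kq1z\\a9f3kq1z.exe -s"
'''


def unescape_reg(value: str) -> str:
    """Undo reg-export escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r'\\(["\\])', r'\1', value)


def parse_run_entries(dump: str) -> List[Dict[str, str]]:
    """Collect (key, value name, command) for every value under a Run/RunOnce key."""
    entries, current_key = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        key = RUN_KEY.match(line)
        if key:
            current_key = key.group(1)
            continue
        if line.startswith("["):          # some other key: stop collecting
            current_key = None
            continue
        value = VALUE.match(line) if current_key else None
        if value:
            entries.append({"key": current_key, "name": value.group(1),
                            "command": unescape_reg(value.group(2))})
    return entries


def executable_path(command: str) -> str:
    """Pull the launched file out of a command line, expanding %windir%."""
    cmd = command.replace("%windir%", r"C:\Windows").replace("%SystemRoot%", r"C:\Windows")
    match = EXE_PATH.search(cmd)
    return match.group(1) if match else cmd.split()[0].strip('"')


def looks_random(name: str) -> bool:
    """Rough heuristic for generated names: letters mixed with digits, or no vowels."""
    if len(name) < 6:
        return False
    has_digit = any(c.isdigit() for c in name)
    has_alpha = any(c.isalpha() for c in name)
    vowels = sum(c in "aeiouAEIOU" for c in name)
    return (has_digit and has_alpha) or vowels == 0


def triage_run_keys(dump: str) -> List[Dict[str, object]]:
    """Annotate each Run-key entry with the reasons it deserves a closer look."""
    findings = []
    for entry in parse_run_entries(dump):
        path = executable_path(entry["command"])
        low = path.lower()
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if any(p in low for p in USER_WRITABLE) or not low.startswith(TRUSTED_PREFIXES):
            reasons.append("launches from a user-writable location")
        if looks_random(stem) or looks_random(entry["name"]):
            reasons.append("random-looking value or file name")
        findings.append({**entry, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_run_keys(SAMPLE_REG_EXPORT):
        flag = "SUSPECT" if f["reasons"] else "ok"
        print(f'{flag:8} {f["name"]:16} {f["path"]}  {"; ".join(f["reasons"])}')
```

On the sample, the two random-named entries collect both reasons, the OneDrive entry collects only the location reason (a legitimate per-user install that an allowlist would clear), and the Windows-directory entry collects none. On a live host the same logic applies to the output of `reg export` for the HKCU and HKLM Run keys, and the location reason is the one worth acting on first: a stealer that persists under Run and scatters random-named copies across the drive does not get to write into Program Files or Windows.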
In conclusion, the latest version of BlackGuard demonstrates the continued evolution of malware competing in the MaaS space, adding significant features that pose an even greater risk to users.
To limit the risk of BlackGuard infections, avoid downloading executables from untrusted websites, do not launch files that arrive as email attachments from unknown senders, and keep your system and antivirus tools up to date.