Zaraza bot malware uses Telegram messenger for control and management.
A new malware named Zaraza bot, which is capable of stealing user credentials, is being sold on Telegram. According to security researchers at Uptycs, the tool uses the messenger as its command-and-control (C2) server. Because stolen data leaves the host as ordinary HTTPS traffic to Telegram's own infrastructure, it blends in with legitimate Telegram use and is hard to block at the network edge without blocking Telegram itself.
According to the researchers, Zaraza bot steals saved passwords from popular web browsers (Google Chrome, Microsoft Edge, Opera and others). The binary itself is a 64-bit executable written in C#.
Once Zaraza bot is on a victim's device, it extracts the credentials those browsers have saved for email accounts, online banking sites, cryptocurrency wallets and other sensitive services, then sends them to the attacker. Besides logins and passwords, it can also capture screenshots of the active window. Browsers do not store these passwords in the clear: since Chrome version 80 (the "v80" scheme the researchers refer to), Chromium-based browsers encrypt each saved password with AES-256-GCM under a per-profile key that is itself protected with Windows DPAPI. That protection is tied to the logged-in user, not to the browser, so any code running in the victim's session, this malware included, can ask DPAPI to unwrap the key and decrypt the stored credentials.
The authors distribute Zaraza bot through a Telegram channel popular with cybercriminals and sell it on a subscription basis. Access to the Telegram bot that handles subscriptions is restricted, so the Uptycs researchers were unable to interact with it directly.
A connection to Russia is very likely
A Russian connection is likely. Besides the name itself, "zaraza" being Russian for "infection", the researchers found further evidence: while analysing the malware's HTTPS traffic they came across account data belonging to a Russian user, which points to that person being either the Zaraza bot administrator or a criminal operating it.
The distribution method has not been confirmed, although earlier infections have been attributed to malicious advertising and social engineering. The first reports of Zaraza bot infections surfaced during a Microsoft Threat Intelligence analysis of a phishing campaign targeting accounting firms and tax authorities.