In a twist of irony, hackers are becoming the hunted: a malicious campaign is abusing the popular penetration testing tool OpenBullet to target budding cybercriminals. The attack weaponizes the tool's configuration files to deploy a Remote Access Trojan (RAT) that siphons off sensitive information.
OpenBullet is an open-source penetration testing tool designed to automate credential stuffing attacks. It accepts configuration files tailored to specific websites and pairs them with stolen passwords to record which login attempts succeed. Since the tool gained popularity in April 2019, configurations, which are executable code snippets that generate HTTP requests, have been readily sold on darknet markets, putting the tool within reach of novice hackers or script kiddies.
The current attack vector homes in on these inexperienced cybercrooks, luring them via hacker forums. Malicious configurations are distributed through a Telegram channel and eventually lead victims to a GitHub repository, from which they unwittingly download a Rust-based dropper dubbed “Ocean”. The dropper acts as a gateway, retrieving subsequent malware payloads from the same repository.
Once in operation, Python-based malware named “Patent” launches the RAT. This Trojan uses Telegram as its command and control server and carries out several malicious operations, including:
- Capturing screen snapshots.
- Listing directory contents.
- Terminating tasks.
- Stealing crypto-wallet information.
- Pilfering passwords and cookie files from Chromium-based web browsers, including Brave, Google Chrome, and Microsoft Edge, among others.
The Trojan also doubles as a clipper, replacing cryptocurrency recipient addresses on the clipboard with the attacker's own and thereby diverting funds. Over the past two months, two bitcoin wallet addresses controlled by the operator accumulated a total of $1,703, which was later laundered through the anonymous crypto exchange Fixed Float.
Using Telegram to spread tainted OpenBullet configurations is a novel infection method, one that deliberately targets the criminal world, which frequently deals in cryptocurrencies. Targeted attacks of this kind let cybercriminals tailor their tools to a specific victim group, stealing both money and the victims' accounts.
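The clipper behaviour described above can be caught on an endpoint by watching for one cryptocurrency address being replaced by a different one moments after it was copied. The following is an added example, not code from the article or from the malware itself: it runs the heuristic over a constructed sequence of clipboard polls, and the address strings and the two-second window are assumptions.

```python
import re
from dataclasses import dataclass

# Bitcoin address shapes: legacy base58 (starts with 1 or 3) and bech32 (starts with bc1).
BTC_LEGACY = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")
BTC_BECH32 = re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$")


def address_family(text: str):
    """Classify a clipboard string; returns 'btc' for Bitcoin-shaped values, else None."""
    value = text.strip()
    if BTC_LEGACY.match(value) or BTC_BECH32.match(value):
        return "btc"
    return None


@dataclass
class Swap:
    at: float          # poll timestamp (seconds) at which the replacement was seen
    original: str      # address the user copied
    replacement: str   # address that silently took its place


def detect_clipper_swaps(samples, window: float = 2.0):
    """samples: ordered list of (timestamp_seconds, clipboard_text) from a clipboard poller.

    Flags the clipper signature: an address is replaced by a *different* address of the
    same family within `window` seconds. A user pasting a new address later on is not
    flagged because the gap between polls exceeds the window.
    """
    swaps = []
    prev_t, prev_text = None, None
    for t, text in samples:
        if prev_text is not None and text != prev_text:
            fam_prev, fam_now = address_family(prev_text), address_family(text)
            if fam_prev is not None and fam_prev == fam_now and (t - prev_t) <= window:
                swaps.append(Swap(t, prev_text.strip(), text.strip()))
        prev_t, prev_text = t, text
    return swaps


# Constructed sample data: fake addresses that merely match the format regexes.
USER_ADDR = "1UserCopiedAddrAAAAAAAAAAAAAAA"
ATTACKER_ADDR = "1AttackerSwapAddrBBBBBBBBBBBBBB"
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),        # unrelated clipboard content
    (5.0, USER_ADDR),              # user copies the intended recipient
    (5.4, ATTACKER_ADDR),          # clipboard rewritten 0.4 s later: clipper pattern
    (30.0, USER_ADDR),             # user copies the intended address again
    (60.0, ATTACKER_ADDR),         # a different address 30 s later is outside the window
]

if __name__ == "__main__":
    for swap in detect_clipper_swaps(SAMPLE_EVENTS):
        print(f"t={swap.at}s: {swap.original} -> {swap.replacement}")
```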