BlackGuard Password Stealer Gains Popularity on Hacker Forums

Information security experts have taken notice of a new piece of malware designed to steal sensitive data: BlackGuard. This infostealer is being sold on various darknet marketplaces and forums for $700 for a lifetime license or $200 per month.

Analysts at Zscaler have already examined BlackGuard, which has surged in popularity following the unexpected shutdown of its competitor, Raccoon Stealer. According to Bleeping Computer, BlackGuard was first spotted on Russian-language hacker forums in January 2022, initially distributed privately while still in the testing phase.

What BlackGuard Targets

Like other modern infostealers, BlackGuard is capable of stealing data from almost any application that handles confidential user information, with a particular focus on cryptocurrency assets. Once a system is infected, BlackGuard searches for the following applications to extract user data:

  • Browsers: Passwords, cookies, autofill data, and browsing history from Chrome, Opera, Firefox, MapleStudio, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, uCozMedia, Coowon, liebao, QIP Surf, Orbitum, Comodo, Amigo, Torch, 360Browser, Maxthon3, K-Melon, Sputnik, Nichrome, CocCoc, Uran, Chromodo, Edge, BraveSoftware, and others.
  • Browser Wallet Extensions: Binance, coin98, Phantom, Mobox, XinPay, Math10, Metamask, BitApp, Guildwallet, iconx, Sollet, Slope Wallet, Starcoin, Swash, Finnie, KEPLR, Crocobit, OXYGEN, Nifty, Liquality, Auvitas wallet, Math wallet, MTV wallet, Rabet wallet, Ronin wallet, Yoroi wallet, ZilPay wallet, Exodus, Terra Station, Jaxx.
  • Cryptocurrency Wallets: AtomicWallet, BitcoinCore, DashCore, Electrum, Ethereum, Exodus, LitecoinCore, Monero, Jaxx, Zcash, Solar, Zap, AtomicDEX, Binance, Frame, TokenPocket, Wassabi.
  • Email: Outlook.
  • Messengers: Telegram, Signal, Tox, Element, Pidgin, Discord.
  • Other Applications: NordVPN, OpenVPN, ProtonVPN, Total Commander, FileZilla, WinSCP, Steam.

The stolen information is packaged into a ZIP file and sent to the attackers’ command-and-control server via a POST request, along with a system profile report that assigns a unique identifier to the victim’s hardware.

Evading Detection

BlackGuard’s evasion techniques are still under development, but some mechanisms to avoid detection and analysis are already in place. The malware is packed with a crypter, and its code is obfuscated with base64 encoding. Additionally, BlackGuard can detect antivirus products present on the system and attempts to terminate their processes in order to disable them.

Another notable feature is that BlackGuard checks the victim’s IP address. If the infected system is located in Russia or other CIS countries, the malware will stop running and exit.

Expert Insights

Daria Romana Pop, a threat analyst at KELA, shared the following thoughts with Bleeping Computer:

“The BlackGuard stealer was launched in early 2021, and cybercriminals are constantly testing the capabilities of such malicious tools, often demanding improvements and higher quality from the developers. KELA has seen several discussions where users complained that BlackGuard was not able to properly evade detection. As in any other business, the developers promised to release an updated version as soon as possible.”