Security News > 2023 > March > BlackGuard stealer now targets 57 crypto wallets, extensions
A new variant of the BlackGuard stealer has been spotted in the wild, featuring new capabilities like USB propagation, persistence mechanisms, loading additional payloads in memory, and targeting additional crypto wallets.
BlackGuard was first spotted by Zscaler in March 2022, who reported that the malware was sold to cyber criminals on Russian-speaking forums as a MaaS for $200/month or a lifetime price of $700. The new stealer appeared shortly after the original Raccoon Stealer MaaS operation shut down, enjoying good adoption rates while offering extensive app-targeting capabilities.
The targeting scope of BlackGuard remains extensive, attempting to steal cookies and credentials stored in web browsers, cryptocurrency wallet browser extension data, desktop crypto wallet data, information from messaging and gaming apps, email clients, and FTP or VPN tools.
First, a crypto wallet hijacker module replaces cryptocurrency addresses copied to the Windows clipboard with the threat actor's address, hoping to divert cryptocurrency transactions to their own wallets.
In additon to these features, BlackGuard is now targeting 57 cryptocurrency browsers extensions and wallets, attempting to steal their data and drain crypto assets.
Some of the targeted dedicated wallets are AtomicWallet, BitcoinCore, DashCore, Electrum, Ethereum, Exodus crypto, and LiteCoinCore wallets.