- Jul 22, 2014
FortiGuard Labs has been monitoring a new release of the malware known as Predator the Thief, labeled as version 3.3.4. Since our last article about Predator the Thief, we have continued to monitor this malware family. Each minor version has introduced small development changes, and cumulatively these make the latest version very different from version 3.0.8, which we described in our last article.
In early December we observed a new Predator the Thief campaign using version 3.3.3. We analyzed the new campaign, and found that it is both stealthier and more complicated than its predecessors. In addition, it was upgraded again to version 3.3.4 on Christmas Eve. In this report we will quickly analyze its latest set of capabilities.
Recent Campaign
...
...
Conclusion
In this recent Predator the Thief malware and campaign, a simple but tricky technique for abusing the legitimate AutoIt software to execute the Predator the Thief payload has been added. In addition, the whole program flow has been changed. More anti-analysis features are used, and the configurations are more detailed and complex. It is also able to collect information in a file-less manner and to delete itself immediately after sending the collected information to the C2. This makes it more difficult for analysts to assess the damage done to the victim system. It has also gained new features for executing its additional modules and second-stage malware in different ways.
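As an added illustration, not code from the original article, the following heuristic flags two of the behaviours the conclusion names: the AutoIt interpreter running from a user-writable directory, and a process that deletes its own image right after making a network connection. The interpreter file name AutoIt3.exe, the Sysmon-like event shape, and the sample events are all assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample telemetry in a Sysmon-like shape (not real data from the campaign).
EVENTS = [
    {"ts": 1, "kind": "proc", "pid": 10, "ppid": 4,
     "image": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
     "cmd": r'"C:\Users\u\AppData\Local\Temp\AutoIt3.exe" C:\Users\u\AppData\Local\Temp\run.au3'},
    {"ts": 2, "kind": "net", "pid": 10, "dst": "198.51.100.7:80"},
    {"ts": 3, "kind": "proc", "pid": 11, "ppid": 10, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c del "C:\Users\u\AppData\Local\Temp\AutoIt3.exe"'},
    # Benign control: the interpreter installed under Program Files running an admin script.
    {"ts": 4, "kind": "proc", "pid": 20, "ppid": 4,
     "image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "cmd": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" C:\Scripts\backup.au3'},
]

# Paths an unprivileged user can normally write to (assumed list, extend per environment).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)
# Captures the target of a "del <path>" command, with or without surrounding quotes.
DEL_TARGET = re.compile(r'\bdel\b\s+"?([^"]+?)"?\s*$', re.I)

def detect(events: List[Dict]) -> List[str]:
    """Return one finding string per suspicious pattern found in the event stream."""
    findings = []
    procs = {}           # pid -> process-creation event
    contacted = set()    # pids that made an outbound connection
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "net":
            contacted.add(ev["pid"])
            continue
        procs[ev["pid"]] = ev
        # Rule 1: AutoIt interpreter launched from a user-writable directory.
        if ev["image"].lower().endswith("\\autoit3.exe") and USER_WRITABLE.search(ev["image"]):
            findings.append(f"autoit_from_user_dir pid={ev['pid']} image={ev['image']}")
        # Rule 2: a child deletes its parent's own image after the parent talked to the network.
        parent = procs.get(ev["ppid"])
        m = DEL_TARGET.search(ev["cmd"])
        if parent and m and ev["ppid"] in contacted \
                and m.group(1).lower() == parent["image"].lower():
            findings.append(f"self_delete_after_net pid={ev['ppid']} image={parent['image']}")
    return findings

if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```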
...
...
VT of encrypted MW 1/56