New Variant of Credential-Stealing Browser Malware

Author Avatar

by

Posted on May 2, 2023

Want to interview Nick?

Contact

There’s a new addition to the cybercriminal toolbox. “Zaraza bot” is malware that steals login credentials from almost all types of browsers.

Zaraza means “infection” in Russian, and that’s exactly what the Zaraza bot delivers to computers. The malware scans through users’ browsers to find login credentials, which it successfully decrypts despite the double-encryption used by most browsers. The credentials are saved to an output.txt file, which is then shared to a Telegram server, on a channel used primarily by hackers. Telegram also serves as a command-and-control (C2) platform for Zaraza. The malware works on 38 different types of browsers, including those that are most popular like Chrome, Edge, and Opera.

Technical details about the Zaraza bot were published by uptycs, which discovered the malware.

Dangers of Zaraza Malware

Zaraza enables theft of a lot of data, making it an especially dangerous piece of malware. In allowing hackers to gain unauthorized access to victims’ accounts, it facilitates identity theft and many types of financial fraud. Attackers may use the stolen credentials themselves for these attacks, or they can sell the credentials on the dark web for others to misuse.

Zaraza Malware Propagation

Reports did not specify how Zaraza is distributed, but it is safe to assume that it’s via the usual ways of propagating malware – the phishing, malvertising, and social engineering methods that have been proven so effective for all kinds of attacks. Because Zaraza is being offered on a subscription basis, we can expect each attacker to promulgate attacks via their own favorite mechanisms.

Protecting Against Zaraza

There are several steps that can be taken to protect yourself and your business from Zaraza:

  1. Follow usual best practices about avoiding clicking on suspicious links or downloading suspicious files. User training can raise awareness and reduce the number of erroneous clicks, but cannot fully protect your business from the most clever phishing and social engineering attacks.
  2. Do not store sensitive login credentials in your browser. If the data is not there, they cannot steal it. Only rely on the browser’s password management for sites where security is not that important. For any financial or other sensitive sites, use a separate more secure password manager. Of course, “more secure” is key, since recent breaches have exposed weaknesses of some password managers that had been considered secure.
  3. Enable multifactor authentication. Passwords won’t allow cybercriminals to access your accounts if they also need an additional factor to login to the affected accounts.
  4. Use Remote Browser Isolation (RBI). With RBI, even if a user clicks on a malicious link or opens a weaponized attachment, the malware that’s triggered cannot infect their device or the network, since it is opened in an isolated container and never reaches the user’s device.
  5. Protect corporate apps and data from remote access via stolen credentials with Zero Trust Network Access (ZTNA). Look for a solution like ZTEdge, which has a clientless option for secure access from unmanaged devices.

Zero Trust and Credential Theft

Zero Trust technologies like ZTNA and RBI operate on the assumption that every website or file may be malicious, and therefore must be handled in a way that prevents infection and spread.

Because Zero Trust includes the assumption that breaches occur, ZTNA leverages microsegmentation and least privilege access to limit the resources and data a cybercriminal can access and exfiltrate, should they get in.

Zaraza bot is just the latest credential stealing malware to surface, but it certainly won’t be the last. As commercial availability of malware increases, cybercriminals will no longer need to be technologically sophisticated to successfully execute cyberattacks. With threats increasing, it is more important than ever to protect your organization and its distributed endpoints with a comprehensive Zero Trust solution like the ZTEdge Security Service Edge (SSE) platform.

Share this on:
Author Avatar

About Nick Kael

A cybersecurity expert with over 20 years of experience in web technologies, architecture, infrastructure, networking and dev environments, Nick is responsible for solution management, technology strategy and technology partnerships. Nick was previously Symantec Group CTO for Global Service Providers, following his tenure as Director of the Chief Architect Team for Channel and Service Providers at Zscaler and an earlier position in the Symantec CTO organization. His certifications include CEH7, CCSK, BCCPP, Bluecoat Blue Knight, MCSE + Security, CCDP, CCNA, CCSA, VTP5 and VTSP5.

Recent Posts

“Operation Duck Hunt” Shuts Down QakBot Botnet

The FBI-led takedown of Qakbot was an operation that involved seven countries. Malware was removed from 700,000 computers. But don’t think all that makes you safe.

How GenAI is Supercharging Zero-Day Cyberattacks

Generative AI empowers its users to work fast, better and more efficiently. Alas, this includes cybercriminals, who are using malicious GenAI platforms to accelerate zero-day exploit creation.

Cybercriminals Disdain the Law, But Find Law Firms Attractive

Cybercriminals love the multiplier effect they get from attacking law firms: Hack in, and they get firm data PLUS juicy confidential client info.

More Posts