Predator the Thief

Predator the Thief is an information stealer, meaning malware that steals data from infected systems. This virus can access the camera and spy on victims, steal passwords and login information, and retrieve payment data from cryptocurrency wallets.

Type: Stealer
Origin: ex-USSR
First seen: 1 July, 2018
Last seen: 29 May, 2020
Global rank: 19
Week rank: 29
Month rank: 33
IOCs: 3693

What is Predator the Thief?

Predator the Thief is an information stealer type malware — a virus used by attackers to collect information from infected machines. The Predator trojan can steal passwords and information from crypto wallets, access the camera to capture images of the machine's owner, and more.

Like a lot of other malware of this class, Predator the Thief is a somewhat basic program that has not changed much since its first version, which was developed by a user named Alexuiop1337 around July of 2018. Bearing this in mind, this malware does not pose a significant threat to most corporations with adequate cybersecurity measures, but it can devastate careless private users.

General description of Predator the Thief

Researchers believe that Predator the Thief was developed by Russian-speaking malware actors, as it mostly appears for sale on Russian forums, where the malware could be obtained for a ridiculously low price of around $30. At the moment of publication, the price has risen to $150. With every purchase, clients obtain a builder and everything they need to launch attacks. The malware authors themselves are known to distribute the builder but have not been observed carrying out attacks directly.

The malware was first promoted by an individual with the alias “Alexuiop1337”, who is still actively spreading information about the virus. However, at one point he took up another name — “Kongress_nlt”. There is also a known Telegram user “sett9” who is affiliated with the operation and could be “Kongress_nlt” himself. It is known that “sett9” is active on Telegram. Furthermore, one can follow the latest news concerning Predator on a dedicated Telegram channel, “@PredatorSoftwareChannel”, which lists all updates to the malware.

The authors do in fact update the malware frequently, introducing new functions as well as undetectable samples to avoid discovery. In addition, they are willing to set up backend administration cabinets for clients for an extra fee. Notably, one of the updates reworked the code from the ground up to make Predator what they call “fileless”. This means that, when running, the malware does not leave any files on the infected machine, making it that much more difficult to detect. This allows the stealer to operate stealthily on the machine of an unsuspecting victim and inflict more damage over time, as more and more potentially sensitive data is stolen.

When it comes to browser data, Predator the Thief focuses mainly on Chrome, Opera and Firefox-based programs and uses “industry-standard” techniques to do its job. The malware can also target wallets for the following cryptocurrencies:

  • Ethereum
  • Multibit
  • Electrum
  • Armory
  • Bytecoin
  • Bitcoin
  • And others…

It can also pull data from FileZilla and WinFTP. Another trick that Predator has up its sleeve is an anti-VM check that instantly terminates execution if the malware detects that it is being launched on a virtual machine. This feature is there to complicate analysis as much as possible and slow down research.

However, despite these functions, and although Predator can steal data from a good number of sources, it is still considered a relatively primitive malware compared to some of the other stealers out there, which is not surprising given its very affordable price. While the punch it packs may not be enough to shatter the defenses of most modern large-scale corporations, small businesses and individuals can still suffer serious damage from Predator attacks.

Predator the Thief malware analysis

A video recorded in the ANY.RUN malware hunting service displays the execution process of Predator the Thief, allowing analysts to examine it in a convenient and safe environment.

Figure 1: Displays the dynamic graph of processes generated by the ANY.RUN malware analyzing service.

Figure 2: Even more information about the execution of the malware can be found in this customizable text report generated by ANY.RUN.

Predator the Thief execution process

Predator's execution process is quite simple and straightforward. As soon as the stealer starts, it begins collecting information from the system. The stolen information is written into files, which are later compressed into a single archive. Predator then sends the compressed file to its command and control server. After the file is sent, the malware terminates execution and sometimes deletes itself.

Distribution of Predator the Thief

Predator trojan gets into the machines of its victims disguised as a harmless document. It may enter the machine in a .ZIP file which contains an executable disguised as a document or useful program with a name that tricks the potential victim into interacting with it.

In other cases, the malware exploits the vulnerability in the UNACEV2.dll library of WinRAR. Here the victim is presented with multiple .PNG images whose purpose is to hide the fact that a malicious file has been placed in the startup folder, where it will be executed the next time the system starts. Another common method of Predator the Thief distribution is through links to legitimate websites such as cdn.discordapp.com, raw.githubusercontent.com, and others.

How to detect Predator the Thief using ANY.RUN?

Some malware creates files in which it names itself. You can often find such information about Predator the Thief using ANY.RUN's "Static Discovering". Open the "Files" tab in the lower part of the task's window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the "Information.txt" file.

Figure 3: Static discovering of the file "Information.txt" created by Predator the Thief
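The execution chain described above (collection files, a single archive, a connection to the C2, then termination and sometimes self-deletion) and the "Information.txt" artifact from this section can be turned into a simple behaviour-based check. The following is an added example, not code from ANY.RUN or from the write-up; the event format, field names, file paths, pids and the address are constructed assumptions, as is the set of archive extensions.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Event:
    """One behaviour event from a sandbox run (constructed format, an assumption)."""
    pid: int
    op: str        # "file_create", "net_connect", "file_delete" or "proc_exit"
    target: str    # file path, "ip:port", or "" for proc_exit
    image: str = ""  # executable path of the process, when the sensor reports it

ARCHIVE_EXT = (".zip", ".rar", ".7z")  # assumed archive types

def score_process(events: List[Event], pid: int) -> Dict[str, bool]:
    """Walk one process's events in order and note which stages of the
    described chain occur in sequence: collection file -> archive ->
    outbound connection -> deletion of the process's own executable."""
    stages = {"info_file": False, "archive": False, "exfil": False, "self_delete": False}
    image = ""
    for ev in (e for e in events if e.pid == pid):
        image = ev.image or image
        t = ev.target.lower()
        if ev.op == "file_create" and t.endswith("information.txt"):
            stages["info_file"] = True
        elif ev.op == "file_create" and stages["info_file"] and t.endswith(ARCHIVE_EXT):
            stages["archive"] = True
        elif ev.op == "net_connect" and stages["archive"]:
            stages["exfil"] = True
        elif ev.op == "file_delete" and image and t == image.lower():
            stages["self_delete"] = True
    return stages

def verdict(stages: Dict[str, bool]) -> str:
    """Collection file + archive + outbound connection is the core chain;
    self-deletion only strengthens it, since the stealer only sometimes deletes itself."""
    if stages["info_file"] and stages["archive"] and stages["exfil"]:
        return "high" if stages["self_delete"] else "medium"
    return "none"

# Constructed sample run: paths, pids and the address are made up for this example.
SAMPLE = [
    Event(4120, "file_create", r"C:\Users\u\AppData\Local\Temp\Information.txt", r"C:\Users\u\Downloads\invoice.exe"),
    Event(4120, "file_create", r"C:\Users\u\AppData\Local\Temp\passwords.txt"),
    Event(4120, "file_create", r"C:\Users\u\AppData\Local\Temp\report.zip"),
    Event(4120, "net_connect", "203.0.113.10:80"),
    Event(4120, "file_delete", r"C:\Users\u\Downloads\invoice.exe"),
    Event(5000, "file_create", r"C:\Users\u\Documents\backup.zip", r"C:\Program Files\7-Zip\7z.exe"),
    Event(5000, "net_connect", "203.0.113.20:443"),
]
```

The ordering matters: an archive created before any collection file, or a connection made before any archive, does not advance the chain, which keeps the benign archiver in the sample (pid 5000) at "none".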

Summary

Predator the Thief may not be the most complex information stealer on the planet, and it is also one of the cheapest options currently on the market. Despite that, the authors of this malicious program show a strong dedication to their business and spend a lot of time and energy producing meaningful updates, marketing their creation in underground communities, providing set-up services and building admin panels upon request. Above all, this means that Predator is becoming not only a more and more popular stealer, but also a dangerously accessible one.

Bearing in mind that most attack vectors involved documents structured around business topics, this puts small company owners at the biggest risk, since cyber defense is sometimes lacking in smaller companies.

To help the situation and make this threat less dangerous, cybersecurity researchers can use the tools that the ANY.RUN malware hunting service provides to professionals and students to crack the code of Predator the Thief. ANY.RUN streamlines the malware analysis process and enables analysts to complete research projects faster and more efficiently without compromising the quality of results. Hopefully, together we will mitigate the threat posed by Predator and other similar information stealers.

IOCs
