Predator the Thief

Predator the Thief is an information stealer: malware that collects data from infected systems. It can access the webcam to spy on victims, steal passwords and login data, and pull payment data from cryptocurrency wallets.

Type: Stealer
Origin: ex-USSR
First seen: 1 July, 2018
Last seen: 8 October, 2021
Global rank: 28
Week rank: 43
Month rank: 43
IOCs: 4290

What is Predator the Thief?

Predator the Thief is malware of the information-stealer class, which attackers use to collect data from infected machines. The Predator trojan can steal passwords and crypto-wallet data, access the webcam to capture images of the machine's owner, and more.

Like other malicious programs in the stealer class, Predator the Thief is a fairly basic program whose core has not changed much since its first version, developed by a user known as Alexuiop1337 around July 2018. Accordingly, it does not pose a significant threat to corporations with adequate security controls, but it can devastate careless private users.

General description of Predator the Thief

Researchers believe that Predator the Thief was developed by Russian-speaking actors, as it mostly appears for sale on Russian-language forums, where it was originally offered for a meager price of around $30. At the time of publication the price had risen to $150. Each purchase includes a builder and everything needed to run a campaign. The malware authors distribute the builder themselves but have not been observed conducting attacks directly.

The malware was first promoted by an individual using the alias "Alexuiop1337", who still actively posts about it; at one point he switched to another handle, "Kongress_nlt". A Telegram user, "sett9", is also affiliated with the operation and may be "Kongress_nlt" himself. The latest news about Predator, including every update to the malware, is posted on a dedicated Telegram channel, "@PredatorSoftwareChannel".

The authors do update the malware frequently, adding functions and issuing fresh, undetected builds to evade discovery. For an extra fee they also set up backend administration panels for clients. Notably, one update reworked the code from the ground up to make Predator what its authors call "fileless", meaning the stealer is meant to run without dropping its own components to disk, which makes it harder to spot. Read the term narrowly: as the execution analysis below shows, the stealer still writes the data it collects (for example Information.txt) to disk before archiving and uploading it, so file-creation telemetry remains useful for detection. Either way, the longer the stealer runs unnoticed, the more sensitive data it can take.

For browser data, Predator the Thief focuses mainly on Chrome, Opera and Firefox-based browsers and uses standard techniques to extract it. The malware also targets wallets for the following cryptocurrencies:

  • Ethereum
  • Multibit
  • Electrum
  • Armory
  • Bytecoin
  • Bitcoin
  • And others…

It also pulls credentials from FileZilla and WinFTP. Another trick Predator has up its sleeve is an anti-VM check that terminates execution immediately if the malware detects that it is running in a virtual machine. The feature exists to complicate analysis and slow down research; when sandboxing a sample, make sure the environment does not expose obvious virtualisation artifacts, or the run will end before any behaviour is recorded.

Despite these functions, and although Predator can steal data from many sources, it is still considered relatively primitive compared to some other stealers, which is unsurprising given its low price. While it may not punch through the defences of most large corporations, small businesses and individuals can still suffer serious damage from a Predator infection.

Predator the Thief malware analysis

A video recorded in the ANY.RUN malware hunting service displays the execution process of Predator the Thief, allowing one to examine it in a convenient and safe environment.

process graph of predator the thief execution

Figure 1: Displays the dynamic graph of processes generated by the ANY.RUN malware analyzing service.

text report of the predator the thief analysis

Figure 2: Even more information about the execution of malware can be found in this customizable text report generated by ANY.RUN.

Predator the Thief execution process

Predator's execution process is straightforward. As soon as the stealer starts, it begins collecting information from the system. The stolen data is written to files, which are then compressed into a single archive. Predator then sends the archive to its command-and-control (C2) server. Once the upload completes, the malware terminates and sometimes deletes itself.
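The chain above (stage loot files, archive them, upload, optionally self-delete) is a good behavioural signature because it does not depend on a particular sample hash. The following Python is an added example, not ANY.RUN code and not Predator's own code: it runs that logic over a constructed sandbox-style trace. The event schema (dicts with ts, pid, op and op-specific keys), the file names and the control processes are all assumptions standing in for whatever EDR or sandbox export you actually have.

```python
"""Behavioural detection for the stealer execution chain described above.

Added example; not ANY.RUN code and not Predator's own code.  The event
schema (dicts with 'ts', 'pid', 'op' and op-specific keys) is an assumption
standing in for a real EDR or sandbox trace.
"""
import ntpath
from collections import defaultdict

ARCHIVE_EXT = (".zip", ".7z", ".rar")
# File name Predator writes while staging loot (see "Static Discovering" below).
KNOWN_STAGE_FILES = {"information.txt"}

# Constructed sample trace, not a real capture.  pid 100 behaves like the
# stealer; pid 200 (an archiver) and pid 300 (an editor) are benign controls.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 100, "op": "process_start", "image": r"C:\Users\victim\Downloads\invoice.exe"},
    {"ts": 2, "pid": 100, "op": "file_write", "path": r"C:\Users\victim\AppData\Local\Temp\ptst\Information.txt"},
    {"ts": 3, "pid": 100, "op": "file_write", "path": r"C:\Users\victim\AppData\Local\Temp\ptst\browsers.txt"},
    {"ts": 4, "pid": 100, "op": "file_write", "path": r"C:\Users\victim\AppData\Local\Temp\ptst\wallets.txt"},
    {"ts": 5, "pid": 100, "op": "file_write", "path": r"C:\Users\victim\AppData\Local\Temp\ptst.zip"},
    {"ts": 6, "pid": 100, "op": "net_connect", "dst": "141.8.192.151", "port": 80},
    {"ts": 7, "pid": 100, "op": "file_delete", "path": r"C:\Users\victim\Downloads\invoice.exe"},
    {"ts": 8, "pid": 100, "op": "process_exit"},
    {"ts": 1, "pid": 200, "op": "process_start", "image": r"C:\Program Files\7-Zip\7z.exe"},
    {"ts": 2, "pid": 200, "op": "file_write", "path": r"C:\Users\victim\Documents\report.zip"},
    {"ts": 3, "pid": 200, "op": "process_exit"},
    {"ts": 1, "pid": 300, "op": "process_start", "image": r"C:\Windows\notepad.exe"},
    {"ts": 2, "pid": 300, "op": "file_write", "path": r"C:\Users\victim\Documents\a.txt"},
    {"ts": 3, "pid": 300, "op": "file_write", "path": r"C:\Users\victim\Documents\b.txt"},
    {"ts": 4, "pid": 300, "op": "file_write", "path": r"C:\Users\victim\Documents\c.txt"},
    {"ts": 5, "pid": 300, "op": "process_exit"},
]


def _is_archive(path):
    return path.lower().endswith(ARCHIVE_EXT)


def detect_stealer_chain(events, min_staged=3):
    """Return {pid: [stages]} for processes that stage files, archive them and
    then make an outbound connection, in that order.  'self_delete' is added
    as an extra stage when the process removes its own image afterwards."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)

    findings = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        image = next((e["image"].lower() for e in evs if e["op"] == "process_start"), "")
        stages = []

        # Stage 1: several loot files, or a known loot file name, written into one directory.
        staging_ts = None
        per_dir = defaultdict(list)
        for e in evs:
            if e["op"] == "file_write" and not _is_archive(e["path"]):
                per_dir[ntpath.dirname(e["path"]).lower()].append(e)
        for writes in per_dir.values():
            names = {ntpath.basename(w["path"]).lower() for w in writes}
            if len(writes) >= min_staged or names & KNOWN_STAGE_FILES:
                staging_ts = writes[0]["ts"]
                stages.append("staging")
                break

        # Stage 2: an archive is created after staging started.
        archive_ts = None
        if staging_ts is not None:
            archive_ts = next((e["ts"] for e in evs
                               if e["op"] == "file_write" and _is_archive(e["path"])
                               and e["ts"] >= staging_ts), None)
            if archive_ts is not None:
                stages.append("archive")

        # Stage 3: outbound connection once the archive exists (the upload to C2).
        if archive_ts is not None and any(e["op"] == "net_connect" and e["ts"] >= archive_ts for e in evs):
            stages.append("exfil")

        # Stage 4 (optional): the process deletes its own executable.
        if image and any(e["op"] == "file_delete" and e["path"].lower() == image for e in evs):
            stages.append("self_delete")

        if {"staging", "archive", "exfil"} <= set(stages):
            findings[pid] = stages
    return findings


if __name__ == "__main__":
    for pid, stages in detect_stealer_chain(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {' -> '.join(stages)}")
```

Only pid 100 is reported, with all four stages; the archiver and the editor each satisfy one stage but not the ordered sequence. Expect backup and sync clients to trip this too, so pair it with image-reputation or signing checks before paging anyone, and note that the "fileless" marketing above does not remove the file writes this rule keys on.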

Distribution of Predator the Thief

The Predator trojan reaches its victims' machines disguised as a harmless document. It often arrives in a .ZIP archive containing an executable that poses as a document or a useful program, with a file name chosen to trick the victim into opening it.

In other cases the malware abuses the path-traversal vulnerability in WinRAR's UNACEV2.dll library (CVE-2018-20250). Here the victim is shown a set of .PNG files, which distracts from the fact that the malicious executable has been written to the Startup folder, so it runs at the next reboot or login. Predator the Thief is also commonly distributed via links to files hosted on legitimate services such as cdn.discordapp.com and raw.githubusercontent.com.
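Whatever unpacker bug is abused, the Startup-folder drop shows up in the member names the archive declares: a traversal or absolute path ending under Start Menu\Programs\Startup, often beside decoy images and an executable with a double extension. The following Python is an added example, not ANY.RUN tooling, that triages a listing of member names on those grounds. It works on names only (so it applies to ACE, ZIP or RAR listings alike); the sample listing is constructed for the example.

```python
"""Triage of archive member names for the drop-to-Startup lure described above.

Added example, not ANY.RUN code.  It inspects the member names an archive
declares, whatever the format, so it does not depend on which unpacker bug
is being abused.  The sample listing below is constructed.
"""
import ntpath
import re

STARTUP_MARKER = r"start menu\programs\startup"
# A "document" extension immediately followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(png|jpe?g|gif|pdf|docx?|xlsx?|txt)\.(exe|scr|com|bat|cmd|js|vbs|ps1|lnk)$")
DRIVE_OR_ROOT = re.compile(r"^(?:[a-z]:|\\)")

# Constructed listing in the style of the lure: decoy images plus one
# executable aimed at the user's Startup folder.
SAMPLE_MEMBERS = [
    "photos/cat1.png",
    "photos/cat2.png",
    "photos/cat3.png",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    "readme.png.exe",
]


def classify_archive_entry(name):
    """Return the reasons a member name looks like a planted dropper
    (an empty list means the name itself is unremarkable)."""
    low = name.replace("/", "\\").lower()
    reasons = []
    if DRIVE_OR_ROOT.match(low):
        reasons.append("absolute_path")      # escapes the extraction directory outright
    if ".." in low.split("\\"):
        reasons.append("traversal")          # climbs out of the extraction directory
    if STARTUP_MARKER in low:
        reasons.append("startup_folder")     # lands in a per-user autorun location
    if DOUBLE_EXT.search(ntpath.basename(low)):
        reasons.append("double_extension")   # executable masquerading as an image/document
    return reasons


def triage_archive(member_names):
    """Map each suspicious member name to its reasons; benign names are omitted."""
    flagged = {}
    for name in member_names:
        reasons = classify_archive_entry(name)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_archive(SAMPLE_MEMBERS).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run it over the member list from whatever tool lists the archive at your mail gateway or in triage; a traversal hit combined with a startup_folder hit is the signature of this specific trick, while double_extension alone is the plain "executable as document" lure from the paragraph before.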

How to detect Predator the Thief using ANY.RUN?

Some malware creates files in which it names itself. For Predator the Thief you can often find such information with ANY.RUN's "Static Discovering": open the "Files" tab in the lower part of the task window, or click on the process and then on the "More Info" button in the window that appears. Then click on the "Information.txt" file.

predator the thief static discovering

Figure 3: Static discovering of the file "Information.txt" created by Predator the Thief

Summary

Predator the Thief may not be the most complex information stealer around, and it is one of the cheapest on the market. Even so, its authors show strong dedication to their business: they spend considerable time producing meaningful updates, marketing the product in underground communities, providing set-up services and building admin panels on request. As a result, Predator is becoming an increasingly popular and dangerously accessible stealer.

Given that most observed lures are documents built around business topics, small companies are at the greatest risk, since their defences are often weaker.

To make this threat less dangerous, researchers can use the tools the ANY.RUN malware hunting service provides to professionals and students to pick apart Predator the Thief. ANY.RUN streamlines malware analysis and lets analysts complete research faster without compromising the quality of results. Together we can mitigate the threat posed by Predator and similar information stealers.

IOCs

IP addresses
141.8.192.151
199.59.242.153
141.8.193.236
92.119.113.140
185.178.208.142
185.107.56.195
81.177.141.161
185.178.208.162
185.50.25.50
103.224.212.222
81.177.135.161
31.220.41.16
92.53.96.237
141.8.192.58
141.8.197.42
141.8.192.31
185.178.208.182
164.132.207.80
185.27.134.112
141.8.194.191
Hashes
a62050761c16ef70abf305a79d1f45869e6ea230ed88cf21794b3f68f693b347
42a7924ec694d6871f2380cddd3f82464f8bf1ea4a60e0449118a1e8a7eb91ec
a55e5a6409347f54ca044e1c163aee41a55377c23c7b831397b59dcbef33647c
561760568f0a8ad75775986bb0506b8e6c7c1d414b699724e4a66bde7ca88388
bfab78db5ff9d628bce8a80d922d0b2960854a9f44084907e642e1e40b1c2cdf
457e1c712305460a0ab2efe9b7fe3c4ce94c49f087eafd9798ee7e294e7c1237
e0a79f643ca57d0804b2ec37c4e44dc333a3e6377c00411dfc3b37d8f5003387
ab5d32846d6b9b281a1ea0a7c2f11890fad6800bcf034cc75f8b7d3b6a669795
36bb7d662131f55865a6b2074c9bd1ef24c52290cdec5cfcd0832545d281c559
a514a686a26c18ff4c4a695832414ad493233b873b1eba088f9a2f782521e23a
a1764715a196fcfa615ec11bf86a0e4f9848f6f4125bafcae89d7bc401246abc
ce4496818413afef25e97cf962a63e0c541bd084374cf25e701d59825c5e02b9
74664b7a4dbc5cee13601fa90f4d8de5743ab8797d3d7e78c6cfce300ae1059f
d3e9f13661594f69e5ed20e381108125c1ed9cbd18a6cc6fa58b78f98a450430
87fd931f80289615df52cc9c51c5c788d34cd7b74f55f90ee447a370c74ea51e
025d8c812eac800fef23a4e5b72d31d0a76a13b64910882d02065b6368ab1ea7
0b9f635e4fdcd604301232cbf99882303bded31ab572e692b688f10cac5677a0
6c5d7642a58d60f603a1931f20977219becef21e957641a250c272c3fab74b2d
b935689b73080cbb9e705e0e598554d1551803e405607ceeabafe763aa6f9977
73cf0383a1dc61d851478d5c12408f19a426dd6da3b347135d0d02a30b4e7545
Domains
isns.net
tcp.ngrok.io
66d5a675.ngrok.io
qxq.ddns.net
f0556195.xsph.ru
f0542299.xsph.ru
f0550461.xsph.ru
f0549750.xsph.ru
f0549925.xsph.ru
f0533712.xsph.ru
f0545380.xsph.ru
f0542710.xsph.ru
f0546032.xsph.ru
f0544857.xsph.ru
f0514964.xsph.ru
f0542403.xsph.ru
f0541979.xsph.ru
f0505180.xsph.ru
f0507288.xsph.ru
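Indicators are only useful once they are run against telemetry. The following Python is an added example, not ANY.RUN tooling: it matches a subset of the IPs, hashes and domains listed above against constructed DNS, proxy and EDR log lines. The IOC sets hold only a few entries copied from the lists above (extend them with the full lists), the log format is an assumption, and the xsph.ru name pattern is a heuristic derived from the shape of the listed hosts rather than an indicator from the page.

```python
"""Hunting for the IOCs listed above in constructed log lines.

Added example, not ANY.RUN tooling.  The IOC sets hold a subset copied from
the lists above (extend them with the full lists); the log lines and their
format are constructed for the example.
"""
import re

IOC_IPS = {"141.8.192.151", "199.59.242.153", "92.119.113.140", "185.178.208.142"}
IOC_DOMAINS = {"tcp.ngrok.io", "66d5a675.ngrok.io", "qxq.ddns.net", "f0556195.xsph.ru"}
IOC_SHA256 = {
    "a62050761c16ef70abf305a79d1f45869e6ea230ed88cf21794b3f68f693b347",
    "42a7924ec694d6871f2380cddd3f82464f8bf1ea4a60e0449118a1e8a7eb91ec",
    "a55e5a6409347f54ca044e1c163aee41a55377c23c7b831397b59dcbef33647c",
}
# Heuristic derived from the naming of the listed xsph.ru hosts (f0 + six
# digits).  Weaker than an exact match: unrelated tenants of that hosting will
# also match, so treat these hits as leads, not verdicts.
XSPH_PATTERN = re.compile(r"^f0\d{6}\.xsph\.ru$")

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I)
SHA256 = re.compile(r"\b[0-9a-f]{64}\b", re.I)

# Constructed log lines (DNS, proxy and EDR style); none are real captures.
SAMPLE_LOGS = [
    "2021-10-08T10:02:11Z dns client=10.0.0.5 query=f0556195.xsph.ru type=A",
    "2021-10-08T10:02:12Z proxy src=10.0.0.5 dst=141.8.192.151:80 method=POST bytes_out=48211",
    "2021-10-08T10:05:40Z dns client=10.0.0.7 query=f0123456.xsph.ru type=A",
    "2021-10-08T10:06:01Z edr host=WS07 sha256=A62050761C16EF70ABF305A79D1F45869E6EA230ED88CF21794B3F68F693B347 path=C:\\Users\\u\\Downloads\\doc.exe",
    "2021-10-08T10:07:00Z dns client=10.0.0.9 query=www.example.com type=A",
]


def scan_line(line):
    """Return [(kind, value), ...] for every IOC found in one log line."""
    hits = []
    for ip in IPV4.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for host in HOST.findall(line):
        h = host.lower()
        if h in IOC_DOMAINS:
            hits.append(("domain", h))          # exact match on a listed host
        elif XSPH_PATTERN.match(h):
            hits.append(("domain_pattern", h))  # same naming scheme, lower confidence
    for digest in SHA256.findall(line):
        if digest.lower() in IOC_SHA256:
            hits.append(("sha256", digest.lower()))
    return hits


def scan(lines):
    """Return [(line_number, hits)] for lines that contain at least one IOC."""
    out = []
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            out.append((i, hits))
    return out


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOGS):
        print(f"line {i}: {hits}")
```

Four of the five constructed lines produce hits; the third is reported only as a pattern match, which is the kind of lead you verify against the full list and passive DNS before acting. Hash comparison is case-insensitive because EDR products disagree on casing.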
