ThirdEye Windows Malware
admin 9 months ago

ThirdEye: A New Malware Targeting The Windows systems

Fortinet FortiGuard Labs researchers have discovered a new Windows malware that steals sensitive data from infected computers. They named it "ThirdEye" and noted that the software had not previously appeared in antivirus databases.

The distribution method of this malicious code is not yet known, but it apparently relies on phishing campaigns. The researchers found it in an executable file disguised as a PDF document with the Russian name "CMK Rules for issuing sick leave.pdf.exe". The first sample of ThirdEye was uploaded to VirusTotal on April 4, 2023 and had relatively little functionality.

ThirdEye is able to collect system metadata such as the BIOS release date and manufacturer, total and free space on the C drive, running processes, usernames and volume information. The collected data is then transferred to the attackers' C2 server. The distinguishing feature of the malicious code is that it uses the string "3rd_eye" when communicating with the C2 server.


So far, there is no indication that ThirdEye has been actively used in cyberattacks. However, most of the malware samples were uploaded to VirusTotal from Russia, which may indicate that the hackers are targeting Russian-speaking organizations.


"Although this malicious code is not sophisticated, it is designed to steal various information from infected machines, which can be used as a starting point for future attacks," Fortinet researchers said, adding that the data collected is "valuable for understanding and narrowing down potential targets."


This is not the only example of malicious code that has recently targeted Windows users. Fake installers of the popular video game Super Mario Bros, hosted on suspicious torrent sites, were previously found to distribute cryptocurrency miners and an open-source information stealer called Umbral, written in C#, which exfiltrates data of interest via Discord webhooks.


"The combination of mining and data theft results in financial losses, a significant decrease in the performance of the victim's system, and the depletion of valuable system resources," Cyble said.


Recently, video game users have also fallen victim to a Python-based ransomware and remote access trojan (RAT) called SeroXen, which uses a commercial batch file obfuscation engine, ScrubCrypt (aka BatCloak), to avoid detection. There is evidence that actors associated with the development of SeroXen were also involved in the creation of ScrubCrypt.


It is extremely important to remain vigilant and not open dubious files received from unknown senders or downloaded from suspicious sites, especially if they have a double extension such as ".pdf.exe". It is also recommended to use a reliable antivirus and update it regularly to protect your information from new threats.
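Two of the details above are directly usable on the defensive side: the lure is an executable hiding behind a document-style double extension (Windows Explorer hides known extensions by default, so "name.pdf.exe" is shown as "name.pdf"), and the C2 traffic carries the literal string "3rd_eye". The following Python script is an added example, not code from the original post or from Fortinet; it flags double-extension lures in a list of filenames and searches constructed proxy log lines for the "3rd_eye" marker. The log format and the exact position of the marker in the request are assumptions, since the article does not describe the C2 protocol.

```python
from typing import Dict, List

# Extensions that make a file look like a harmless document or image.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
# Extensions Windows will actually execute when the file is double-clicked.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs", "hta"}

# String the article reports ThirdEye uses in its C2 communication.
C2_MARKER = "3rd_eye"

# Constructed sample proxy log (timestamp, client IP, method, URL, status).
# Hostnames, addresses and the placement of the marker are invented for the demo.
SAMPLE_PROXY_LOG = """\
2023-04-04T10:15:02Z 10.0.0.12 GET http://update.example.invalid/check?id=3rd_eye 200
2023-04-04T10:15:05Z 10.0.0.13 GET http://www.example.org/index.html 200
2023-04-04T10:16:41Z 10.0.0.12 POST http://update.example.invalid/upload?tag=3rd_eye 200
2023-04-04T10:17:09Z 10.0.0.14 GET http://www.example.org/news 200
"""


def is_double_extension_lure(filename: str) -> bool:
    """True when the last extension is executable and the one before it
    looks like a document, e.g. "report.pdf.exe" or "photo.jpg.scr"."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False  # fewer than two extensions, nothing to hide behind
    _, inner, outer = parts
    return inner in DOCUMENT_EXTENSIONS and outer in EXECUTABLE_EXTENSIONS


def triage_filenames(filenames: List[str]) -> List[str]:
    """Return only the filenames that match the double-extension pattern."""
    return [name for name in filenames if is_double_extension_lure(name)]


def find_c2_marker_hits(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line that contains the C2 marker string.

    Each record keeps the timestamp and client address so an analyst can
    pivot to the host that generated the request.
    """
    hits = []
    for line in log_text.splitlines():
        if C2_MARKER not in line:
            continue
        fields = line.split()
        hits.append({"timestamp": fields[0], "client": fields[1], "line": line})
    return hits


if __name__ == "__main__":
    # The first name is the lure filename reported in the article; the rest are constructed.
    candidates = [
        "CMK Rules for issuing sick leave.pdf.exe",
        "quarterly-report.pdf",
        "archive.tar.gz",
        "holiday.jpg.scr",
    ]
    for name in triage_filenames(candidates):
        print(f"[double-extension lure] {name}")
    for hit in find_c2_marker_hits(SAMPLE_PROXY_LOG):
        print(f"[c2 marker] {hit['timestamp']} {hit['client']}")
```

In practice the filename check belongs in a mail gateway or endpoint attachment policy, and the marker search is a starting point for a proxy or IDS content rule; a single hit on "3rd_eye" is a strong signal only because the string is unusual, so pair it with the destination host before escalating.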
