Many threat actors are moving away from a shotgun approach and opting for more targeted attacks after carefully researching potential targets and developing specialized malware. BlackGuard Infostealer is an example of this business model. Sold as Malware-as-a-Service (MaaS), BlackGuard Infostealer is distinctly different from its family relatives. Its hyper-focused functions target web browsers, cryptocurrency services, and crypto wallets. Despite having fewer capabilities than many infostealers, BlackGuard still collects a wealth of user data.
To extract critical information from a victim's device, such as the user's IP address, country/location, hardware identification (HWID), operating system (OS), and log data (of the infection), BlackGuard uses specific functions resembling those of the Arkei Infostealer and Bhunt Scavenger malware. It also targets virtual private network (VPN) clients, instant messaging (IM) services, FTP clients, and voice-over-internet protocol (VoIP) services. Regarding VPNs, BlackGuard seeks out two popular applications: OpenVPN and NordVPN. BlackBerry analysts have identified new functions, such as features that evaluate high-value targets and checks for the default browser.
BlackGuard Infostealer targets Windows® operating system users. To evade detection, the malware developers incorporated both anti-analysis and anti-detection check functions. If specific Dynamic-Link Library (.DLL) files are detected, the malware attempts to terminate itself. A complete .DLL file list is available in our research report on BlackGuard Infostealer.
BlackBerry evaluates BlackGuard Infostealer as a potential medium-impact, and medium-risk level threat to network security.
BlackGuard Infostealer Defeated by BlackBerry
Watch the brief video below to see how BlackGuard Infostealer is defeated by the BlackBerry® artificial intelligence (AI) powered endpoint protection platform (EPP) solution, CylancePROTECT®.