Trade with caution – bad guys are stealing


Threats continue to evolve in complexity and scale as cyber criminals regularly come up with new ideas and find new ways to target their victims.

Modern information stealer families such as RedLine, RecordBreaker, ArkeiStealer, Vidar, Satacom and BatLoader are often sold through Malware-as-a-Service (MaaS) models, and their operators continuously update them while varying the initial attack vectors.

ThreatLabz discovered that threat actors are now distributing ArkeiStealer through Windows Installer binaries that masquerade as a trading application. The trading application is backdoored with the SmokeLoader downloader, which in turn downloads an information stealer. In May 2021, in a similar campaign, ThreatLabz identified a fake TradingView website and a backdoored TradingView application associated with the MineBridge RAT campaign [1].

Key Points

ThreatLabz was able to flag malicious activity to an IP address based on its C2 beaconing characteristics and a low domain and ASN reputation.
It also discovered a recently registered domain spoofing the official TradingView website.
It was able to identify that the actual malware was embedded inside the TradingView Desktop Application.
The actual malware and the…
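The first key point above says the malicious IP address was flagged on C2 beaconing characteristics. The Python script below is an added example, not code from ThreatLabz or from the write-up, showing the simplest form of that check: group outbound connections by source, destination and host, measure the gaps between successive connections, and report flows whose timing is too regular to be human browsing. The proxy log lines, host names, IP addresses and the thresholds (minimum of five connections, coefficient of variation at most 0.15) are all constructed assumptions for this illustration.

```python
"""Flag periodic outbound connections (C2-style beaconing) in proxy logs.

Added illustration; not code from the ThreatLabz write-up. The log lines
below are constructed sample data and the thresholds are assumptions
chosen for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<timestamp> <src_ip> <dst_ip> <dst_host>"
# 10.0.0.5 contacts 203.0.113.9 almost exactly once a minute (beacon-like),
# and contacts 198.51.100.7 at irregular, human-looking intervals.
SAMPLE_LOG = """\
2023-04-01T10:00:00 10.0.0.5 203.0.113.9 app-update.example
2023-04-01T10:00:12 10.0.0.5 198.51.100.7 cdn.example.org
2023-04-01T10:01:00 10.0.0.5 203.0.113.9 app-update.example
2023-04-01T10:02:01 10.0.0.5 203.0.113.9 app-update.example
2023-04-01T10:03:00 10.0.0.5 203.0.113.9 app-update.example
2023-04-01T10:03:45 10.0.0.5 198.51.100.7 cdn.example.org
2023-04-01T10:04:00 10.0.0.5 203.0.113.9 app-update.example
2023-04-01T10:05:00 10.0.0.5 203.0.113.9 app-update.example
2023-04-01T10:09:30 10.0.0.5 198.51.100.7 cdn.example.org
2023-04-01T10:21:10 10.0.0.5 198.51.100.7 cdn.example.org
"""


def parse_log(text):
    """Yield (timestamp, src, dst, host) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, host = line.split()
        yield datetime.fromisoformat(ts), src, dst, host


def find_beacons(text, min_connections=5, max_cv=0.15):
    """Return [(src, dst, host, mean_gap_seconds, cv)] for periodic flows.

    A flow is reported when it has at least `min_connections` connections and
    the coefficient of variation (stdev / mean) of the gaps between them is
    at most `max_cv`, i.e. the timing is too regular to look like a person.
    Both thresholds are assumed values for this example.
    """
    flows = defaultdict(list)
    for ts, src, dst, host in parse_log(text):
        flows[(src, dst, host)].append(ts)

    results = []
    for (src, dst, host), stamps in flows.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            results.append((src, dst, host, round(avg, 1), round(cv, 3)))
    return results


if __name__ == "__main__":
    for src, dst, host, avg, cv in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {src} -> {dst} ({host}) every ~{avg}s, cv={cv}")
```

On the constructed log this reports only the once-a-minute flow to 203.0.113.9; the four irregular requests to the CDN host are skipped because they neither reach the minimum count nor show stable spacing. In practice the periodicity score is one input that is combined with the other signals the key point names, such as the reputation of the destination domain and ASN and the registration age of the domain, before an address is treated as a C2 server.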
