Malvertising campaign leads to PS1Bot, a multi-stage malware framework

Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework, implemented in PowerShell and C#, which we are referring to as “PS1Bot.”

One interesting piece of functionality included with the information stealer is a scanner that is designed to identify and exfiltrate files containing sensitive information. The script contains a large wordlist of English words. We have also observed variants of the grabber module that contain wordlists targeting other languages, such as Czech. Additionally, we have observed versions that contain multiple wordlists targeting different cryptocurrency wallet seed phrase combinations.

This wordlist is designed to be used to identify files that may contain cryptocurrency wallet seed phrases, which can be used to regain access to wallets in the case that the primary authentication method is unavailable. This is performed by iterating through the file system on local hard drives, identifying files matching specific file extensions and file sizes, and then scanning them for the presence of multiple string values matching the wordlist.

To read the complete article see: link