Braodo Stealer, a Python-based malware, has been causing widespread damage since early 2024, affecting users globally with a notable impact in the US, Czechia, Germany, the Netherlands, Singapore, and the United Kingdom.
First identified by CYFIRMA Research and Advisory Team, and later reiterated by cybersecurity researcher g0njxa, Braodo Stealer utilizes advanced methods to pilfer credentials and cookies, propagating through deceptive phishing and spear-phishing emails.
The CYFIRMA team made an interesting discovery: they found an open directory hosting Braodo Stealer, which turned out to be heavily obfuscated.
The malware is capable of spreading through various methods, such as batch scripts, PowerShell, executables, HTA, and PDF files. Several GitHub repositories and a VPS server based in Singapore were found to be important hosts for the malware.
Additionally, an IP range that had been used in the past for creating fake Vietnamese government websites was also involved.

The team discovered several GitHub repositories and an open directory HTTP server at IP: 103.54.153.116. This confirmed that the malware's main purpose was to steal browser data.
Technical Insights and Modus Operandi
Braodo Stealer operates discreetly, revealing its true nature as it retrieves a secondary payload from GitHub. When executed, it runs multiple instances of PowerShell and cmd.exe.
This chain then leads to the execution of a Python script called 'sim.py' that focuses on gathering browser data, specifically cookies and credentials. The harvested data is stored and forwarded to a Telegram channel managed by bots.
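The execution chain described above (a shell spawning a Python interpreter that runs a script, reads browser profile data, and then contacts the Telegram Bot API) lends itself to simple behavioural detection. The following is an added example written for this article, not code from CYFIRMA or g0njxa: it correlates constructed endpoint telemetry per process and only raises a finding when at least two of the three indicators line up, so an administrator legitimately running a Python script from PowerShell is not flagged on its own. The event fields, host names, PIDs and file paths are constructed sample data and assumptions, not real telemetry from the campaign.

```python
"""Toy behavioural detection for a shell -> Python -> browser data -> Telegram chain.

All events below are constructed sample data (not real telemetry); the Event
field names are an assumption standing in for whatever EDR/Sysmon schema is in use.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable

# Parent processes that the article describes launching the Python stage.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
PYTHON = {"python.exe", "pythonw.exe"}
# The article names Telegram bots as the exfiltration channel.
EXFIL_HOSTS = {"api.telegram.org"}
# Directory fragments common to the browser profiles the article lists
# (Chrome/Edge/Brave/Chromium/Opera use "User Data"; Firefox uses "Profiles").
BROWSER_STORE_HINTS = (
    "\\user data\\",
    "\\mozilla\\firefox\\profiles\\",
    "\\opera software\\",
    "\\bravesoftware\\",
)


@dataclass
class Event:
    host: str
    kind: str                # "process", "file" or "network"
    pid: int
    image: str               # basename of the executing image
    parent_image: str = ""   # process events only
    cmdline: str = ""        # process events only
    path: str = ""           # file events only
    dest_host: str = ""      # network events only


@dataclass
class Finding:
    host: str
    pid: int
    indicators: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.indicators)


def find_stealer_chains(events: Iterable[Event], min_score: int = 2) -> list[Finding]:
    """Correlate events per (host, pid) and return processes matching >= min_score indicators."""
    candidates: dict[tuple[str, int], Finding] = {}
    for ev in events:
        key = (ev.host, ev.pid)
        image = ev.image.lower()
        if (ev.kind == "process" and image in PYTHON
                and ev.parent_image.lower() in SHELLS and ".py" in ev.cmdline.lower()):
            finding = candidates.setdefault(key, Finding(ev.host, ev.pid))
            finding.indicators.append(f"shell spawned Python script: {ev.cmdline}")
        elif ev.kind == "file" and key in candidates:
            if any(hint in ev.path.lower() for hint in BROWSER_STORE_HINTS):
                candidates[key].indicators.append(f"browser profile access: {ev.path}")
        elif ev.kind == "network" and key in candidates:
            if ev.dest_host.lower() in EXFIL_HOSTS:
                candidates[key].indicators.append(f"Telegram API connection: {ev.dest_host}")
    return [f for f in candidates.values() if f.score >= min_score]


# Constructed sample telemetry: one host showing the full chain, one benign host.
SAMPLE_EVENTS = [
    Event("WS-01", "process", 4412, "powershell.exe", parent_image="cmd.exe",
          cmdline="powershell.exe -NoProfile -File launcher.ps1"),
    Event("WS-01", "process", 4420, "python.exe", parent_image="powershell.exe",
          cmdline="python.exe sim.py"),
    Event("WS-01", "file", 4420, "python.exe",
          path=r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("WS-01", "network", 4420, "python.exe", dest_host="api.telegram.org"),
    # Benign: an engineer runs a build script from PowerShell that only talks to PyPI.
    Event("WS-02", "process", 7001, "python.exe", parent_image="powershell.exe",
          cmdline="python.exe build.py"),
    Event("WS-02", "network", 7001, "python.exe", dest_host="pypi.org"),
]


if __name__ == "__main__":
    for f in find_stealer_chains(SAMPLE_EVENTS):
        print(f"{f.host} pid={f.pid} score={f.score}")
        for ind in f.indicators:
            print("  -", ind)
```

Against the constructed sample, only WS-01's Python process is reported (all three indicators); WS-02 matches the shell-to-Python indicator alone and stays below the threshold. In production the same correlation would be keyed on process GUIDs rather than raw PIDs to avoid PID reuse.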

The malware's various versions, such as BAT, MSI, and HTA files, all contain the same Python payload that focuses on extracting browser data from Chrome, Firefox, Edge, Opera, Brave, and Chromium browsers.
According to CYFIRMA's analysis, the majority of victims come from Vietnam, while others are from Singapore, the US, Czechia, and the Netherlands. The wide-reaching presence of Braodo Stealer emphasizes the significant impact it has had across different geographical areas.
This serves as a reminder of the importance of implementing stronger cybersecurity measures in regions that are frequently targeted. This malware is a significant threat due to its ability to spread across various platforms and its utilization of advanced obfuscation techniques.
Further Insights
In addition to CYFIRMA's research, cybersecurity researcher g0njxa has noted on Twitter an increase in malware originating from Vietnam. G0njxa discovered Braodo Stealer malware that is controlled by a Telegram bot.
It primarily targets Facebook cookies and other credentials stored in web browsers. G0njxa's investigation uncovered logs that were being managed by a user named “bot_cutedzvcbot” and sent to a private group.

Seeking further details, g0njxa left a message on the bot's title, expressing a desire to connect with the operator. The operator, who mentioned using the bot for “trolling” purposes, acknowledged their interest in doing business but offered only minimal helpful details.
Undeterred, g0njxa turned their attention to another important discovery: an interview with a Vietnamese individual who was involved in the operations of the malware.
Running ad campaigns on stolen Facebook accounts
G0njxa's interview with a person operating under the handle @scanhihihi2, conducted in Vietnamese using a translator, revealed important information about the malware's involvement in fraudulent ad campaigns.
The interviewee explained that the threat actors use stolen Facebook accounts for drop shipping. This is a method where sellers don't need to keep products in stock, as they simply send orders to another company for fulfillment.

This generates substantial profits, often through deceptive advertising expenses. The interviewee provided a clear explanation of how drop shipping campaigns use stolen credentials to run ads, with a primary focus on targeting American users.
The interviewee also emphasized the use of compromised Facebook accounts for ad campaigns as well as the distribution of malware.

These accounts, which frequently include posts that lead to dangerous software downloads, add another layer of complexity to the threat landscape.
The interview also shed light on the presence of a thriving carding community in Vietnam, resulting in significant financial losses, with a primary focus on American users.
The usage of Telegram communities to coordinate these activities, as explained by g0njxa and supported by CYFIRMA's findings, highlights the collaborative nature of these threat actors.