
Cybercrime, BlueStealer (alias DarkCloud) is back

BlueStealer (alias DarkCloud) is back. A fake email from an Indian company contains an r.00 attachment, with an exe file inside: the malware. BluStealer does not have a C2 but sends the stolen data by email

BlueStealer, alias DarkCloud, is back with a new purchase order-themed campaign.

A fake email from an Indian company contains an r.00 attachment, with an exe file inside: the malware. BluStealer doesn’t have a C2 but sends the stolen data by email to a preconfigured address using the SendByEmail feature, as CERT-AgID discovered last October.

The malware is an infostealer that aims to exfiltrate credentials from nearly 40 applications (including VPN clients, FTP clients, browsers and email clients); credit card information saved in browsers; and downloaded e-mail messages and contacts from the address book of some e-mail clients. It also replaces cryptocurrency wallet addresses, each time one is copied, with the attackers' own wallet addresses. As a result, payments sent from infected machines reach the authors of the malware campaign rather than the intended recipients.
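The clipper behaviour described above leaves a recognisable trace in clipboard telemetry: a valid wallet address is overwritten, almost immediately and by a different process, with a different address of the same kind. The following Python is an added example, not code from the article or from CERT-AgID; the event list, process names and address patterns are constructed for illustration, and the pattern coverage is deliberately limited to a few common formats.

```python
import re
from typing import Optional

# Illustrative wallet address formats (assumption: not an exhaustive list).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str) -> Optional[str]:
    """Return the address family the text looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_clipper_swaps(events, window_seconds: float = 2.0):
    """events: iterable of (timestamp_seconds, writing_process, clipboard_text).

    Flags a clipboard write in which a valid wallet address is replaced by a
    different address of the same kind, by a different process, within
    window_seconds. That sequence is the signature of a clipper; a user
    copying two addresses from the same application later on is not flagged.
    """
    alerts = []
    last = None  # (timestamp, process, text, kind) of the previous write
    for ts, source, raw in events:
        text = raw.strip()
        kind = address_kind(text)
        if (kind is not None and last is not None and last[3] == kind
                and last[2] != text and last[1] != source
                and ts - last[0] <= window_seconds):
            alerts.append({"original": last[2], "replacement": text,
                           "kind": kind, "by": source, "at": ts})
        last = (ts, source, text, kind)
    return alerts


# Constructed clipboard log: the write at t=5.3 is the swap a clipper performs.
SAMPLE_EVENTS = [
    (0.0, "browser", "hello world"),
    (5.0, "browser", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    (5.3, "unknown.exe", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    (20.0, "wallet-app", "0x52908400098527886E0F7030069857D2E4169EE7"),
    (40.0, "wallet-app", "0x8617E340B3D01FA5F11F306F4090FD50E238070D"),
]

if __name__ == "__main__":
    for alert in detect_clipper_swaps(SAMPLE_EVENTS):
        print(alert)
```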
