A Malware That Takes Screenshots and Steals Your Passwords
Cyber security researchers have discovered a new kind of malware that takes screenshots and steals passwords.
SquirtDanger, the “Swiss Army Knife” malware that targets cryptocurrencies and online wallets, has been discovered by Palo Alto Networks Unit 42. With the help of this malware, hackers can take screenshots, download files and steal the contents of all kinds of cryptocurrency wallets. The researchers who discovered the malware infer that it was created by a Russian author, ‘TheBottle’.
A post on the Palo Alto Networks blog discusses the malware in detail. The post says: “Finding and investigating new malware families or campaigns is a lot like pulling a loose thread from an article of clothing. Once you start tugging gently on the thread, everything starts to unravel. In this particular case we began by investigating a new malware family, which we are calling SquirtDanger based on a DLL, SquirtDanger.dll, used in the attacks. There is strong evidence to indicate that this malware family was created by a prolific Russian malware author that goes by the handle of ‘TheBottle’.”
The blog also gives an overview of the malware; it says: “SquirtDanger is a commodity botnet malware family that comes equipped with a number of characteristics and capabilities. The malware is written in C# (C Sharp) and has multiple layers of embedded code. Once run on the system, it will persist via a scheduled task that is set to run every minute. SquirtDanger uses raw TCP connections to a remote command and control (C2) server for network communications.”
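The every-minute scheduled task mentioned in the overview above is something a defender can hunt for. The following is an added example, not code from this article or from the Palo Alto Networks post: it flags tasks whose trigger repeats at or below a one-minute interval, assuming each task's XML was exported with `schtasks /query /tn <name> /xml`. The sample tasks, their names and paths are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def duration_seconds(text):
    """Convert a Task Scheduler duration such as PT1M or PT60S to seconds."""
    m = DURATION.match(text.strip())
    if not m or not any(m.groups()):
        return None  # empty, malformed, or a bare "P"
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s

def short_interval_triggers(task_xml, max_seconds=60):
    """Return (trigger type, interval in seconds, commands) for each trigger
    whose repetition interval is at or below max_seconds."""
    root = ET.fromstring(task_xml)
    commands = [
        " ".join(filter(None, [e.findtext("t:Command", "", NS),
                               e.findtext("t:Arguments", "", NS)]))
        for e in root.findall("t:Actions/t:Exec", NS)
    ]
    hits = []
    for trig in root.findall("t:Triggers/*", NS):
        secs = duration_seconds(trig.findtext("t:Repetition/t:Interval", "", NS))
        if secs is not None and secs <= max_seconds:
            hits.append((trig.tag.split("}")[1], secs, commands))
    return hits

# Constructed sample tasks (paths and dates are made up for illustration).
EVERY_MINUTE = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1M</Interval></Repetition>
    <StartBoundary>2018-04-17T00:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\Users\Public\example.exe</Command></Exec></Actions>
</Task>"""
DAILY = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2018-04-17T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Example\backup.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(short_interval_triggers(EVERY_MINUTE), short_interval_triggers(DAILY))
```

A one-minute interval is only a lead for review, since legitimate software also schedules frequent tasks; the returned command line is what an analyst would check next.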
SquirtDanger has a wide range of functionality; it can take screenshots, delete malware, send files, clear browser cookies, list processes, list drives, kill processes, get directory information, download, upload and delete files, steal wallets, steal browser passwords, and swap identified wallets in the victim’s clipboard, among other things.
WindowsReport.com gives a brief description of how SquirtDanger works: “SquirtDanger used ‘raw TCP connections’ for initiating network communications to a remote C&C server and researchers were able to extract an embedded identifier from roughly 400 SquirtDanger samples. Digging in, they’ve discovered a code repository which coincided with the capabilities and style of the samples observed.”
More details, along with an in-depth analysis of how the malware works, are available on the Palo Alto Networks blog.
SquirtDanger has spread and infected organizations and individuals in many countries across the world. According to experts, this malware can seek out wallets for different cryptocurrencies, including Bitcoin, Monero, Ethereum, Litecoin, Dash etc.
Since cryptocurrencies are getting more and more popular, we can expect more malware of this kind in the months and years to come. Hence it becomes very important to ensure better security for all kinds of online crypto wallets.
How to Stay Secure
To ensure better security against such malware, there are some basic things that need to be done. The first, and of course the most important, is to keep all systems in your network updated. All software in use, and the operating system, need to be updated regularly as well. Similarly, it is advisable to use strong passwords, two-factor authentication and other stronger security protocols as and when needed. Those engaging in cryptocurrency trading also need to make use of the required security software.
Julia Sowells
Julia Sowells has been a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm in her role as security consultant while continuing to write for Hacker Combat in her limited spare time.