Blackguard is a kind of MaaS (malware-as-a-service) software announced on underground forums with a lifetime price of $700 or a monthly price of $200. It is developed in C# and typically distributed in the wild through email, impersonating legitimate software such as Windows Update files, Office documents, office installers, cleaning software, etc. The available features depend on the package paid for and the period of use. 12, 2022, and it was released on the Russian-based forums, as presented in Figure 1.

Figure 1: Blackguard stealer shared on underground forums in January 2022.

Blackguard stealer is an improvement on the 44Caliber malware, and it uses the same TTPs to steal credentials and details from the infected machines. YouTube videos promoting this piece of malware were also found, potentially referring to a "Free cheat" software.

Figure 2: Blackguard malware disseminated on YouTube via URLs attached to the videos' descriptions (source).

The workflow of Blackguard is simple: it validates whether it is being executed under a sandbox environment, decodes its internal strings in memory, collects sensitive information, including browser data and crypto-wallets, and sends all the information to a Telegram channel.

Figure 3: Blackguard malware detects AV processes and terminates its execution (source).

The malware strings are obfuscated with a base64 encoder and decoded at runtime. Although no effective string encryption algorithm is used, the base64 encoding prevents the plain-text strings from being visible during the static analysis phase.

Like other malware from Russia, it checks whether the target machine is geolocated in the Commonwealth of Independent States (CIS).

Figure 4: List of CIS countries and malware bypass infection.

The stealing process

At the time of collecting data, Blackguard calls several modules that collect sensitive information from several locations, including:

- Browser data (cookies, passwords, etc.).
- Details from popular IM software (Telegram, Pidgin, etc.).
- Passwords from popular software (Outlook, WinSCP, FileZilla and Discord).

Figure 5: Collected details during the Blackguard execution.

According to the Blackguard developers, the malware features depend on the price plan, and they are embedded in the malware binary accordingly. The full feature list can be obtained from the Russian-based forum and is presented in Figure 6 below.

Figure 6: Complete list of Blackguard features depending on the malware plan.

The use of Telegram within this context is increasingly popular. In detail, the applications targeted by Blackguard are the following:

Figure 7: Targeted applications found inside the Blackguard binary file (the full version).
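Because the strings are only base64-encoded rather than encrypted, an analyst can recover them from the binary without running the sample. The following added example (not code from the original article or the malware) scans a byte buffer for base64 runs, decodes those that yield printable text, and discards everything else; the filler bytes and embedded strings in SAMPLE_BLOB are constructed for the demonstration.

```python
import base64
import re
from typing import List, Tuple

# Heuristic: runs of base64 alphabet characters with optional '=' padding.
# The minimum run length is an assumption chosen to limit false positives.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def decode_candidates(blob: bytes, min_len: int = 12) -> List[Tuple[bytes, str]]:
    """Return (raw_token, decoded_text) for every base64 run in blob that
    decodes to printable UTF-8. This reproduces the malware's runtime decode
    step offline so the plain-text strings show up during static analysis."""
    found = []
    for match in B64_RE.finditer(blob):
        token = match.group(0)
        # Valid base64 is always a multiple of 4 characters; short or
        # oddly sized runs are usually identifiers, not encoded strings.
        if len(token) < min_len or len(token) % 4 != 0:
            continue
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # random bytes that happened to look like base64
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            found.append((token, text))
    return found


# Constructed sample: plain-text strings base64-encoded and surrounded by
# filler bytes, standing in for the obfuscated strings section of a binary.
SAMPLE_STRINGS = ["Login Data", "Telegram Desktop", "Cookies", "wallet.dat"]
SAMPLE_BLOB = (
    b"\x00MZ\x90\x00"
    + b"\x00".join(base64.b64encode(s.encode()) for s in SAMPLE_STRINGS)
    + b"\x00\xff\xfe"
)

if __name__ == "__main__":
    for token, text in decode_candidates(SAMPLE_BLOB):
        print(f"{token.decode():<26} -> {text}")
```

On a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `decode_candidates`; the hit list is a starting point for triage, not a complete string table.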