Executive Summary

• BlackGuard Stealer, which collects and exfiltrates credentials and device information from infected PC, first appeared when the official seller posted a promotion article on the dark web forum in January 2022
• BlackGuard Stealer collects and exfiltrates not only credentials such as Browser user data, Local files, Crypto wallets, VPN accounts, Steam accounts, Discord tokens, FileZilla data, and Telegram session data, but also device information such as OS version, System information, IPv4, country, and screenshot from infected PC
• The collected information is stored in a temporarily created folder. After collecting information, the folder is compressed to a *.zip file and exfiltrated through Telegram API.

Introduction of BlackGuard Stealer

BlackGuard is one of the info stealers written in C#. It is mostly distributed through malicious software disguised as Windows Update file, Fake MS Office Installer, Computer cleaner software, etc.

Recently, the info stealer abused the description of a YouTube video by attaching the download link that contains the info stealer. In March 2022, a link to download a game hack program was posted in the YouTube video description, but when users downloaded and ran the software, 44Caliber Stealer was executed on the users’ PC.

• Reference: https://asec.ahnlab.com/en/32499/
• YouTube link: https[:]//www[.]youtube[.]com/watch?v=YI8rJhQLsfg
• Malware download page: https[:]//anonfiles[.]com/J0b03cKexf

BlackGuard Stealer, which is currently being distributed, is forked from 44Caliber Stealer. Both BlackGuard and 44Caliber use the same method to collect credentials and device information. In addition, they store them in a temporarily created folder and compress them to the *.zip file. But while BlackGuard uses Telegram’s sendDocument API, 44Caliber uses Discord Webhook API to exfiltrate. 

☑️ Click here to learn more