
The History of BlackGuard Stealer

Date 2022. 05. 13

Introduction of BlackGuard Stealer

With the recent rapid expansion of the blockchain market, including NFTs, cybercriminals are increasingly using info stealer malware to steal credentials and wallet data stored on personal PCs. In addition, since the LAPSUS$ group, which has recently carried out data breaches against large enterprises around the world, is known to have relied mainly on credentials obtained from info stealer malware, the risk posed by stealers has risen significantly compared to the past.

Info stealer malware is a type of malware that steals credentials and sensitive information from an infected PC; well-known examples include RedLine, Raccoon, and Vidar. S2W recently conducted and published an analysis of BlackGuard Stealer, which is being actively promoted on a DDW (deep and dark web) forum. Since it has also been confirmed that a new version is being distributed, we would like to organize and disclose the history of BlackGuard Stealer.

Timeline of BlackGuard Stealer

The operator who develops and sells BlackGuard Stealer uploaded the first promotional post about BlackGuard, titled “New Stealer”, on the dark web forum XSS on March 21, 2021. However, the post was closed because the operator had not paid the deposit the forum requires of sellers, and a second promotional post uploaded about a month later, on April 8, 2021, was also temporarily suspended for the same reason. After that there was no activity related to BlackGuard Stealer until January 2022, when the operator paid the deposit and began testing the product, at which point activity started in earnest. Before selling BlackGuard, the BlackGuard operator and developer had sold a loader program called RunPE.

According to the first promotional post published by the BlackGuard operator in March 2021, the initial version of BlackGuard borrowed some code from the open-source ‘StormKitty’ stealer. Beyond this, it was confirmed that BlackGuard’s code is also similar to that of ‘44Caliber’ and ‘Echelon Stealer’. In other words, the BlackGuard operator initially reused parts of the code of several known info stealers, but has been gradually changing the internal structure through periodic version updates.
