Blackguard Infostealer is a malware strain that was first observed infecting Windows devices at the start of 2022. Other security researchers have already documented how the malware operates and how it is distributed via underground Russian crimeware forums [1, 2]. This article expands on that research by examining the malware's data exfiltration capabilities in greater detail. Blackguard is designed to steal a wide range of personal data, including credentials, cookies, messaging history, browsing history, cryptocurrency wallet information, and screenshots from the infected machine. Understanding what types of data attackers want helps clarify the value Blackguard offers its authors, and therefore how the malware fits into the broader cybercrime ecosystem.
Attackers distribute Blackguard using a variety of techniques, including drive-by downloads and phishing emails with malicious attachments. Once Blackguard Infostealer has infected a victim's device, it uses techniques such as system Application Programming Interface (API) hooking, Dynamic Link Library (DLL) injection and resource hijacking to steal credentials from browsers, messaging clients, and other client-side software. The stolen data is compressed and exfiltrated over the same HTTP-based communication channel that the attackers use for command and control (C&C). The exfiltrated credentials are stored on the C&C server and later used for follow-on attacks such as credential stuffing, account creation, and online fraud.
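The detection idea that follows from the exfiltration pattern above (compressed data leaving over the same HTTP channel used for beaconing) can be expressed as a small log-analysis pass. This is an added example, not code from the original article or from any vendor tooling; the proxy-log records, hosts and IP addresses in it are constructed for illustration, and the byte-size threshold is an assumed tuning value.

```python
# Added example: flag HTTP POSTs whose body starts with a ZIP local-file
# header and that go to a host the same client already contacted earlier,
# i.e. a compressed upload riding on an established C&C channel.
from collections import defaultdict

ZIP_MAGIC = b"PK\x03\x04"  # ZIP local-file header signature

# Constructed proxy-log records (not real traffic):
# (timestamp, src_ip, dst_host, method, first bytes of body, body size)
RECORDS = [
    (100, "10.0.0.5", "198.51.100.7", "GET", b"", 0),                      # initial beacon
    (101, "10.0.0.5", "198.51.100.7", "POST", b"id=abc", 45),               # small check-in
    (160, "10.0.0.5", "198.51.100.7", "POST", b"PK\x03\x04\x14\x00", 240000),  # zipped upload
    (170, "10.0.0.8", "cdn.example.org", "POST", b"PK\x03\x04\x14\x00", 120000),  # no prior contact
    (180, "10.0.0.5", "198.51.100.7", "POST", b'{"k":1}', 30),              # JSON, ignored
]


def find_zipped_exfil(records, min_bytes=50_000):
    """Return (timestamp, src, dst) for every POST that carries a ZIP body of
    at least min_bytes to a host the same client had contacted earlier in the
    log. Requiring prior contact ties the upload to an existing channel and
    suppresses one-off uploads to hosts seen for the first time."""
    seen = defaultdict(set)  # src_ip -> hosts already contacted
    hits = []
    for ts, src, dst, method, body, size in sorted(records, key=lambda r: r[0]):
        prior_contact = dst in seen[src]
        seen[src].add(dst)
        if (method == "POST" and body.startswith(ZIP_MAGIC)
                and size >= min_bytes and prior_contact):
            hits.append((ts, src, dst))
    return hits


if __name__ == "__main__":
    for hit in find_zipped_exfil(RECORDS):
        print("possible zipped exfiltration over existing channel:", hit)
```

Only the record at timestamp 160 is flagged: the upload from 10.0.0.8 matches on content but has no earlier contact with its destination, and the other POSTs from 10.0.0.5 are not ZIP bodies.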
During our research into BlackGuard Infostealer, we identified an exposed command and control (C&C) administrator panel (Figure 1) and analyzed the stolen data stored within it.
During active and passive analysis of the BlackGuard C&C panel, we found that the malware records geographical information from compromised systems, indicating that BlackGuard is used against victims all around the world. Figure 2 shows a snippet of the exposed zipped files containing data stolen from compromised systems, including victims in Sweden, Switzerland, the UK, and the United States.