ThirdEye Stealer Scrapes System Information

A previously undocumented information stealer named ThirdEye has surfaced, capable of extracting sensitive data from compromised systems. Fortinet FortiGuard Labs discovered the malware in an executable masquerading as a PDF document with a Russian-language filename, "CMK Правила оформления больничных листов.pdf.exe," which translates to "CMK Rules for issuing sick leaves.pdf.exe." The double extension is the tell: the file is an executable, not a document.

How the malware is delivered is not yet known, but the nature of the lure suggests it is used in phishing. The earliest ThirdEye sample was uploaded to VirusTotal on April 4, 2023, and has fewer features than later iterations.

Like other stealers, ThirdEye, which is still evolving, collects system metadata such as the BIOS release date and manufacturer, free space on the C: drive, running processes, usernames and volume information, and sends it to a command-and-control (C2) server. One distinguishing trait is the string "3rd_eye", which the malware sends to the C2 server to identify itself.
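The two observable traits above, the double-extension lure and the "3rd_eye" marker string in C2 traffic, are both cheap to check for. The following is an added example written for this page, not Fortinet's code or any part of the malware; the proxy log format and the sample lines are constructed for illustration, and the extension lists are an assumption about common decoy and executable suffixes rather than anything the report enumerates.

```python
import re
from typing import Dict, Iterable, List

# Assumed decoy suffixes that make a file look like a document or image.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Assumed suffixes that Windows will execute regardless of what precedes them.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}

# Marker string ThirdEye sends to its C2 server, per the FortiGuard Labs report.
THIRDEYE_MARKER = "3rd_eye"


def is_double_extension_lure(filename: str) -> bool:
    """True when a filename looks like '<name>.<document-ext>.<executable-ext>'.

    Works on non-ASCII names such as the Russian-language lure, and ignores
    case so that 'INVOICE.PDF.EXE' is caught as well.
    """
    parts = filename.rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, decoy, real = parts
    return decoy.lower() in DOCUMENT_EXTS and real.lower() in EXECUTABLE_EXTS


# Constructed (hypothetical) proxy log format:
#   <timestamp> <src_ip> <method> <url> body="<raw request body>"
_LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) body="(.*)"$')


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return entries whose request body carries the ThirdEye marker string."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        ts, src, _method, url, body = m.groups()
        if THIRDEYE_MARKER in body:
            hits.append({"time": ts, "src": src, "url": url,
                         "reason": "3rd_eye C2 marker"})
    return hits


# Constructed sample data: one lure filename, one benign document, and a
# three-line log where only the second line contains the marker.
SAMPLE_FILES = [
    "CMK Правила оформления больничных листов.pdf.exe",
    "quarterly_report.pdf",
]
SAMPLE_LOG = [
    '2023-06-28T10:00:01Z 10.0.0.5 GET http://intranet.example/home body=""',
    '2023-06-28T10:00:07Z 10.0.0.5 POST http://203.0.113.10/gate body="3rd_eye|BIOS=2019-03-12|DISK_C=41GB"',
    '2023-06-28T10:00:09Z 10.0.0.6 POST http://updates.example/ping body="ok"',
]

if __name__ == "__main__":
    for name in SAMPLE_FILES:
        print(f"{name!r}: lure={is_double_extension_lure(name)}")
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The filename check deliberately looks only at the last two suffixes, so a path such as "a.b.pdf.exe" is still caught; in practice you would also want to inspect the file's magic bytes rather than trust the name. The log scan is a plain substring match on the body, which is all the report supports; any encoding or encryption of the beacon would defeat it.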

ThirdEye May Not Have Been Used in the Wild

There is currently no concrete evidence that ThirdEye has been deployed in real-world attacks. However, since most ThirdEye-related artifacts were uploaded to VirusTotal from Russia, it is probable that any campaign would target Russian-speaking organizations.

Fortinet's researchers noted that although the malware is not sophisticated, it is designed to steal a range of information from compromised machines that can serve as a stepping stone for further attacks; the collected data, they added, is "valuable for understanding and narrowing down potential targets."

Separately, trojanized installers for the popular Super Mario Bros video game franchise, hosted on dubious torrent sites, are being used to distribute cryptocurrency miners as well as Umbral, a C#-based open-source information stealer that exfiltrates selected data through Discord webhooks.

Gamers have also been targeted by Python-based ransomware and a remote access trojan called SeroXen, which uses a commercial batch-file obfuscation engine called ScrubCrypt (also known as BatCloak) to evade detection. There are indications that the people behind SeroXen also contributed to ScrubCrypt's development.

SeroXen was initially advertised for sale on a clearnet website registered on March 27, 2023, which was shut down in late May. Since then it has been promoted on Discord, TikTok, Twitter and YouTube, and a cracked version has now surfaced on criminal forums.

June 29, 2023