Malwarebytes Labs Labs: Taurus Project stealer now spreading through malvertising campaign

The Taurus Project stealer gains an additional distribution vector via exploit kits.

For the past several months, Taurus Project, a relatively new stealer that appeared in the spring of 2020, has been distributed via malspam campaigns targeting users in the United States. The macro-laced documents spawn a PowerShell script that invokes certutil to run an AutoIt script, which is ultimately responsible for downloading the Taurus binary.

Taurus was originally built as a fork by the developer behind Predator the Thief. It boasts many of the same capabilities as Predator the Thief, namely the ability to steal credentials from browsers, FTP, VPN, and email clients as well as from cryptocurrency wallets.

Starting in late August, we began noticing large malvertising campaigns, in particular one that we dubbed Malsmoke, which distributes Smoke Loader. Within the past few days we observed a new infection chain pushing the Taurus stealer.

Campaign scope

Like the other malvertising campaigns we have covered, this latest one also targets visitors to adult sites. Victims are mostly in the US, but also in Australia and the UK.

Traffic is fed into the Fallout exploit kit, probably the most dominant drive-by toolset at the moment. The Taurus stealer is deployed onto vulnerable systems running unpatched versions of Internet Explorer or Flash Player.

Figure 1: Traffic capture showing the malvertising chain into Fallout EK loading Taurus

Because of code similarities, many sandboxes and security products will detect Taurus as Predator the Thief.

Figure 2: The string 'TAURUS' as seen in the malware binary

The execution flow is indeed pretty much identical: scrape the system for data to steal, exfiltrate it, and then load additional malware payloads. In this instance we observed SystemBC and QBot.

Stealer-loader combo is still popular

Stealers are a popular malware payload these days, and some families have diversified to become more than plain stealers, not only in terms of advanced features but also as loaders for additional malware.

Though the risk actors behind Predator the thief have appeared to have handed over a fork of their unique creation and disappeared, the marketplace for stealers continues to be very sturdy.

Malwarebytes users are protected against this threat via our anti-exploit layer, which stops the Fallout exploit kit.

We would like to thank Fumik0_ for background information about Predator the Thief and Taurus.

Indicators of Compromise

Malvertising infrastructure

Taurus binary

Taurus C2
