The Taurus Project stealer adds a new distribution vector via exploit kit.
For the past several months, Taurus Project, a relatively new stealer that appeared in the spring of 2020, has been distributed via malspam campaigns targeting users in the United States. The macro-laced documents spawn a PowerShell script that invokes certutil to run an AutoIt script, which is ultimately responsible for downloading the Taurus binary.
Taurus was originally built as a fork by the developer behind Predator the Thief. It boasts many of the same capabilities as Predator the Thief, namely the ability to steal credentials from browsers, FTP, VPN and email clients, as well as cryptocurrency wallets.
Starting in late August, we began noticing large malvertising campaigns, including in particular one campaign we dubbed Malsmoke that distributes Smoke Loader. Within the past few days we observed a new infection chain pushing the Taurus stealer.
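The malspam chain above (Office document, then PowerShell, then certutil, then an AutoIt interpreter) is visible as process lineage, which is a more durable detection than any one file hash. The following is an added example, not Malwarebytes detection content: it walks a constructed, Sysmon-style list of process-creation events (pid, ppid, image path) and reports any AutoIt process whose ancestry contains an Office application followed, in order, by PowerShell and certutil. The image names, the assumption that the AutoIt interpreter runs as AutoIt3.exe, and the sample events are all assumptions made for the demo.

```python
"""Process-lineage check for an Office -> PowerShell -> certutil -> AutoIt chain.

Added example, not part of the original article. Events are a constructed,
Sysmon-like list of process creations; none of them are real telemetry.
"""
from typing import Dict, List

# Parent applications that should never end up launching this chain.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Stages expected after the document, in order. Intermediates such as cmd.exe
# between them are tolerated because the match is on an ordered subsequence.
# "autoit3.exe" is an assumption about the interpreter's file name.
CHAIN = ["powershell.exe", "certutil.exe", "autoit3.exe"]


def basename(image: str) -> str:
    """Lower-cased file name of an image path, tolerating both slash styles."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(event: Dict, by_pid: Dict[int, Dict]) -> List[Dict]:
    """Return [event, parent, grandparent, ...], stopping at unknown pids or loops."""
    chain = [event]
    seen = {event["pid"]}
    while event["ppid"] in by_pid and event["ppid"] not in seen:
        event = by_pid[event["ppid"]]
        seen.add(event["pid"])
        chain.append(event)
    return chain


def is_subsequence(needle: List[str], hay: List[str]) -> bool:
    """True if every element of needle appears in hay, in order, not necessarily adjacent."""
    it = iter(hay)
    return all(n in it for n in needle)


def find_document_to_autoit_chains(events: List[Dict]) -> List[List[int]]:
    """Return pid chains (Office app first, AutoIt last) that match the malspam lineage."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != CHAIN[-1]:
            continue
        lineage = list(reversed(ancestry(e, by_pid)))  # root first
        names = [basename(a["image"]) for a in lineage]
        office_idx = next((i for i, n in enumerate(names) if n in OFFICE), None)
        if office_idx is None:
            continue
        if is_subsequence(CHAIN, names[office_idx + 1:]):
            hits.append([a["pid"] for a in lineage[office_idx:]])
    return hits


# Constructed sample events (pid, ppid, image). Paths are assumptions.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    # malicious: document -> powershell -> certutil -> AutoIt
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\certutil.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\Public\AutoIt3.exe"},
    # benign: an admin running certutil from a PowerShell console, no Office parent
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\certutil.exe"},
    # benign: AutoIt launched directly by the user from Explorer
    {"pid": 800, "ppid": 100, "image": r"C:\Tools\AutoIt3.exe"},
]

if __name__ == "__main__":
    for chain in find_document_to_autoit_chains(SAMPLE_EVENTS):
        print("suspicious lineage, pids:", " -> ".join(map(str, chain)))
```

Only the first tree is reported; the two benign cases fail on the missing Office ancestor even though they contain the same LOLBins, which is what keeps this check quieter than alerting on certutil alone.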
Campaign scope
Like the other malvertising campaigns we covered, this latest one also targets visitors to adult sites. Victims are mostly from the US, but also from Australia and the UK.
Traffic is fed into the Fallout exploit kit, probably one of the most dominant drive-by toolsets at the moment. The Taurus stealer is deployed onto vulnerable systems running unpatched versions of Internet Explorer or Flash Player.

Because of code similarities, many sandboxes and security products will detect Taurus as Predator the Thief.

The execution flow is indeed virtually identical: scrape the system for data to steal, exfiltrate it, then load additional malware payloads. In this instance we observed SystemBC and QBot.
Stealer – loader combo is still popular
Stealers are a popular malware payload these days, and some families have diversified to become more than plain stealers, not only in terms of advanced features but also as loaders for additional malware.
Although the threat actors behind Predator the Thief appear to have handed over a fork of their original creation and disappeared, the market for stealers remains very strong.
Malwarebytes users are protected against this threat via our anti-exploit layer, which stops the Fallout exploit kit.
We would like to thank Fumik0_ for background information about Predator the Thief and Taurus.
Indicators of Compromise
Malvertising infrastructure
casigamewin[.]com
Redirector
89.203.249[.]76
Taurus binary
84f6fd5103bfa97b8479af5a6db82100149167690502bb0231e6832fc463af13
Taurus C2
111.90.149[.]143
SystemBC
charliehospital[.]com/soc.exe
c08ae3fc4f7db6848f829eb7548530e2522ee3eb60a57b2c38cd1bdc862f5d6f
QBot
regencymyanmar[.]com/nt.exe
3aabdde5f35be00031d3f70aa1317b694e279692197ef7e13855654164218754
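The indicators above are published defanged, and they are of four kinds (domain, IP, URL, SHA-256), so a practitioner typically refangs and types them before sweeping proxy logs and file inventories. The following is an added example, not Malwarebytes tooling: it parses the list exactly as printed on this page, then runs it over a constructed proxy log and a constructed set of observed hashes. The proxy log format (`<ts> <client_ip> <dst_host> <path> <status>`) and the sample events are assumptions for the demo; adapt parse_proxy_line() to your own export.

```python
"""Offline matcher for the IOCs published with this Taurus write-up.

Added example, not part of the original article. The log format and sample
events are constructed for the demo, not real telemetry.
"""
import hashlib
import re
from typing import Dict, List, Set

# Indicators copied verbatim from the page, still defanged as published.
PAGE_IOCS = """
casigamewin[.]com
89.203.249[.]76
84f6fd5103bfa97b8479af5a6db82100149167690502bb0231e6832fc463af13
111.90.149[.]143
charliehospital[.]com/soc.exe
c08ae3fc4f7db6848f829eb7548530e2522ee3eb60a57b2c38cd1bdc862f5d6f
regencymyanmar[.]com/nt.exe
3aabdde5f35be00031d3f70aa1317b694e279692197ef7e13855654164218754
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")


def refang(value: str) -> str:
    """Turn a defanged indicator back into its live form for matching."""
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Sort raw indicator lines into typed sets: sha256, ip, domain, url."""
    iocs: Dict[str, Set[str]] = {"sha256": set(), "ip": set(), "domain": set(), "url": set()}
    for raw in text.splitlines():
        ioc = refang(raw)
        if not ioc:
            continue
        if SHA256_RE.match(ioc):
            iocs["sha256"].add(ioc)
        elif IPV4_RE.match(ioc):
            iocs["ip"].add(ioc)
        elif "/" in ioc:
            iocs["url"].add(ioc)
            iocs["domain"].add(ioc.split("/", 1)[0])  # contact with the host alone is worth a look
        else:
            iocs["domain"].add(ioc)
    return iocs


def parse_proxy_line(line: str) -> Dict[str, str]:
    """Constructed format: '<ts> <client_ip> <dst_host> <path> <status>'."""
    ts, client, host, path, status = line.split()
    return {"ts": ts, "client": client, "host": host.lower(), "path": path, "status": status}


def match_proxy_logs(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Flag events whose destination URL, host name or IP is on the list (most specific first)."""
    hits = []
    for line in lines:
        ev = parse_proxy_line(line)
        if ev["host"] + ev["path"] in iocs["url"]:
            reason = "url"
        elif ev["host"] in iocs["domain"]:
            reason = "domain"
        elif ev["host"] in iocs["ip"]:
            reason = "ip"
        else:
            continue
        hits.append({**ev, "ioc_type": reason})
    return hits


def match_hashes(observed: List[str], iocs: Dict[str, Set[str]]) -> List[str]:
    """Intersect SHA-256 values from an EDR or file-inventory export with the list."""
    return sorted(h.lower() for h in observed if h.lower() in iocs["sha256"])


def sha256_of_file(path: str) -> str:
    """Hash a file on disk in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample events, not real telemetry.
SAMPLE_PROXY = [
    "2020-09-10T12:00:01Z 10.0.0.5 www.example.com /index.html 200",
    "2020-09-10T12:00:07Z 10.0.0.5 casigamewin.com /ad.js 302",
    "2020-09-10T12:00:08Z 10.0.0.5 89.203.249.76 / 302",
    "2020-09-10T12:01:30Z 10.0.0.5 charliehospital.com /soc.exe 200",
    "2020-09-10T12:01:45Z 10.0.0.5 CharlieHospital.com /about 200",
    "2020-09-10T12:02:00Z 10.0.0.5 111.90.149.143 / 200",
]
SAMPLE_HASHES = [
    "84F6FD5103BFA97B8479AF5A6DB82100149167690502BB0231E6832FC463AF13",
    "0" * 64,
]

if __name__ == "__main__":
    iocs = parse_iocs(PAGE_IOCS)
    for hit in match_proxy_logs(SAMPLE_PROXY, iocs):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']}{hit['path']} [{hit['ioc_type']}]")
    print("hash hits:", match_hashes(SAMPLE_HASHES, iocs))
```

Matching is case-insensitive on hosts and hashes, and a URL indicator also seeds the domain set, so a later request to the same payload host for a different path is still surfaced. Hashes of files already on disk can be fed to match_hashes() via sha256_of_file().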
