Cisco Talos specialists have warned hacktivists who want to DDoS Russian sites that they themselves may become victims of cybercriminals. According to them, a tool is being distributed in Telegram that allegedly carries out DDoS attacks on Russian resources but actually steals cryptocurrency from whoever uses it.
Behind the hacktivist tool Disbalanscer hides the Phoenix infostealer, known since 2019 for stealing data from cryptocurrency wallets. The malware “started” as a keylogger, but within a few months it turned into a full-fledged infostealer with a powerful detection-bypass mechanism and modules that hinder its analysis.
It is noteworthy that a group called disBalancer does exist. It offers a “legitimate” tool for carrying out DDoS attacks on Russian sites, but that tool is called Liberator (Disbalancer.exe). Also notable is that the group’s website contains a typo in the name – disBalancher instead of disBalancer.
Disbalanscer.zip disguises itself as this tool but is in fact an infostealer. It is protected with the ASProtect packer for Windows executables.
“If the researcher tries to debug the malware executable file, an error will appear. After the debugging attempt, the malware will launch Regsvcs.exe, included with the .NET framework. In this case regsvcs.exe is not used as a LoLBin (a binary file provided by the OS, which is usually used for legitimate purposes, but can also be used by hackers – ed.). It is embedded in malicious code consisting of the Phoenix infostealer,” the experts explained.
The attackers behind the malicious campaign are by no means newcomers. They have been distributing infostealers since at least November last year. The malware sends the stolen data to a remote IP address in Russia, 95[.]142.46.35, on port 6666.
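The article gives defenders two concrete things to look for: outbound traffic to 95[.]142.46.35 on port 6666, and an executable carrying the look-alike name Disbalanscer rather than the real Disbalancer.exe, which in the packed sample goes on to launch regsvcs.exe. The script below is an added example, not code from Cisco Talos or from the article, that runs those checks over a handful of constructed log lines; the log line formats, field names and sample paths are assumptions made for the example, and only the IP, port and the two tool names come from the article.

```python
"""Scan constructed log lines for the indicators the article reports.

Added example, not part of the original article. The "NET" and "PROC" line
shapes below are invented for this example; the C2 address, port and the
look-alike file name are the ones the article gives.
"""
import re
from typing import List, Tuple

# Indicator from the article, given there in defanged form.
C2_IP_DEFANGED = "95[.]142.46.35"
C2_PORT = 6666

# Legitimate tool name per the article versus the look-alike the infostealer uses.
LEGIT_NAME = "disbalancer"
LOOKALIKE_NAME = "disbalanscer"


def refang(ip: str) -> str:
    """Turn a defanged indicator such as 95[.]142.46.35 into a matchable 95.142.46.35."""
    return ip.replace("[.]", ".")


C2_IP = refang(C2_IP_DEFANGED)

# Assumed log shapes (constructed for this example):
#   NET  <src_ip> -> <dst_ip>:<dst_port>
#   PROC <image_path> parent=<parent_image_path>
NET_RE = re.compile(r"^NET\s+(\S+)\s+->\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
PROC_RE = re.compile(r"^PROC\s+(\S+)\s+parent=(\S+)$")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_line(line: str) -> List[str]:
    """Return the alerts raised by one log line (empty list if nothing matched)."""
    alerts: List[str] = []
    m = NET_RE.match(line)
    if m:
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if dst == C2_IP and port == C2_PORT:
            alerts.append(f"C2 connection from {src} to {dst}:{port}")
        return alerts
    m = PROC_RE.match(line)
    if m:
        image, parent = m.group(1), m.group(2)
        base, parent_base = _basename(image), _basename(parent)
        # The misspelled name is the one the infostealer ships under.
        if LOOKALIKE_NAME in base:
            alerts.append(f"look-alike binary name: {image}")
        # Per the article the packed sample launches regsvcs.exe; a DDoS tool
        # (real or fake) spawning a .NET framework binary is worth a look.
        if base == "regsvcs.exe" and (LOOKALIKE_NAME in parent_base or LEGIT_NAME in parent_base):
            alerts.append(f"regsvcs.exe spawned by {parent}")
    return alerts


def scan(lines) -> List[Tuple[int, str]]:
    """Run check_line over every line; return (line_number, alert) pairs."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, 1):
        for alert in check_line(line.rstrip("\n")):
            hits.append((number, alert))
    return hits


# Constructed sample log: one C2 connection, one benign connection, the
# look-alike binary, regsvcs.exe spawned by it, and the legitimate tool.
SAMPLE_LOG = [
    "NET 10.0.0.5 -> 95.142.46.35:6666",
    "NET 10.0.0.5 -> 93.184.216.34:443",
    "PROC C:\\Users\\u\\Downloads\\Disbalanscer.exe parent=C:\\Windows\\explorer.exe",
    "PROC C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe parent=C:\\Users\\u\\Downloads\\Disbalanscer.exe",
    "PROC C:\\Tools\\Disbalancer.exe parent=C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for number, alert in scan(SAMPLE_LOG):
        print(f"line {number}: {alert}")
```

Matching on a single IP and port is deliberately narrow: it catches this campaign's exfiltration but nothing else, so in practice the network check would feed from a maintained indicator list, while the look-alike name and regsvcs.exe parent checks are cheap to keep running on endpoint process-creation telemetry regardless of which address the next sample reports to.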