An In-Depth Exploration of Aquatic Gamayun’s Equipment and Framework

DataSafe Thief Variant A

DataSafe Thief Variant A Details

Upon activation, the malicious program gathers comprehensive system data, encompassing antivirus solutions, installed applications, network connectors, active programs, and more. It also retrieves confidential details like Wi-Fi access codes, Windows activation keys, clipboard past activities, and user sessions from various messaging platforms, VPN services, VNC systems, FTP applications, and password storage tools. Additionally, it acquires files from user directories using specified terms and file types as outlined below:

$searchTerms = @(“2fa”, “acc”, “account”, “auth”, “backup”, “bank”, “binance”, “bitcoin”, “bitwarden”, “btc”, “casino”, “code”, “coinbase “, “crypto”, “dashlane”, “discord”, “eth”, “exodus”, “facebook”, “funds”, “info”, “keepass”, “keys”, “kraken”, “kucoin”, “lastpass”, “ledger”, “login”, “mail”, “memo”, “metamask”, “mnemonic”, “nordpass”, “note”, “pass”, “passphrase”, “proton”, “paypal”, “pgp”, […])

$permittedFormats = @(“*.jpg”, “*.png”, “*.rdp”, “*.txt”, “*.doc”, “*.docx”, “*.pdf”, “*.csv”, “*.xls”, “*.xlsx”, “*.ldb”, “*.log”, “*.pem”, “*.ppk”, “*.key”, “*.pfx”)

Figure 21 below demonstrates the process of how the malware identifies a target device.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts