Using Telegram as its command-and-control (C2) mechanism, a new strain of malware, a bot dubbed Zaraza, is capable of extracting login credentials from a victim's open browser and saving them to a file, as well as taking screenshots of open windows to be saved in a JPG file.
First identified by the Uptycs threat research team, the new bot is capable of stealing credentials from 38 Web browsers, including Google Chrome, Microsoft Edge, and Opera, among others. Once it successfully infects a victim's computer, it sends the information to a Telegram server, where it becomes accessible to potential threat actors. It's believed that the Zaraza bot is linked to Russian hackers, evidenced by the use of the name "Zaraza" which means "infection" in Russian, the researchers said in their report outlining the malware.
The type of login credentials that it steals range from bank accounts to email accounts to online wallets, as well as other sensitive and valuable website targets. This information can provide attackers with the opportunity to commit severe crimes such as identity theft and financial fraud, as well as grant access to personal identifiable information (PII) and, especially in the era of remote work, business accounts. This variant of malware and what it allows attackers to do potentially opens the floodgates to financial loss and "reputational damage," according to the analysis.
"To protect yourself against this malware," the Uptycs researchers wrote, "you should update your passwords regularly, follow online security best practices such as using strong passwords and multi-factor authentication, and ensure regular software and security system updates."