Updated BlackGuard stealer variant sets sights on more crypto wallets, extensions

BleepingComputer reports that the BlackGuard information-stealing malware has been updated to target 57 cryptocurrency wallets and browser extensions, up from the 45 crypto-related wallets and extensions aimed by the malware in August. BlackGuard has been exfiltrating data and assets from the BitcoinCore, AtomicWallet, Ethereum, and LiteCoinCore wallets, as well as the Binance, Phantom, Ronin, BitApp, and Starcoin wallet extensions, among others, a report from AT&T revealed. Aside from expanding its targets, BlackGuard has been modified to include a crypto wallet clipper module in place of cryptocurrency addresses in the Windows clipboard. The report also showed that BlackGuard has gained a new propagation mechanism enabling its spread through removable devices, including USB sticks, as well as additional payload downloading capabilities that bypass antivirus system detection through process hollowing. Moreover, persistence is established by the info stealer through self-addition under the "Run" registry key, while every C:drive folder is found to contain malware files.