BlackGuard stealer expands its targets to include 57 crypto wallets and extensions

A new version of the BlackGuard stealer has been discovered with new features that make it more dangerous. The malware, sold as malware-as-a-service (MaaS), targets a wide range of information, including cookies and credentials stored in web browsers, messaging and gaming apps, email clients, and VPN tools.

The new features include a crypto wallet hijacker module that replaces copied cryptocurrency addresses with the attacker’s address, propagation via USB sticks and other removable devices, the ability to download additional payloads from the C2 server and execute them in the breached computer’s memory, and persistence across system reboots. The malware also copies itself to every folder in the C:\ drive with a random name.

BlackGuard now targets 57 cryptocurrency browser extensions and wallets, attempting to steal data and assets.

Users can protect themselves from BlackGuard infections by avoiding downloading executables from untrustworthy websites, not launching email attachments from unknown senders, and keeping their systems and AV tools updated.
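A defender-side check for the self-copying behaviour described above, as an added example that is not from the original article: it flags identical executable content that appears in many folders under different file names. The function names, the `.exe` filter and the five-folder threshold are assumptions, and the sample tree is constructed.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_mass_copies(root, min_dirs=5, exts=(".exe",)):
    """Return {sha256: [paths]} for content present in >= min_dirs folders
    under more than one file name (threshold is an assumption; tune it)."""
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) == 0:
                    continue
                by_hash[sha256_file(path)].append(path)
            except OSError:
                continue  # locked or unreadable file: skip, keep scanning
    hits = {}
    for digest, paths in by_hash.items():
        dirs = {os.path.dirname(p) for p in paths}
        names = {os.path.basename(p).lower() for p in paths}
        if len(dirs) >= min_dirs and len(names) > 1:
            hits[digest] = sorted(paths)
    return hits

def demo():
    """Constructed sample tree: one payload copied under random-looking names,
    plus a legitimate tool duplicated under the same name in two folders."""
    with tempfile.TemporaryDirectory() as root:
        for i, name in enumerate(["qkzt.exe", "b81x.exe", "mmpw.exe", "zz0a.exe", "r7ty.exe"]):
            d = os.path.join(root, f"dir{i}")
            os.makedirs(d)
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"constructed-sample-payload")
        for d in ("dir0", "dir1"):
            with open(os.path.join(root, d, "tool.exe"), "wb") as f:
                f.write(b"constructed-benign-tool")
        hits = find_mass_copies(root)
        return [(len(p), [os.path.basename(x) for x in p]) for p in hits.values()]
```

Requiring more than one file name keeps installers that ship the same helper binary under a fixed name in several folders from being flagged.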