top of page

New Zaraza Bot Credential Stealer Targets Passwords from 38 Web Browsers, Including Chrome, Edge

A new variant of credential stealing malware called Zaraza bot has been identified by the Uptycs threat research team. The bot uses Telegram as its command and control, with "zaraza" being the Russian word for infection. The bot is being actively distributed on a popular Russian Telegram hacker channel and targets 38 web browsers, including Google Chrome, Microsoft Edge, and Yandex, to steal login credentials from online bank accounts, cryptocurrency wallets, email accounts, and other high-value websites. Once the sensitive data is retrieved, it is sent to a Telegram server where the attackers can access it immediately.

This type of attack can have severe consequences, such as identity theft, financial fraud, and unauthorized access to personal and business accounts. Uptycs discovered the malware while testing a binary specimen within their sandbox environment and implemented a YARA rule for detection. To protect against this malware, individuals and organizations should update their passwords regularly, use strong passwords and multi-factor authentication, and ensure regular software and security system updates. Uptycs also provides an IOC in the form of an MD5 file hash to help detect the malware.

Zaraza bot is a 64-bit binary file compiled using C# and contains the Russian language in the code. The bot systematically scans through each of the 38 browsers to extract any credential data present on the victim's machine. After successfully extracting encrypted passwords from the browser, the attacker then saves this data to an output.txt file. Additionally, the bot captures a screenshot of the victim's active window, saving it in a JPG file format in the same output.txt file location. The bot's data is shared through a Telegram bot channel that originates from Russia, which has been identified by the Uptycs threat research team.

According to Uptycs, the bot appears to operate on a commercial basis, with threat actors able to purchase access to the bot. The bot administrator or a threat actor associated with the bot may be connected to a Russian user whose username and account information were intercepted by the bot. This discovery was made through analysis of HTTPS packets. Uptycs provides a YARA rule for detection, and individuals and organizations should follow best practices to protect themselves from this type of malware.


bottom of page