First observed in 2018, Predator (also known as Predator the Thief, Predator the Stealer or PTST) is an information-stealing trojan sold through several Russian-language dark web forums and Telegram boards. Its developers appear to be highly proactive in adding new capabilities and offer a comprehensive control and configuration panel for use alongside Predator.
As a stealer, Predator is considered simple and cheap. It is effective against individuals and small businesses, but in large companies protection solutions and response teams can detect and remove its activity in a relatively short amount of time.
Predator has only been observed being delivered in spam or phishing campaigns, although threat actors using it may employ other distribution methods in the future.
Once delivered, Predator performs a series of checks to detect whether it is running in a virtual environment. It then attempts to escalate its privileges before beginning to collect information. Predator has the following data-gathering capabilities:
- Credential, cookie, search history and form entry extraction from most Chromium- or Gecko-based browsers, including Google Chrome and Mozilla Firefox. Newer versions are also able to extract information from Microsoft Edge and Internet Explorer.
- Credential extraction from gaming, FTP, VPN, messaging and authentication applications.
- Keylogging, although this behaviour has not been observed in the wild.
- System log and clipboard data collection.
- Webcam and microphone recording.
- Collection of WALLET and DAT files associated with most popular cryptocurrencies.
This information is then packaged into a single file, along with a unique identifier, and sent to a threat actor-specified command and control server.
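The collection chain above (browser credential stores, wallet files, then an outbound connection) is what a defender can correlate in endpoint telemetry. The following is an added detection sketch, not code from the original page or from any vendor: it runs over constructed file-access and network events and flags a process that reads artifacts from at least two of the categories the page lists and then connects out. The file names (Login Data, logins.json, key4.db, wallet.dat) are assumptions about common browser and wallet storage, not indicators taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the page): one record per process action,
# shaped like a simplified endpoint-telemetry feed.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "updater.exe", "op": "file_read",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4120, "image": "updater.exe", "op": "file_read",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"pid": 4120, "image": "updater.exe", "op": "file_read",
     "target": r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"},
    {"pid": 4120, "image": "updater.exe", "op": "net_connect", "target": "203.0.113.7:80"},
    # A browser reading its own credential store is normal and must not fire.
    {"pid": 2210, "image": "chrome.exe", "op": "file_read",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 2210, "image": "chrome.exe", "op": "net_connect", "target": "198.51.100.9:443"},
]

# Artifact categories the page says Predator collects. The file-name patterns are
# assumptions about common browser/wallet storage locations, not page content.
CATEGORY_PATTERNS = {
    "browser_credentials": re.compile(r"(Login Data|logins\.json|key4\.db)$", re.I),
    "browser_cookies": re.compile(r"(Cookies|cookies\.sqlite)$", re.I),
    "crypto_wallet": re.compile(r"(wallet\.dat|\.wallet)$", re.I),
}

def categorize(path):
    """Return the artifact category a file path belongs to, or None."""
    for name, pattern in CATEGORY_PATTERNS.items():
        if pattern.search(path):
            return name
    return None

def flag_stealer_like(events, min_categories=2):
    """Map pid -> sorted categories for processes that touched >= min_categories
    artifact types AND made an outbound connection (the stealer's package-and-send step)."""
    touched = defaultdict(set)
    connected = set()
    for ev in events:
        if ev["op"] == "file_read":
            category = categorize(ev["target"])
            if category:
                touched[ev["pid"]].add(category)
        elif ev["op"] == "net_connect":
            connected.add(ev["pid"])
    return {pid: sorted(cats) for pid, cats in touched.items()
            if len(cats) >= min_categories and pid in connected}

if __name__ == "__main__":
    print(flag_stealer_like(SAMPLE_EVENTS))  # {4120: ['browser_credentials', 'crypto_wallet']}
```

Requiring two distinct categories is what keeps the browser's own access to its credential store from firing; in a real deployment the category patterns would be extended to the gaming, FTP, VPN and messaging clients the page mentions.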
Indicators of Compromise
MD5 File Hashes