Fake 'TradingClaw' Website Spreads 'Needle Stealer' Malware

Fake 'TradingClaw' AI Trading Tool Website Used as Lure to Distribute 'Needle Stealer' Malware

MEDIUM
April 22, 2026
5m read
Malware, Phishing, Data Breach

Related Entities: Needle Stealer, Amadey, GCleaner

Full Report

Executive Summary

Researchers from Malwarebytes have identified a malware campaign distributing an info-stealer known as Needle Stealer. The campaign uses a fake website, tradingclaw[.]pro, which promotes a non-existent AI-powered trading tool called "TradingClaw." Victims interested in financial trading tools are lured into downloading a ZIP file that contains the malware. Needle Stealer is designed to exfiltrate a wide range of sensitive information, with a focus on browser data, active login sessions, and cryptocurrency wallets. The campaign employs techniques like DLL hijacking to evade detection and appears to be part of a broader operation, with the same stealer being distributed by other malware loaders like Amadey and GCleaner.

Threat Overview

The campaign targets individuals interested in cryptocurrency and financial trading, a demographic likely to have valuable digital assets. The tradingclaw[.]pro website acts as the initial lure, using social engineering to convince users to download and execute the malicious payload. The website exhibits evasive behavior, sometimes redirecting users to different sites to avoid analysis.

Once executed, Needle Stealer begins harvesting data from the infected device. Its primary targets are:

  • Browser Data: Cookies, saved passwords, and browsing history from popular web browsers.
  • Login Sessions: Hijacking active sessions to gain access to online accounts without needing credentials.
  • Cryptocurrency Wallets: Searching for wallet files and browser extensions related to cryptocurrency.

The stolen data is exfiltrated to a command-and-control (C2) server. The C2 panel includes functionality to generate fake login pages, suggesting the attackers plan to use the stolen data for further, more targeted phishing attacks.

Technical Analysis

The infection chain demonstrates several evasion techniques:

  1. Social Engineering Lure: A professionally designed website promoting a fake but plausible tool (T1204.001 - Malicious Link).
  2. Payload Delivery: The malware is delivered as a ZIP file, a common method to bypass email gateways.
  3. DLL Hijacking: The initial executable uses DLL hijacking (T1574.001 - DLL Search Order Hijacking) to load the malicious payload. This involves placing a malicious DLL in a location where a legitimate, trusted application will load and execute it, making the activity appear benign.
  4. Credential Theft: The core functionality of the malware is to steal credentials from various sources, particularly web browsers and crypto wallets, mapping to T1555 - Credentials from Password Stores and T1552.001 - Credentials In Files.
  5. Exfiltration: Stolen data is sent to attacker-controlled C2 servers like chrocustumapp[.]com and google-services[.]cc.

Impact Assessment

Victims of Needle Stealer face a high risk of significant financial loss and privacy invasion.

  • Financial Theft: The theft of cryptocurrency wallet data can lead to the immediate and irreversible loss of funds.
  • Account Takeover: Stolen browser sessions and saved passwords can allow attackers to take over email, social media, and financial accounts.
  • Identity Theft: The combination of stolen data can be used to commit identity fraud.
  • Further Attacks: The victim's compromised accounts can be used to launch attacks against their contacts.

IOCs — Directly from Articles

Type     Value                      Description
Domain   tradingclaw[.]pro          Malicious website used as a lure.
Domain   chrocustumapp[.]com        C2 domain.
Domain   chrocustomreversal[.]com   C2 domain.
Domain   google-services[.]cc       C2 domain.
Domain   coretest[.]digital         C2 domain.
Domain   reisen[.]work              C2 domain.

Cyber Observables — Hunting Hints

Security teams can hunt for signs of info-stealer activity:

  • Network Traffic Pattern: Outbound connections to known malicious domains/IPs from the IOC list. Blocking these at the firewall/proxy is a key defense.
  • Process Activity: An unsigned process making network connections and reading files in browser profile directories. Stealers need to access the local files where browsers store data.
  • File Monitoring: Creation of temporary ZIP or log files in C:\Users\<user>\AppData\Local\Temp. Stealers often stage stolen data in a temporary archive before exfiltration.
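The following Python is an added example, not code from the report or from Malwarebytes: it correlates the second and third hunting hints over constructed endpoint telemetry (the event tuples, paths and the placeholder process name "installer.exe" are all assumptions, not real Needle Stealer artifacts) and only flags an unsigned process that both reads browser profile data and talks to the network, so a signed browser reading its own profile stays quiet.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry for illustration: (process, signed?, event,
# detail). "installer.exe" is a placeholder, not a real Needle Stealer name.
EVENTS = [
    ("chrome.exe", True, "file_read",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("chrome.exe", True, "net_connect", "142.250.74.78:443"),
    ("installer.exe", False, "file_read",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("installer.exe", False, "file_create",
     r"C:\Users\alice\AppData\Local\Temp\stage_7f3a.zip"),
    ("installer.exe", False, "net_connect", "203.0.113.7:443"),
]

# Where Chromium- and Firefox-based browsers keep cookies and saved logins.
BROWSER_PROFILE_RE = re.compile(
    r"\\AppData\\(Local\\(Google\\Chrome|Microsoft\\Edge)|"
    r"Roaming\\Mozilla\\Firefox\\Profiles)\\", re.IGNORECASE)
# Archives or logs dropped in %TEMP%, the staging location named in the hints.
TEMP_STAGING_RE = re.compile(
    r"\\AppData\\Local\\Temp\\[^\\]+\.(zip|log)$", re.IGNORECASE)

def hunt(events):
    """Correlate events per process; return {process: set(findings)}."""
    state = defaultdict(lambda: {"signed": True, "browser_read": False,
                                 "network": False, "temp_staging": False})
    for proc, signed, kind, detail in events:
        s = state[proc]
        s["signed"] = s["signed"] and signed
        if kind == "file_read" and BROWSER_PROFILE_RE.search(detail):
            s["browser_read"] = True
        elif kind == "file_create" and TEMP_STAGING_RE.search(detail):
            s["temp_staging"] = True
        elif kind == "net_connect":
            s["network"] = True
    findings = {}
    for proc, s in state.items():
        hits = set()
        # Hint 2: unsigned process touching browser profiles and talking out.
        if not s["signed"] and s["browser_read"] and s["network"]:
            hits.add("unsigned_browser_access_with_network")
        # Hint 3: staging an archive in %TEMP% ahead of exfiltration.
        if s["temp_staging"]:
            hits.add("temp_archive_staging")
        if hits:
            findings[proc] = hits
    return findings
```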

Detection & Response

  • Detection: Use endpoint security solutions with behavioral detection to identify processes accessing sensitive browser files. Network monitoring with DNS filtering and web proxy logs can block and detect connections to known malicious C2 domains. D3FEND's D3-UA - URL Analysis can be used to block the initial lure website.
  • Response: If an infection is detected, immediately isolate the machine from the network. The user must assume all credentials stored on or entered from that machine are compromised. All passwords should be changed from a clean device, and all active sessions for online accounts should be terminated. If cryptocurrency wallets were present, any remaining funds should be moved to a new, secure wallet immediately.

Mitigation

  1. User Education: Train users to be skeptical of software advertised on social media or untrusted websites. Emphasize the danger of downloading and running executables from unknown sources.
  2. Endpoint Security: Use a reputable endpoint security solution that can detect and block known malware and suspicious behaviors.
  3. Attack Surface Reduction: Use browser settings or extensions to block malicious scripts and ads. Configure Windows to show file extensions by default, so users can distinguish a .exe file from a document.
  4. Credential Management: Encourage the use of password managers, which can help mitigate the impact of stolen browser credentials. Use hardware wallets for storing significant amounts of cryptocurrency, as they are not vulnerable to this type of stealer malware.

Timeline of Events

  1. April 22, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Educate users about the risks of downloading software from untrusted websites and social media promotions.
  • Use a modern endpoint security solution that can detect and block known info-stealers and their behaviors.
  • Use DNS filtering or a web proxy to block access to known malicious domains, including the C2 servers used by Needle Stealer.

D3FEND Defensive Countermeasures

A highly effective and scalable defense against campaigns like the one distributing Needle Stealer is DNS Denylisting, often implemented as DNS filtering. Security teams should subscribe to reputable threat intelligence feeds and ingest the list of known malicious domains (like tradingclaw[.]pro and the various C2 domains) into their DNS resolver or web proxy. When a user clicks the malicious link or the malware attempts to contact its C2 server, the DNS request is blocked at the network level, preventing the initial download or the subsequent data exfiltration. This network-based control protects all devices on the network without requiring software on each endpoint and is crucial for breaking the attack chain early.
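As an added example (not code from the report, Malwarebytes or BleepingComputer), the Python below turns the defanged IOCs from this report's table into a denylist and checks resolver queries against it; matching is done on label boundaries so subdomains of a listed C2 are caught while look-alike names such as "notgoogle-services.cc" are not. The query log lines are constructed and only loosely follow BIND's format.

```python
import re

# Defanged IOCs copied from this report's IOC table.
DEFANGED_IOCS = [
    "tradingclaw[.]pro", "chrocustumapp[.]com", "chrocustomreversal[.]com",
    "google-services[.]cc", "coretest[.]digital", "reisen[.]work",
]

def refang(domain):
    """Turn a defanged indicator ('a[.]b', 'hxxp://') back into a real name."""
    d = domain.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    d = d.replace("[.]", ".").replace("(.)", ".").rstrip("./")
    return d

DENYLIST = frozenset(refang(d) for d in DEFANGED_IOCS)

def is_denied(qname, denylist=DENYLIST):
    """True if qname is a listed domain or a subdomain of one.
    Matching is on label boundaries, so 'notgoogle-services.cc' is no hit."""
    name = qname.strip().lower().rstrip(".")
    labels = name.split(".")
    return any(".".join(labels[i:]) in denylist for i in range(len(labels)))

# Constructed resolver log lines (loosely BIND-style) for illustration.
QUERY_LOG = """\
22-Apr-2026 10:01:03.120 client 10.0.0.15#51234: query: tradingclaw.pro IN A +
22-Apr-2026 10:02:17.004 client 10.0.0.15#51240: query: api.google-services.cc IN A +
22-Apr-2026 10:02:18.551 client 10.0.0.15#51241: query: notgoogle-services.cc IN A +
22-Apr-2026 10:03:44.909 client 10.0.0.22#50111: query: www.example.com IN A +
"""
QUERY_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN")

def denied_queries(log_text):
    """Return (client_ip, qname) pairs that should have been blocked."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_denied(m.group(2)):
            hits.append((m.group(1), m.group(2).lower()))
    return hits
```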

To detect the Needle Stealer payload itself, organizations should leverage endpoint security solutions capable of analyzing file content. This goes beyond simple hash-based detection. Security teams can create YARA rules that look for specific strings or code patterns characteristic of Needle Stealer and other info-stealers. For example, a rule could search for the combination of strings related to accessing Chrome's 'Login Data' database, functions for decrypting AES-encrypted credentials, and code for accessing cryptocurrency wallet browser extensions. When a file is downloaded or created, the endpoint agent scans it against these rules. A match would trigger a high-confidence alert and quarantine the file, preventing execution and stopping the threat before any data is stolen.

Sources & References

Fake TradingClaw site pushes Needle Stealer malware to swipe crypto wallets
BleepingComputer (bleepingcomputer.com), April 22, 2026

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Malware, InfoStealer, Needle Stealer, Cryptocurrency, Phishing, Malwarebytes
