
Predator the Thief

Posted: May 29, 2019

Predator the Thief is the name of an info stealer that is being sold on Russian forums by a user with the name ‘Alexuiop1337’, the likely creator of this product. The Predator the Thief software has undergone several updates since its release, and the operator has raised its price from $35 to $80, but this has certainly not dampened interest in the offer. This info stealer has been used in several large-scale campaigns targeting users worldwide, and it is very likely that we will see more of it because of its rich feature set and low price.

Although threats of this sort may be distributed through a broad range of propagation techniques, the attackers are likely to rely on fraudulent email attachments. Some of the campaigns linked to the Predator the Thief stealer used macro-laced documents, while others relied on carefully crafted WinRAR archives that exploit CVE-2018-20250. Regardless of the infection vector used, the actions of the Predator the Thief are always the same: it checks whether the system is being used for malware debugging and then chooses whether to drop its files and proceed with the attack or terminate its operation.

Once the Predator the Thief has been initialized, it gets to work and scans specific folders and Registry keys in which a broad range of applications store sensitive information. This info stealer targets an impressive number of programs:

  • Google Chrome, Mozilla Firefox, Opera, Sputnik, Torch, Vivaldi, Comodo Dragon, and other browsers based on the Chromium project.
  • The FileZilla and WinFTP software suites.
  • The ‘.wallet’ and ‘.dat’ files used by Ethereum, Electrum, Armory, Bitcoin, Bytecoin, Multibit and other cryptocurrency wallets.
  • The stealer also targets Discord by trying to collect the ‘https_discordapp_*localstorage’ file, which might enable the remote attacker to access the victims’ accounts if they use the correct configuration.
  • The stealer exfiltrates files used by the Steam platform, thus giving the attacker a chance to bypass Steam’s 2FA or access the victim’s account via offline mode.

After the Predator the Thief collects all of the data, it creates a file called ‘information.log’ and stores in it the victim’s IP address, approximate coordinates, time zone, country, city and ZIP code. This file is placed in an archive alongside all of the captured information, which is then transferred to the attacker’s Command & Control server. Once this task is completed, the Predator the Thief deletes itself and erases all traces of its activity.
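The behaviour described above (one process reading credential stores for many unrelated applications, then writing an ‘information.log’ artifact) is what a defender can look for, rather than the binary itself, which deletes itself after the run. The following is an added example, not code from the original page or from any vendor: a small behavioural detector that correlates file-access events per process. The event line format is constructed for the example, and the store paths are assumed typical locations for the applications named on this page, not indicators taken from the page; only the ‘information.log’ and ‘https_discordapp_*localstorage’ names come from the text.

```python
"""Added example: per-process correlation of credential-store reads.

Flags a process that reads stores belonging to several unrelated
applications, or that reads at least one store and then writes the
'information.log' artifact described on the page. Event format and
sample events are constructed for this example.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class Event(NamedTuple):
    ts: str
    pid: int
    image: str
    op: str
    path: str  # normalised: forward slashes, lower-case


# Constructed log format: <ts> pid=<n> image="<exe>" op=read|write path="<file>"
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+image="(?P<image>[^"]+)"\s+'
    r'op=(?P<op>read|write)\s+path="(?P<path>[^"]+)"$'
)

# Assumed typical locations of the stores the page says are targeted.
# Each key is one "category"; a stealer touches many categories, a
# legitimate application normally touches only its own.
STORE_PATTERNS = {
    "chromium_logins": re.compile(r"/user data/[^/]+/login data$"),
    "firefox_logins": re.compile(r"/profiles/[^/]+/(logins\.json|key4\.db)$"),
    "filezilla": re.compile(r"/filezilla/(sitemanager|recentservers)\.xml$"),
    # '.wallet' / '.dat' files, restricted to the wallet apps named on the page
    "wallet": re.compile(r"/(bitcoin|electrum|armory|ethereum|bytecoin|multibit)/.*\.(wallet|dat)$"),
    "discord": re.compile(r"https_discordapp[^/]*localstorage"),  # name from the page
    "steam": re.compile(r"/steam/(ssfn\d+|config/loginusers\.vdf)$"),
}
# Artifact name from the page: the stealer writes this before archiving.
ARTIFACT_WRITE = re.compile(r"/information\.log$")


def normalise(path: str) -> str:
    return path.replace("\\", "/").lower()


def parse_event(line: str) -> Optional[Event]:
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], int(m["pid"]), m["image"], m["op"], normalise(m["path"]))


def classify(path: str) -> List[str]:
    """Return the store categories a path belongs to (usually zero or one)."""
    return [name for name, rx in STORE_PATTERNS.items() if rx.search(path)]


def analyse(lines: List[str], min_stores: int = 3) -> Dict[int, dict]:
    """Correlate events per pid; return an alert dict for each suspicious pid."""
    stores = defaultdict(set)  # pid -> set of store categories read
    wrote_artifact = set()     # pids that wrote information.log
    images: Dict[int, str] = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # ignore malformed lines rather than failing the whole run
        images[ev.pid] = ev.image
        if ev.op == "read":
            stores[ev.pid].update(classify(ev.path))
        elif ev.op == "write" and ARTIFACT_WRITE.search(ev.path):
            wrote_artifact.add(ev.pid)

    alerts: Dict[int, dict] = {}
    for pid in set(stores) | wrote_artifact:
        touched = stores.get(pid, set())
        # Either breadth (many unrelated stores) or reads plus the artifact write.
        if len(touched) >= min_stores or (touched and pid in wrote_artifact):
            alerts[pid] = {
                "image": images[pid],
                "stores": sorted(touched),
                "wrote_information_log": pid in wrote_artifact,
            }
    return alerts


# Constructed sample events: pid 4120 is Chrome reading its own store (benign),
# pid 7001 is a wallet app reading its own wallet (benign), pid 5528 sweeps
# every store and then writes information.log (the page's pattern).
SAMPLE_EVENTS = [
    r'2019-05-29T10:00:01Z pid=4120 image="C:\Program Files\Google\Chrome\Application\chrome.exe" op=read path="C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'2019-05-29T10:00:02Z pid=7001 image="C:\Program Files\Bitcoin\bitcoin-qt.exe" op=read path="C:\Users\victim\AppData\Roaming\Bitcoin\wallet.dat"',
    r'2019-05-29T10:01:10Z pid=5528 image="C:\Users\victim\AppData\Local\Temp\invoice.exe" op=read path="C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'2019-05-29T10:01:10Z pid=5528 image="C:\Users\victim\AppData\Local\Temp\invoice.exe" op=read path="C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\logins.json"',
    r'2019-05-29T10:01:11Z pid=5528 image="C:\Users\victim\AppData\Local\Temp\invoice.exe" op=read path="C:\Users\victim\AppData\Roaming\FileZilla\sitemanager.xml"',
    r'2019-05-29T10:01:11Z pid=5528 image="C:\Users\victim\AppData\Local\Temp\invoice.exe" op=read path="C:\Users\victim\AppData\Roaming\Bitcoin\wallet.dat"',
    r'2019-05-29T10:01:12Z pid=5528 image="C:\Users\victim\AppData\Local\Temp\invoice.exe" op=read path="C:\Users\victim\AppData\Roaming\discord\Local Storage\https_discordapp.com_0.localstorage"',
    r'2019-05-29T10:01:12Z pid=5528 image="C:\Users\victim\AppData\Local\Temp\invoice.exe" op=read path="C:\Program Files (x86)\Steam\ssfn1234567890"',
    r'2019-05-29T10:01:13Z pid=5528 image="C:\Users\victim\AppData\Local\Temp\invoice.exe" op=write path="C:\Users\victim\AppData\Local\Temp\information.log"',
    "this line is not an event and is skipped",
]

if __name__ == "__main__":
    for pid, alert in analyse(SAMPLE_EVENTS).items():
        print(pid, alert)
```

The threshold of three categories is the main tuning knob: browsers and wallet clients legitimately read their own store, so a single category is noise, while a process that reads browser, FTP, wallet and Steam stores within seconds has no benign explanation. Because the page says the stealer removes itself after exfiltration, this kind of telemetry-based detection has to come from a recorded event stream (an EDR file-access log, for instance), not from scanning the disk afterwards.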

Info stealers are among the more threatening pieces of malware you may come across, because their victims often do not realize that anything shady took place on their computer. These unsafe applications are meant to work swiftly and silently, so their victims often learn about the attack only when they find that many of their accounts have been compromised.
