Predator Malware Information

Updated: 21 Oct 2020
Summary

The Predator the Thief malware first appeared in July 2018. It is used to steal usernames, passwords, browser data and the contents of cryptocurrency wallets, and to take photos with the infected victim's webcam. The malware is commonly sold on underground hacking forums and was also featured as part of a bundle of six different forms of malicious software.

This malware is now delivered through malspam whose attachments use fake purchase order documents as the lure. It avoids detection and analysis by using shellcode to detect debuggers and sandboxes, and it uses the legitimate AutoIt software to execute the malware payload. AutoIt is a scripting language intended to automate basic tasks in the Windows graphical user interface (GUI). The gathered information is packed and sent to the attackers' command and control (C&C) server. The data package is sent via Hypertext Transfer Protocol (HTTP) POST requests, alongside machine fingerprint data and sensitive network configuration details.
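The delivery chain above (a malicious Office attachment, the legitimate AutoIt interpreter running the payload, then an HTTP POST carrying the stolen data to the C&C server) gives a defender two events to correlate. The following is an added detection example written for this article; it is not Trend Micro's code or any product rule. The event layout, the Office and AutoIt image names, the five-minute window and all sample telemetry are assumptions constructed for the example, modelled loosely on Sysmon-style process-creation and network events.

```python
"""Added example (not Trend Micro's code): correlate host telemetry to spot the
delivery chain described on the page -- an Office document spawning the AutoIt
interpreter, followed by an HTTP POST from that process. Event layout and
process names are assumptions modelled loosely on Sysmon-style logs."""
from datetime import datetime, timedelta

# Assumed image names of Office hosts that would open a "purchase order" attachment.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "outlook.exe"}
# Assumed image names of the legitimate AutoIt interpreter abused to run the payload.
AUTOIT_IMAGES = {"autoit3.exe", "autoit3_x64.exe"}

# Constructed sample telemetry (not real indicators). Fields mimic Sysmon
# event 1 (ProcessCreate) and event 3 (NetworkConnect) with a constructed
# HTTP method and request size added by a proxy or EDR sensor.
SAMPLE_EVENTS = [
    {"ts": "2020-10-21T09:00:00", "type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"ts": "2020-10-21T09:00:05", "type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe"},
    {"ts": "2020-10-21T09:00:20", "type": "http", "pid": 200,
     "method": "POST", "host": "203.0.113.10", "bytes": 48213},
    # Benign: AutoIt launched from Explorer by an admin script, no outbound POST.
    {"ts": "2020-10-21T10:00:00", "type": "process", "pid": 300, "ppid": 5,
     "image": r"C:\Tools\AutoIt3.exe"},
    {"ts": "2020-10-21T10:00:02", "type": "http", "pid": 300,
     "method": "GET", "host": "intranet.example", "bytes": 120},
]


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _parse(ts):
    return datetime.fromisoformat(ts)


def detect_predator_like_chain(events, window_seconds=300):
    """Return one alert per AutoIt process that was spawned by an Office
    application and issued an HTTP POST within `window_seconds` of starting."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for pid, proc in procs.items():
        if _basename(proc["image"]) not in AUTOIT_IMAGES:
            continue
        parent = procs.get(proc["ppid"])
        if parent is None or _basename(parent["image"]) not in OFFICE_IMAGES:
            continue  # stage 1 not met: AutoIt without an Office parent
        start = _parse(proc["ts"])
        deadline = start + timedelta(seconds=window_seconds)
        posts = [e for e in events
                 if e["type"] == "http" and e["pid"] == pid
                 and e["method"] == "POST"
                 and start <= _parse(e["ts"]) <= deadline]
        if not posts:
            continue  # stage 2 not met: no outbound POST inside the window
        alerts.append({
            "pid": pid,
            "parent_image": _basename(parent["image"]),
            "post_hosts": sorted({p["host"] for p in posts}),
            "post_bytes": sum(p["bytes"] for p in posts),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_predator_like_chain(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the benign AutoIt run (started from Explorer, only a small GET) is ignored, while the Office-spawned interpreter that posts roughly 48 KB to an external host produces a single alert. The window keeps the rule from pairing a document-spawned AutoIt process with unrelated POSTs hours later; tune `window_seconds` and the image sets to your environment.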

This malware gathers the following data and sends it to its servers:

  • User credentials and other sensitive data such as computer software and specifications
  • Credit card user credentials
  • Information from various local and cloud folders
  • Cryptocurrency files from Ethereum, Multibit, Electrum, Armory, Bytecoin and Bitcoin files
  • Cookies from web browsers such as Chrome, Firefox
  • File Transfer Protocol (FTP) credentials from FTP software such as FileZilla, WinFTP
  • Gaming accounts from Steam, Discord
  • Screenshots of desktop and photos of user from webcam

Capabilities

  • Information Theft

Impact

  • Violation of user privacy - gathers user credentials, takes screenshots and steals user information

Additional Threat Reference Information

Infection Chain

Spam sample (Purchase Order Attachment Spam):

Available Solutions

Solution Modules                   | Solution Available | Pattern Branch      | Release Date | Detection/Policy/Rules
-----------------------------------|--------------------|---------------------|--------------|-----------------------------
Email Protection                   | Yes                | AS Pattern 5226     | 43872        | -
URL Protection                     | Yes                | In the Cloud        | -            | -
Advanced Threat Scan Engine (ATSE) | Yes                | 15.620.00           | 43844        | -
Predictive Machine Learning        | Yes                | In the Cloud        | -            | Troj.Win32.TRX.XXPE50FFF033, Troj.Win32.TRX.XXPE50FFF034
File detection (VSAPI)             | Yes                | ENT OPR 15.620.00   | 43871        | HS_PREDATOR.SM, Trojan.AutoIt.PREDATOR.F, Trojan.W97M.PREDATOR.AB, Trojan.Win32.PREDATOR.I, TrojanSpy.Win32.PREDATOR.GL
Network Pattern                    | Yes                | NCIP 1.13971.00     | 43796        | PREDATOR - HTTP (Request)
Behavioral Monitoring (AEGIS)      | Yes                | TMTD OPR 1897       | 43588        | -
Category: Remove a Malware / Virus
Solution Id: 000241968