New ThirdEye Intel: Infostealer Targets Windows Systems

A new Windows malware capable of stealing confidential data from infected computers has been discovered by researchers from Fortinet FortiGuard Labs. The malware, named "ThirdEye" or "Third Eye," is notable because it was not previously recognized by antivirus software.

The method used to spread ThirdEye is still unknown, but it appears to rely on phishing campaigns. The researchers found the malware in an executable file disguised as a PDF document under the Russian name "CMK Rules for the design of hospital sheets.pdf.exe"; the double extension makes the file look like a PDF while it actually runs as a program. The first version of ThirdEye was uploaded to VirusTotal on April 4, 2023, and had limited functionality.

ThirdEye is capable of collecting system metadata such as the release date and manufacturer of the BIOS, the total and free disk space on the C: drive, information about running processes, user names, and volume details. The collected data is then transmitted to the attackers' C2 server. A distinctive feature of the malware is the string "3rd_eye" that it uses when communicating with the server.
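As an added example (not code from the article or from Fortinet), the two indicators the text names can be turned into simple detection checks: a document-looking file name that actually ends in an executable extension, and outbound web traffic carrying the "3rd_eye" marker. The proxy log format, the placement of the marker in the User-Agent field and the sample lines are constructed assumptions.

```python
"""Detection checks for the two ThirdEye indicators named in the article."""
import re

DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}      # looks like a document
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif"}       # actually runs as code
C2_MARKER = "3rd_eye"  # string the article says ThirdEye uses toward its C2

def is_disguised_executable(name: str) -> bool:
    """True for names like 'report.pdf.exe': a document extension hiding an executable one."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return inner in DOC_EXTS and outer in EXEC_EXTS

def find_disguised(names):
    """Return the file names from `names` that use the double-extension disguise."""
    return [n for n in names if is_disguised_executable(n)]

# Constructed proxy log format (assumed): timestamp src method url key=value...
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<rest>.*)$')

def flag_c2_beacons(log_text: str):
    """Return (source_ip, url) for every request whose line carries the C2 marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and C2_MARKER in line.lower():      # case-insensitive match on the marker
            hits.append((m["src"], m["url"]))
    return hits

# Constructed sample inputs; the first file name follows the pattern from the article.
SAMPLE_FILENAMES = [
    "CMK Rules for the design of hospital sheets.pdf.exe",
    "quarterly-report.pdf",
    "setup.exe",
    "invoice.docx.scr",
]
SAMPLE_PROXY_LOG = """\
2023-04-05T10:12:01Z 10.0.0.5 POST http://198.51.100.7/ ua="3rd_eye" bytes=812
2023-04-05T10:12:03Z 10.0.0.8 GET https://example.com/index.html ua="Mozilla/5.0" bytes=20112
2023-04-05T10:13:44Z 10.0.0.5 POST http://198.51.100.7/ ua="3RD_EYE" bytes=804
"""

if __name__ == "__main__":
    print("disguised executables:", find_disguised(SAMPLE_FILENAMES))
    print("possible ThirdEye beacons:", flag_c2_beacons(SAMPLE_PROXY_LOG))
```

Both checks are cheap enough to run over a mail gateway's attachment names and a day of proxy logs; a marker hit plus a double-extension download from the same host is worth an immediate look.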

There is currently no evidence that ThirdEye has been actively used in cyber attacks. However, the majority of the malware samples uploaded to VirusTotal originated from Russia, indicating that the attackers may be targeting Russian-speaking organizations.

“Although this malware is not sophisticated, it is designed to steal various types of information from infected machines, which could be used as a starting point for future attacks,” said the Fortinet researchers. They also noted that the collected data is valuable for identifying and narrowing down potential targets.

This is not the only recent example of malware targeting Windows users. It was recently discovered that fake Super Mario Bros video games, found on suspicious torrent sites, are being used to distribute cryptocurrency miners and a data-stealing Trojan called Umbral. Umbral, written in C#, uses Discord webhooks to exfiltrate the stolen data.

“The combination of mining and data theft leads to financial losses, a significant decrease in system productivity, and the compromise of valuable system resources,” said Cyble, a cybersecurity company.

In addition, video game users have also fallen victim to a remote access Trojan (RAT) with extortion capabilities called Seroxen, which is based on the Python programming language. Seroxen uses a commercial packer called ScrubCrypt (also known as BatCloak) to obfuscate its package files, thereby evading detection. There is evidence that the actors behind the development of Seroxen also played a role in the creation of ScrubCrypt.
