
Malicious trading website drops malware that hands your browser to attackers

Malwarebytes Labs, 22/04/2026, 12:30

Summary (AI-generated)

Key Points:

  • A new campaign is distributing the Needle Stealer malware via a fake trading website, TradingClaw, which masquerades as an AI trading assistant.
  • The malware targets sensitive information, including browser data and cryptocurrency wallet details, and uses DLL hijacking and process hollowing to run its code under the cover of legitimate processes.
  • Recommended actions include downloading software only from official sources, regularly reviewing browser extensions, and running full scans with security software like Malwarebytes.

Technical Details: Needle Stealer is a modular infostealer written in Go that uses DLL hijacking to execute its code inside legitimate processes. The malware communicates with multiple command-and-control servers for data exfiltration and further instructions.

MITRE ATT&CK Techniques (IDs and names corrected to current ATT&CK; the original listing paired several IDs with the wrong technique names):

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1204.002 - User Execution: Malicious File (Execution). The original listing gave "T1203 - Exploit Public-Facing Application"; T1203 is actually Exploitation for Client Execution and T1190 is Exploit Public-Facing Application, and neither fits the delivery described here, a lookalike download site for a fake AI trading assistant.
  • T1574.001 / T1574.002 - Hijack Execution Flow: DLL Search Order Hijacking / DLL Side-Loading (Defense Evasion). This covers the DLL hijacking the article describes; it was missing from the original list.
  • T1055.012 - Process Injection: Process Hollowing (Defense Evasion, Privilege Escalation). The original listing gave T1055.001, which is Dynamic-link Library Injection.
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Persistence). T1060 is the deprecated ID for this technique.

IOCs Mentioned:

  • Hashes: 95dcac62fc15e99d112d812f7687292e34de0e8e0a39e4f12082f726fa1b50ed, 0d10a6472facabf7d7a8cfd2492fc990b890754c3d90888ef9fe5b2d2cca41c0
  • Domains: tradingclaw[.]pro, chrocustumapp[.]com, chrocustomreversal[.]com, google-services[.]cc, coretest[.]digital, reisen[.]work
  • IPs: 178[.]16[.]55[.]234, 185[.]11[.]61[.]149, 37[.]221[.]66[.]27, 2[.]56[.]179[.]16, 178[.]
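The IOC list above is defanged and, as printed, contains one incomplete entry (the trailing "178[.]"). The following is an added example, not code from the article or from Malwarebytes: it refangs and validates the listed IOCs, discards the truncated entry instead of guessing at it, and sweeps a few constructed DNS/proxy/EDR log lines for hits. The log lines, their key=value format and the internal IP addresses in them are constructed for the example; only the IOC values are taken from the page.

```python
import ipaddress
import re

# The IOC lines as printed on the page (defanged with [.]). The trailing
# "178[.]" is an incomplete entry on the page and is kept as-is so the
# parser demonstrably rejects it rather than completing it.
DEFANGED_IOCS = """
Hashes: 95dcac62fc15e99d112d812f7687292e34de0e8e0a39e4f12082f726fa1b50ed, 0d10a6472facabf7d7a8cfd2492fc990b890754c3d90888ef9fe5b2d2cca41c0
Domains: Tradingclaw[.]pro, Chrocustumapp[.]com, Chrocustomreversal[.]com, google-services[.]cc, Coretest[.]digital, Reisen[.]work
IPs: 178[.]16[.]55[.]234, 185[.]11[.]61[.]149, 37[.]221[.]66[.]27, 2[.]56[.]179[.]16, 178[.]
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def refang(token):
    """Undo common defanging conventions: [.] -> ., (.) -> ., hxxp -> http, [:] -> :."""
    return (token.strip().replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp", "http").replace("[:]", ":"))


def parse_iocs(text):
    """Parse 'Label: a, b, c' lines into typed, lower-cased IOC sets.

    Anything that does not validate as its declared type (e.g. the truncated
    '178[.]') goes into 'rejected' so an analyst sees it instead of silently
    loading a bad indicator.
    """
    iocs = {"sha256": set(), "domain": set(), "ip": set(), "rejected": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, values = line.partition(":")
        label = label.strip().lower()
        for raw in values.split(","):
            token = refang(raw).lower()
            if not token:
                continue
            if label.startswith("hash"):
                (iocs["sha256"].add if SHA256_RE.match(token) else iocs["rejected"].append)(token)
            elif label.startswith("domain"):
                (iocs["domain"].add if DOMAIN_RE.match(token) else iocs["rejected"].append)(token)
            elif label.startswith("ip"):
                try:
                    iocs["ip"].add(str(ipaddress.ip_address(token)))
                except ValueError:
                    iocs["rejected"].append(token)
    return iocs


# Constructed sample log lines (not from the article) in a simple key=value
# format: DNS queries, proxy connections and an EDR file-hash event.
SAMPLE_LOGS = [
    "ts=2026-04-22T12:31:05Z src=10.0.0.12 type=dns query=tradingclaw.pro",
    "ts=2026-04-22T12:31:09Z src=10.0.0.12 type=dns query=www.google.com",
    "ts=2026-04-22T12:31:12Z src=10.0.0.12 type=proxy dst=185.11.61.149 host=cdn.chrocustumapp.com",
    "ts=2026-04-22T12:31:20Z src=10.0.0.44 type=proxy dst=178.16.55.1 host=example.org",
    "ts=2026-04-22T12:32:01Z src=10.0.0.44 type=edr sha256=0D10A6472FACABF7D7A8CFD2492FC990B890754C3D90888EF9FE5B2D2CCA41C0",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def domain_matches(name, domains):
    """Return the listed domain that 'name' equals or is a subdomain of, else None.

    cdn.chrocustumapp.com should hit chrocustumapp.com; the bare TLD is never tried.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_logs(lines, iocs):
    """Return (line_number, ioc_type, matched_value) for every IOC hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(KV_RE.findall(line))
        for key in ("query", "host"):
            if key in fields:
                m = domain_matches(fields[key], iocs["domain"])
                if m:
                    hits.append((n, "domain", m))
        # Exact IP match only: the rejected "178." never becomes a prefix rule,
        # so 178.16.55.1 on line 4 is correctly not a hit.
        if fields.get("dst") in iocs["ip"]:
            hits.append((n, "ip", fields["dst"]))
        if fields.get("sha256", "").lower() in iocs["sha256"]:
            hits.append((n, "sha256", fields["sha256"].lower()))
    return hits


if __name__ == "__main__":
    loaded = parse_iocs(DEFANGED_IOCS)
    print("rejected:", loaded["rejected"])
    for hit in scan_logs(SAMPLE_LOGS, loaded):
        print(hit)
```

Subdomain matching is deliberate: a stealer's C2 host is frequently a subdomain of the registered domain listed in a report, so matching on the registered domain catches it, while refusing to match a bare TLD avoids flagging every .com lookup. Hashes are compared case-insensitively because EDR products differ in the case they emit.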
