Editbot is categorized as an information stealer designed to extract sensitive data from compromised devices. Editbot’s infiltration often begins with social engineering tactics, employing spam messages on social media platforms.
This information stealer gathers vital device data and targets browsers to extract sensitive information, from login credentials to browsing history. Its distribution methods encompass deceptive downloads, online scams, and more. Editbot’s ability to self-propagate within local networks and storage devices raises significant concerns.
Editbot Overview
Editbot is a type of malicious software categorized as an information stealer. Its primary function is to extract sensitive information from compromised devices. This stolen data typically encompasses browsing history, internet cookies, login credentials, and other confidential information. Editbot is coded in Python and frequently distributed through spam messages disseminated via social media platforms.
Editbot on VirusTotal
| Name | Editbot |
| Detection | Python/PSW.Stealer.FR |
| Threat Type | Trojan, stealer, password-stealing virus, spyware. |
| Damage | Stolen passwords and banking information, identity theft, the victim’s computer added to a botnet. |
| Similar Behavitor | QuiteRAT, NineRAT |
Technical Analysis
The Editbot stealer employs a multi-stage approach to infiltrate systems. It typically begins with downloading a RAR archive, often acquired through social media spam messages. A batch (BAT) file and JSON files are found within this archive, with only the BAT file involved in the infection process. This BAT file establishes a connection to GitLab. Subsequently, the GitLab repository is accessed, leading to the download of a ZIP archive and a BAT file. The ZIP archive contains the Editbot malware, and the batch file is responsible for its execution. All commands are executed using PowerShell scripts.
Upon successful infiltration, Editbot collects pertinent device information, including geolocation data (such as IP address, country name, city, etc.), system details, usernames, and running processes, among other data. Editbot targets a range of web browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Brave Browser, Chromium, and Cốc Cốc (CocCoc) explicitly. Its primary objective within browsers is to extract browsing histories, internet cookies, login credentials (usernames/passwords), and other sensitive information. This harvested data is then transmitted to the attackers via Telegram.
This malicious program places a particular emphasis on acquiring login credentials for social networking and social media accounts. Cybercriminals commonly exploit these platforms to perpetrate identity theft, solicit loans or donations from the victim’s contacts, promote scams, and disseminate malware by sharing malicious files and links. It’s worth noting that malware developers continually enhance their creations and techniques. Consequently, potential future iterations of Editbot may expand their target list or introduce additional/different functionalities. In summary, software like Editbot on devices can lead to severe privacy breaches, financial losses, and identity theft, emphasizing the critical importance of robust cybersecurity measures.
Spreading Methods
Nevertheless, other avenues for proliferation are not uncommon. Malware can spread through drive-by downloads, online scams, malvertising, untrustworthy download sources, illegal software activation tools, and fake updates. Moreover, some malicious programs can self-propagate through local networks and removable storage devices like external hard drives and USB flash drives. Typically, malware is disguised or bundled with seemingly ordinary files, including archives (e.g., RAR, ZIP), executables (e.g., .exe, .run), documents (e.g., Microsoft Office, Microsoft OneNote, PDF), JavaScript files, and more. The initiation of an infected file, either through execution, running, or other methods of opening, triggers the infection chain.
Leave a Comment