Palo Alto Networks researchers discovered SquirtDanger, a botnet malware family likely developed by the Russian cybercriminal known as TheBottle. SquirtDanger connects to a remote command and control (C2) server over TCP and maintains persistence on infected machines through a scheduled task that automatically runs every minute. The botnet has numerous capabilities, including listing and killing processes, taking screenshots, clearing browser cookies, and sending, downloading, uploading, or deleting files. Additionally, SquirtDanger can steal passwords from numerous browsers, including Chrome, Firefox, Kometa, Amigo, Torch, Opera, and the Yandex Browser, and can locate cryptocurrency wallets and replace the victim’s wallet address with another value.
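As an added defender-side example (not code from the Palo Alto Networks report or from this page), the following Python check parses exported Windows Task Scheduler task definitions and flags any task whose trigger repeats every minute or faster, the persistence pattern described above. The task names, commands and XML are constructed samples, and the 60-second threshold is an assumption.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
MAX_INTERVAL_SECONDS = 60  # assumed threshold: flag anything repeating at least once a minute


def iso_duration_seconds(value):
    """Convert a Task Scheduler ISO 8601 duration (PT1M, PT12H, P1D, ...) to seconds."""
    value = value.strip()
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m or value in ("P", "PT"):
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def find_high_frequency_tasks(tasks):
    """tasks: {task_name: task_definition_xml}. Returns (task_name, interval_seconds,
    command) for every task whose trigger repeats at MAX_INTERVAL_SECONDS or less."""
    findings = []
    for name, xml_text in tasks.items():
        root = ET.fromstring(xml_text)
        exec_cmd = root.find(".//t:Exec/t:Command", TASK_NS)
        command = exec_cmd.text.strip() if exec_cmd is not None and exec_cmd.text else ""
        for interval in root.findall(".//t:Repetition/t:Interval", TASK_NS):
            secs = iso_duration_seconds(interval.text or "")
            if secs <= MAX_INTERVAL_SECONDS:
                findings.append((name, secs, command))
    return findings


# Constructed sample task definitions (not real SquirtDanger artifacts):
# a benign daily task and a suspicious one repeating every minute.
SAMPLE_TASKS = {
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Repetition><Interval>P1D</Interval></Repetition>
    <StartBoundary>2018-04-01T00:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec></Actions>
</Task>""",
    "\\updater": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval></Repetition>
    <StartBoundary>2018-04-01T00:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\Public\\updater.exe</Command></Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for name, secs, cmd in find_high_frequency_tasks(SAMPLE_TASKS):
        print(f"{name}: repeats every {secs}s -> {cmd}")
```

On a live host the same function can be fed the output of `schtasks /query /xml` per task, or the XML files under the Tasks folder, instead of the constructed samples.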
Reporting and Technical Details
- April 2018: SquirtDanger: The Swiss Army Knife Malware from Veteran Malware Author TheBottle (Palo Alto Networks)