Taurus Project stealer now spreading via malvertising campaign

For the past several months, Taurus Project—a relatively new stealer that appeared in the spring of 2020—has been distributed via malspam campaigns targeting users in the United States. The macro-laced documents spawn a PowerShell script that invokes certutil to run an autoit script ultimately responsible for downloading the Taurus binary.

Taurus was originally built as a fork by the developer behind Predator the thief. It boasts many of the same capabilities as Predator the thief, namely the ability to steal credentials from browsers, FTP, VPN, and email clients as well as cryptocurrency wallets.

Starting in late August, we began noticing large malvertising campaigns, including, in particular, one campaign that we dubbed Malsmoke that distributes Smoke Loader. During the past few days we observed a new infection pushing the Taurus stealer.

Campaign scope

Like the other malvertising campaigns we covered, this latest one is also targeting visitors to adult sites. Victims are mostly from the US, but also Australia and the UK.

Traffic is fed into the Fallout exploit kit, probably one of the most dominant drive-by toolsets at the moment. The Taurus stealer is deployed onto vulnerable systems running unpatched versions of Internet Explorer or Flash Player.

Figure 1: Traffic capture showing the malvertising chain into Fallout EK loading Taurus

Because of code similarities, many sandboxes and security products will detect Taurus as Predator the thief.

Figure 2: The string ‘TAURUS’ as seen in the malware binary

The execution flow is indeed pretty much identical with scraping the system for data to steal, exfiltrating it and then loading additional malware payloads. In this instance we observed SystemBC and QBot.

Stealer – loader combo continues to be popular

Stealers are a popular malware payload these days and some families have diversified to become more than plain stealers, not only in terms of advanced features but also as loaders for additional malware.

Even though the threat actors behind Predator the thief have appeared to have handed over a fork of their original creation and disappeared, the market for stealers is still very strong.

Malwarebytes users are protected against this threat via our anti-exploit layer which stops the Fallout exploit kit.

We would like to thank Fumik0_ for background information about Predator the thief and Taurus.

Indicators of Compromise

Malvertising infrastructure

casigamewin[.]com

Redirector

89.203.249[.]76

Taurus binary

84f6fd5103bfa97b8479af5a6db82100149167690502bb0231e6832fc463af13

Taurus C2

111.90.149[.]143

SystemBC

charliehospital[.]com/soc.exe
c08ae3fc4f7db6848f829eb7548530e2522ee3eb60a57b2c38cd1bdc862f5d6f

QBot

regencymyanmar[.]com/nt.exe
3aabdde5f35be00031d3f70aa1317b694e279692197ef7e13855654164218754