Kpot, The info stealer

Kpot, an older information stealer, has just received a major update and is being seen in the wild again. This version brings zero persistence, meaning the stealer is never written to your computer's disk: it does all of its work in memory and then leaves the computer completely. Without real-time protection there is very little left on the machine to detect.

How it works

Kpot is delivered mainly through malicious email attachments. When opened, the document asks the user to click "Enable Editing" and appears unreadable until they do. That click, however, gives the attacker full access to the computer. Once running, Kpot gets to work extracting as much as it can. First, it sends a message to its C&C server asking what it should do. The reply can include many possible commands, and that set can be updated over time; at the time of this writing it includes the following.

Browsers (Chrome, Mozilla, Internet Explorer): cookies, passwords, autofill data, and history are taken and sent back to the C&C server.

Crypto: various cryptocurrency files. Depending on what the wallet software stores on the computer, these can reveal a great deal of information about credentials, emails, and wallets.

Discord: a chat service aimed mainly at gamers. Chat history and user information can be stolen from the files it keeps on the computer.

Battle.net: a game portal for World of Warcraft, StarCraft, and Diablo, among others. Account information can be stolen this way, leading to compromised accounts unless further safeguards such as two-factor authentication are in place.

Screenshots: Kpot can take pictures of whatever you are currently doing. This may be triggered when it recognizes an open banking window or other sensitive information that is not stored on your computer but is visible on the screen.

Windows credentials: Kpot can steal your Windows account information, such as username and password.

Grabber: a more advanced version of what Qulab uses. Kpot uses its grabber to find files that may hold useful information but are not tied to any particular application, for example a "passwords.txt" on the computer. Note that it does not go by file name; instead it takes any file with certain extensions, such as .txt, .pdf, and .doc, to name a few.

Delete: Kpot uses this command to delete itself from the computer along with any other evidence that it was there.

Who is affected?

One of the scary things about Kpot is that it is very affordable on the dark web. Coming in at only $100, with support optional, it no longer takes a master hacker to obtain an information stealer that can then be used in a variety of ways. It could be slipped into downloads from illegitimate sources or used in malspam campaigns.

Indicators of Compromise

What you can do


If you or someone you know is infected with Kpot malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove Kpot from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech04 as the Tech ID. Click here: https://www.superantispyware.com/technician-download.html

https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal

Qulab, The information stealer

Info stealers are nothing new, and Qulab is no exception. Designed to get in quickly and take as much data as they can, these malicious programs steal personal information about you from your computer. In particular, Qulab is known in its current iterations to steal information from browsers, including:

  • login credentials and history
  • file transfer protocol credentials
  • Discord and Telegram logs
  • Steam information and accounts

It can also copy any file that ends in .txt or .maFile, as well as wallet.dat—in case you have anything important lying around.

How it works

Qulab is built in a scripting language called AutoIt. Generally used to automate monotonous keyboard-and-mouse tasks, AutoIt gives the hacker much the same power as a full programming language while (in most cases) being easier to program in, since it is a simpler language. Once executed on your computer, Qulab sets a few important options, notably no tray icon, which prevents you from seeing it running. Then Qulab replaces things like Windows function calls and database queries with slightly modified code of its own. By swapping these common functions for custom versions, the malware reduces its reliance on the computer it is infecting and is able to cause more damage.

Once running on your computer, the malware quickly sets up persistence through well-known methods—such as running the program at computer startup—and a less well-known method that reruns the malware on any major change to the computer, such as:

  • changing any computer settings
  • network status changes
  • connecting to or disconnecting from charger on a laptop
  • being idle for a set period of time

The “clipper” functionality of Qulab revolves around watching what is in your clipboard (the place that stores data you copy) and changing it if it matches certain patterns. Most notably, it replaces wallet IDs for cryptomining accounts so that the earned money goes into the hacker’s account rather than yours. If you are not cryptomining on your computer, it won’t do anything but slow down your computer.
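The defensive side of the clipper behaviour is simple to state: what the user copied and what the clipboard holds a moment later should be the same string, and a silent swap of one wallet address for another of the same kind is the signature to look for. The following is an added example, not code from the original post or from Qulab itself. It assumes some out-of-band record of what the user actually copied (a hypothetical `source` field) and uses loose "looks like an address" patterns for Bitcoin and Ethereum; the addresses in the demo events are constructed.

```python
import re
from dataclasses import dataclass

# Loose "looks like an address" patterns for the families a clipper typically
# targets. These are format checks only, not checksum validation.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{8,87}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str):
    """Return the address family `text` belongs to, or None if it is not an address."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class ClipboardEvent:
    source: str     # what the user actually copied (hypothetical copy-hook record)
    clipboard: str  # what the clipboard contained shortly afterwards


def detect_clipper(events):
    """Return (index, family, original, replaced) for every event in which a
    wallet address was swapped for a different address of the same family.

    Ordinary text changes are ignored; only same-family address substitution
    is flagged, which is exactly what a clipper does and what a user never does.
    """
    alerts = []
    for i, ev in enumerate(events):
        fam_src = classify_address(ev.source)
        fam_clip = classify_address(ev.clipboard)
        if fam_src and fam_src == fam_clip and ev.source.strip() != ev.clipboard.strip():
            alerts.append((i, fam_src, ev.source.strip(), ev.clipboard.strip()))
    return alerts


# Constructed demo events: event 1 and event 3 show the swap, the others are benign.
DEMO_EVENTS = [
    ClipboardEvent("meeting notes for Tuesday", "meeting notes for Tuesday"),
    ClipboardEvent("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",     # user's BTC address
                   "1Attacker5wapTargetDemoAddrXXXXXXX"),    # constructed replacement
    ClipboardEvent("0x" + "a1" * 20, "0x" + "a1" * 20),      # ETH address, untouched
    ClipboardEvent("0x" + "a1" * 20, "0x" + "b2" * 20),      # ETH address, swapped
]

if __name__ == "__main__":
    for idx, family, orig, repl in detect_clipper(DEMO_EVENTS):
        print(f"event {idx}: {family} address replaced: {orig} -> {repl}")
```

In practice the `source` side comes from wherever the defender can observe the copy action before the malware's clipboard hook runs; the value of the check is that it ignores every legitimate clipboard change and fires only on the one change a user never makes.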

The “browser stealer” function checks which browsers you have installed and then immediately attempts to steal any files holding important information. The most notable are wallet.dat, the login data stored by the browser, and history.

Discord, an online chat service, saves messages and chat history on the local computer when installed. Qulab looks for these files and, if it finds them, decrypts them and sends them off to the hacker.

Qulab also attempts to hijack Steam sessions, and if the computer uses the Steam Desktop Authenticator, Qulab also attempts to steal the file that holds its authentication details. This is becoming common among information stealers.

After all this data has been extracted, Qulab sends it to the hacker and then keeps scanning every couple of seconds to see whether any new information has appeared.

Who is affected?

One of the scary things about Qulab is that it is very affordable on the dark web. Coming in at only $30, with support optional, it no longer takes a master hacker to obtain a powerful, flexible information stealer. It could be slipped into downloads from illegitimate sources or used in malspam campaigns.

Indicators of Compromise

  • %APPDATA%/%RANDOM_FOLDER%/
  • %APPDATA%/%RANDOM_FOLDER%/1/
  • %PAYLOAD_NAME%.module.exe (7zip)
  • %PAYLOAD_NAME%.sqlite.module.exe (sqlite3.dll)
  • IP 185.142.97.228
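The indicators above translate directly into two checks a responder can script: look under %APPDATA% for the randomly named folder with its `1/` staging directory and the `*.module.exe` / `*.sqlite.module.exe` drops, and search outbound connection logs for the C2 address. The following is an added example, not code from the original post or from any vendor tool. The C2 IP comes from the list above; the folder name `x7k2q9`, the `svc.` file prefix and the firewall log lines are constructed stand-ins for the `%RANDOM_FOLDER%` and `%PAYLOAD_NAME%` placeholders, built in a temporary directory so the script runs offline.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the list above; the random folder and payload name are
# unknown in advance, so matching is on the fixed parts only.
QULAB_C2_IP = "185.142.97.228"
QULAB_MODULE_SUFFIXES = (".module.exe", ".sqlite.module.exe")
C2_LINE = re.compile(r"\b" + re.escape(QULAB_C2_IP) + r"\b")


def find_qulab_artifacts(appdata: Path):
    """Walk an APPDATA-style tree and return paths matching the Qulab layout:
    a top-level folder containing a '1' staging directory, or any file whose
    name ends in one of the dropped-module suffixes."""
    hits = []
    for folder in sorted(p for p in appdata.iterdir() if p.is_dir()):
        staging = folder / "1"
        if staging.is_dir():
            hits.append(staging)
        for path in folder.rglob("*"):
            if path.is_file() and path.name.endswith(QULAB_MODULE_SUFFIXES):
                hits.append(path)
    return hits


def find_c2_connections(log_lines):
    """Return (line number, line) for every log line naming the Qulab C2 address.
    Word boundaries stop '185.142.97.228' from matching inside a longer number."""
    return [(n, line) for n, line in enumerate(log_lines, 1) if C2_LINE.search(line)]


def build_demo_appdata() -> Path:
    """Construct a throwaway directory tree that mimics an infected %APPDATA%."""
    root = Path(tempfile.mkdtemp(prefix="demo_appdata_"))
    (root / "Microsoft" / "Windows").mkdir(parents=True)      # benign noise
    infected = root / "x7k2q9"                                # %RANDOM_FOLDER% stand-in
    (infected / "1").mkdir(parents=True)                      # staging directory
    (infected / "svc.module.exe").write_bytes(b"demo")        # 7zip module stand-in
    (infected / "svc.sqlite.module.exe").write_bytes(b"demo") # sqlite3.dll module stand-in
    return root


# Constructed firewall log: only the second line talks to the C2.
DEMO_FIREWALL_LOG = [
    "2019-06-03 10:14:02 ALLOW TCP 10.0.0.12:51311 -> 93.184.216.34:443",
    "2019-06-03 10:14:09 ALLOW TCP 10.0.0.12:51320 -> 185.142.97.228:80",
    "2019-06-03 10:14:10 ALLOW UDP 10.0.0.12:53412 -> 10.0.0.1:53",
]

if __name__ == "__main__":
    root = build_demo_appdata()
    for hit in find_qulab_artifacts(root):
        print("filesystem indicator:", hit)
    for n, line in find_c2_connections(DEMO_FIREWALL_LOG):
        print(f"C2 contact on log line {n}: {line}")
```

On a real machine, point `find_qulab_artifacts` at `Path(os.environ["APPDATA"])` and feed `find_c2_connections` the exported firewall or proxy log; a hit on either check is worth a closer look, and a hit on both is a strong match for the indicators listed.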

What you can do


If you or someone you know is infected with Qulab malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove Qulab from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech04 as the Tech ID. Click here: https://www.superantispyware.com/technician-download.html