
ThirdEye: All you need to know about newly-discovered malware

The very first ThirdEye spyware sample was uploaded to the VirusTotal website on April 4, 2023

ThirdEye, a newly discovered information-stealing spyware, has been assigned a medium severity rating by the cybersecurity vendor Fortinet, which nonetheless warns that the risk to victims could be high.

The company’s FortiGuard Labs found the stealer after performing a quick scan on some files that appeared suspicious.

The good news is that the analysts do not think it is particularly clever, but Fortinet warns that the data taken from the victim devices could still be used to launch future attacks.


ThirdEye Witnessed in the Wild

Suspicions were aroused when the team discovered a Russian file name in a file archive. The name, “Табель учета рабочего времени.zip,” translates to “timesheet.” Inside the archive are two files that appear to be documents but are actually executables.

Windows workstations, which are frequently attacked, are the intended target of the ‘.exe’ files. Separately, there have been several reports in recent months of malicious apps being hosted in the Play Store, as many attackers have turned their attention to Android-based devices.

After successful deployment, the malware collects information such as BIOS and hardware data and sends it back to its command-and-control (C2) server.

Early versions of the malware, dating back to April, collected little more than client hash, OS type, hostname, and user name, but some modifications were added a few weeks later, with new parameters targeting CPU and RAM information, network interface data, and BIOS information.

Fortinet believes the malware’s purpose is to understand and narrow down potential targets, and that it may target Russian victims based on the language used and the fact that it was found on a public scanning service in the country.

Currently, analysts are not overly concerned about the malware’s complexity, but developments suggest that future versions could be even more intrusive.
