Newly Surfaced ThirdEye Infostealer Targeting Windows Devices

Cyber Security Threat Summary:
Researchers have recently detected a new info stealer known as ThirdEye, which exists in several variants, all designed to target and steal victims’ data. During a preliminary analysis, FortiGuard Labs came across this highly malicious yet relatively unsophisticated info stealer while examining suspicious files. The researchers became suspicious after encountering a Russian-named archive file whose name translates to “time sheet” in English. Inside the archive, they discovered two additional files, both with double extensions. One of the Russian file names translates to “QMS Rules for issuing sick leave” in English. Upon further investigation, the researchers observed similarities with previously detected samples of the ThirdEye info stealer, which they had been monitoring since early April 2023.

“The earliest sample of ThirdEye info stealer was discovered on 3 April 2023 at 12:36:37 GMT. This sample collected client_hash, OS_type, host_name and user_name and sent it to C2 server “(glovatickets(.)ru/ch3ckState)” with a custom web request header: Cookie: 3rd_eye=. It was submitted to a file scanning service on 4 April 2023. A few weeks later, researchers found a variant which had a compile timestamp of 26 April 09:56:55 GMT. This variant collected additional data, including the BIOS vendor and release date, RAM size, CPU core number, user’s desktop files list, list of registered users on the device, and network interface data. However, this version crashes in some virtual machines. One day later, they found a new variant with just one change: it used a PDF icon. This variant used “(ohmycars(.)ru/ch3ckState)” as C2 communications. Later, another variant was found which gathered additional data such as total and free disk space on the C drive, domain name, network ports list, list of programs and version numbers, systemUptime, CD-ROM, drive letters volume information, currently running processes list, and programs installed in the Program Files directory” (HackRead, 2023).

Security Officer Comments:
The malware is designed to extract various types of system data from infected devices, including BIOS and hardware information. It is also capable of enumerating folder files, running processes, and network data. Upon execution, the info stealer swiftly collects the gathered data and sends it to a command and control server. Other than this function, the ThirdEye info stealer does not exhibit any additional behavior. Furthermore, researchers discovered a string named “3rd eye” which, when decrypted and combined with another hash value, is used to identify the C2 server. Although ThirdEye Infostealer is not highly sophisticated, it is evolving rapidly. ThirdEye primarily targets Windows-based systems and is rated at a medium severity level. Currently, there is no evidence to suggest that ThirdEye has been used in actual attacks.
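The network indicators quoted above (the /ch3ckState C2 path, the custom “Cookie: 3rd_eye=” request header, and the two defanged C2 hosts) are the kind of thing a defender can match directly in web proxy logs. The following is an added detection example, not code from the summary, HackRead or Fortinet: it re-assembles the defanged hosts for matching, parses a constructed JSON-lines proxy log (field names such as host, path and headers are assumptions about the log format, not a real product schema), and reports which indicators each request matched, skipping malformed lines instead of crashing.

```python
"""Flag HTTP requests matching the ThirdEye C2 indicators from the write-up.
Indicators: path /ch3ckState, 'Cookie: 3rd_eye=' header, hosts glovatickets.ru
and ohmycars.ru (defanged in the source, re-assembled here for matching)."""
import json
import re
from typing import Iterable

# Indicators taken from the write-up.
C2_HOSTS = {"glovatickets.ru", "ohmycars.ru"}
C2_PATH = "/ch3ckState"
# Match the 3rd_eye cookie whether it is the only cookie or one of several.
COOKIE_RE = re.compile(r"(?:^|;\s*)3rd_eye=")

# Constructed sample of a JSON-lines proxy log (not real traffic; the field
# names are an assumption about the log format, not a vendor schema).
SAMPLE_LOG = """\
{"ts": "2023-04-03T12:40:01Z", "src": "10.0.0.15", "host": "www.example.com", "method": "GET", "path": "/index.html", "headers": {"User-Agent": "Mozilla/5.0"}}
{"ts": "2023-04-03T12:41:09Z", "src": "10.0.0.15", "host": "glovatickets.ru", "method": "POST", "path": "/ch3ckState", "headers": {"Cookie": "3rd_eye=0a1b2c"}}
{"ts": "2023-04-27T08:15:33Z", "src": "10.0.0.22", "host": "cdn.example.net", "method": "GET", "path": "/ch3ckState", "headers": {}}
{"ts": "2023-04-27T08:16:00Z", "src": "10.0.0.22", "host": "ohmycars.ru", "method": "POST", "path": "/api/v1/status", "headers": {"Cookie": "session=abc; 3rd_eye=deadbeef"}}
not json at all
"""


def match_reasons(entry: dict) -> list[str]:
    """Return the ThirdEye indicators a single parsed request matches (empty if none)."""
    reasons = []
    host = entry.get("host", "").lower()
    path = entry.get("path", "")
    cookie = entry.get("headers", {}).get("Cookie", "")
    if host in C2_HOSTS:
        reasons.append("known C2 host")
    if path == C2_PATH:
        reasons.append("C2 path /ch3ckState")
    if COOKIE_RE.search(cookie):
        reasons.append("custom 3rd_eye cookie")
    return reasons


def find_thirdeye_indicators(lines: Iterable[str]) -> list[dict]:
    """Scan JSON-lines log records and return one hit per matching request."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        reasons = match_reasons(entry)
        if reasons:
            hits.append({
                "ts": entry.get("ts"),
                "src": entry.get("src"),
                "host": entry.get("host"),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_thirdeye_indicators(SAMPLE_LOG.splitlines()):
        print(hit)
```

Each hit lists every indicator it matched, so a request to an unknown host that still carries the 3rd_eye cookie or the /ch3ckState path surfaces on its own, which matters because the write-up shows the C2 host changing between variants while the path and header stayed the same.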

Suggested Correction(s):
Researchers at Fortinet have published IOCs that can be used to detect the ThirdEye Infostealer:

https://www.fortinet.com/blog/threa...eye-infostealer-pries-open-system-information

Link(s):
https://www.hackread.com/thirdeye-infostealer-windows-devices/
https://www.fortinet.com/