Newly discovered Windows-based malware steals sensitive information (July 5, 2023)

Ref# AL2023_55 | Date: Jul 5th 2023


Researchers from Fortinet recently discovered a previously unseen infostealer they dubbed Thirdeye, capable of stealing various sensitive information from compromised devices that can be used as steppingstones for future attacks.  


Investigations began when the researchers discovered a Russian-named archive file called .zip, which stands for time sheet in English. The archive file contains two files, both of which are double extension; for example, filename.pdf.exe or filename2.xlsx.exe. The first file is called CMK .pdf.exe which is QMS Rules for issuing sick leave in English and the second file is called .xls.exe which is time sheet, the same name used for the archive. These files execute the ThirdEye infostealer, which harvests various information such as BIOS and hardware information and also enumerates files, folders, running processes and network information. This information is gathered and sent to the malwares command and control (C2) server hosted at hxxp://shlalala[.]ru/general/ch3ckState. 

The researchers noticed a unique string used by the malware called 3rd_eye which it decrypts and uses with a hash value to identify itself to the C2 server and this is how the name was derived for the malware. 

Based on the traits of the two samples examined, the researchers managed to trace back to the very first sample of the now ThirdEye malware. The old sample was submitted to a public file scanning service on April 4th, 2023, and did not harvest much information as the recent ThirdEye sample. It collected the client_hash, OS_type, host_name, user_name of the compromised device and exfiltrated it to the C2 server hxxp://glovatickets[.]ru/ch3ckState. 

A newer sample was then discovered to have been released in later April which has been updated to collect more data from compromised devices. The additional data included BIOS release date and vendor, number of CPU, cores and RAM size, file list of the users desktop, network interface data and the list of usernames registered to the infected computer. However, this sample crashed on certain virtual machines because of missing hardware information. The threat actors behind the malware were aware of this and released an updated version a day later, fixing the crash issues and replacing the icons of the malware file. This variant used the C2 server hxxp://ohmycars[.]ru/general/ch3ckState. 

A week later, another variant was discovered, bringing about some more changes to the data collected. The new variant now checks for Total/Free disk space on the C drive, Domain name, list of network ports the infected computer is currently using, list of currently running processes, list of installed programs in the Program_Files directory, systemUpTime, list of users programs, including the version number and the volume information such as CD-ROM and other drive letters.  

The number of variants discovered ascertains that the threat actors are actively updating this malware and even though there is no solid evidence of it being used in attacks, the malware is designed to collect information from compromised machines of potential targets. It is believed that this infostealer was designed for that purpose, and ThirdEye victims may be the subject of future cyberattacks.  

Indicators of Compromise 

Below is the list of IOCs including sample hashes and C2 URLs associated with the ThirdEye malware: 




Archive file containing ThirdEye Infostealer 


ThirdEye Infostealer 


ThirdEye Infostealer 


ThirdEye Infostealer 


ThirdEye Infostealer 


ThirdEye Infostealer 


ThirdEye Infostealer 


ThirdEye Infostealer 


ThirdEye Infostealer 


ThirdEye Infostealer 


ThirdEye Infostealer 


ThirdEye Infostealer C2 


ThirdEye Infostealer C2 


ThirdEye Infostealer C2 


ThirdEye Infostealer C2 


The attack vector used by this malware seems to be in the form of phishing emails or spear phishing emails. It is therefore recommended to be wary of suspicious emails with potential malicious attachments or links. Delete suspicious emails and always scan any attachments downloaded from emails with a reputable anti-virus software. It would also be wise to conduct cybersecurity drills and exercises to learn more about phishing emails and how to identify them.  

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 

PDF Download: Newly discovered Windows-based malware steals sensitive information.pdf