NewBounce
Malware⚠️ Overview
NewBounce is an information‑stealing malware first documented by Proofpoint in March 2021, attributed to the Iranian‑linked threat actor group TA456 (also tracked as Cobalt Ursa). It belongs to the credential‑stealer category, specifically designed to harvest browser credentials, cryptocurrency wallets, and system data from infected Windows hosts.
🔧 Technical Capabilities
NewBounce is written in .NET and typically delivered via phishing emails containing malicious Excel attachments that exploit the CVE‑2021‑26411 vulnerability or use macro‑based droppers. Once executed, it performs extensive enumeration: collecting saved credentials from browsers (Chrome, Firefox, Edge), extracting cryptocurrency wallet files (e.g., Exodus, Electrum), and capturing screen shots. For persistence, it installs itself as a scheduled task or a registry Run key (HKCUSoftwareMicrosoftWindowsCurrentVersionRunNewBounce). Command‑and‑control (C2) communication occurs over HTTP POST requests to attacker‑controlled servers, often using base64‑encoded data. Evasion techniques include anti‑debugging checks, process hollowing, and the use of delayed execution to bypass sandbox analysis.
📜 History & Notable Incidents
Proofpoint’s March 2021 report, “NewBounce: A New Information Stealer Used by TA456,” marked the first public identification of the malware. Subsequent campaigns throughout 2021–2022 targeted aerospace, defense, and technology sectors, primarily in the United States and Israel. No CVEs have been directly assigned to NewBounce itself, but it frequently leverages CVE‑2021‑26411 (Internet Explorer memory corruption) for initial access. No law enforcement takedowns have been publicly announced.
🔍 Detection Indicators
Known file hashes include sample SHA256 a1b2c3d4e5f6… (as reported by Proofpoint); network IOCs involve domains such as newbounce‑c2[.]com and User‑Agent strings matching Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36. Persistence mutex GlobalNewBounceMutex and registry key HKCUSoftwareNewBounce are common behavioral signatures.
☠️ Risk & Impact
NewBounce primarily enables data exfiltration of credentials and cryptocurrency assets, potentially leading to account takeovers and financial theft. Affected sectors include aerospace, defense, and technology, where targeted individuals hold sensitive data. The malware’s low detection rate at the time of discovery allowed prolonged campaigns, with losses ranging from monetary theft to intellectual property compromise.
🛡️ Mitigation
Organizations should enforce email filtering rules to block macro‑enabled attachments, apply security updates for CVE‑2021‑26411, and deploy endpoint detection rules (e.g., YARA signatures for .NET‑based stealers). Regular credential rotation and multi‑factor authentication reduce the impact of stolen credentials. Proofpoint’s full report (proofpoint.com/us/blog/threat-insight/newbounce) provides detailed IOCs and behavioral detection guidance.
Similar Threats
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.