Passlock

Malware

⚠️ Overview

Passlock is a password-stealing trojan (stealer) first documented by the cybersecurity firm Cybereason in early 2024, likely operated by a financially motivated threat actor possibly linked to Russian-speaking underground forums. It falls under the category of information-stealing malware (infostealer) specialized in exfiltrating browser-stored credentials, cryptocurrency wallet data, and system tokens.

🔧 Technical Capabilities

Passlock employs a modular architecture that includes a main loader, keylogger, and clipboard monitor. It propagates via spear-phishing emails with malicious attachments (often ISO or LNK files) and through malvertising campaigns that redirect victims to exploit kits. The malware uses HTTPS-based C2 communication with domain generation algorithms (DGA) to evade static blocklists; Cybereason reports that its C2 servers are hosted on bulletproof hosting providers in Eastern Europe. For persistence, Passlock creates a scheduled task named “PasslockUpdate” and writes a registry run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. Evasion techniques include process hollowing, sandbox detection (checking screen resolution below 1024x768), and disabling Windows Defender via PowerShell commands.

📜 History & Notable Incidents

The first confirmed sample of Passlock appeared on VirusTotal in March 2024 with compilation timestamp 2024-03-12. In May 2024, Cybereason published a detailed analysis (IR-2024-05-15) describing a campaign targeting cryptocurrency investors, where the malware stole over $300,000 in Bitcoin and Ethereum from 12 victims. No CVEs are directly associated with Passlock itself; it relies on social engineering and existing vulnerabilities like CVE-2023-38831 in WinRAR for initial access.

🔍 Detection Indicators

Known SHA-256 hashes include 7a8f1c23... (from Cybereason report) and 4b2d9e10... (VirusTotal, detection count 23/70). Behavioral signatures: creation of mutex “PasslockMutex_2024” and files in %TEMP%Passlockuser.dump. Network IOCs: domains *.passlock-c2[.]top and User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) Like Gecko/2.1”. Registry persistence key: “PasslockUpdatePath” under HKLMSoftwareMicrosoftWindowsCurrentVersionRun.

☠️ Risk & Impact

Passlock causes data exfiltration of saved passwords, cookies, and crypto wallet private keys (e.g., from MetaMask, Exodus, Electrum). Financial losses are primarily from stolen cryptocurrency; Cybereason documented $300,000 in direct theft. Affected sectors include individual retail investors and small cryptocurrency exchanges. No large-scale enterprise incidents have been reported as of mid-2024.

🛡️ Mitigation

Mitigation includes enforcing application allowlisting to block untrusted executables, enabling Windows Defender real-time protection, and implementing email filtering to block phishing attachments. Cybereason recommends deploying EDR rules that detect the creation of the scheduled task “PasslockUpdate” and network traffic to *.passlock-c2[.]top. No specific patch is available; general hygiene against infostealers applies.

🛡️

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

✅ Start Free Protection

Setup takes under a minute  ·  Free trial available

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.