The company’s FortiGuard Labs discovered the stealer when it came across suspicious-looking files in a cursory review.
The good news is that the analysts believe it not to be sophisticated in nature, but even so, Fortinet suggests that the information stolen from victim machines could go on to be used for future attacks.
ThirdEye infostealer witnessed in the wild
Suspicions were raised when the team found a Russian file name in a file archive. The name, “Табель учета рабочего времени.zip,” translates to timesheet. Inside the zipped folder are two files that pose as documents, but are actually executables.
The .exe files are designed to target Windows machines, which have long been the subject of attacks. However, recent months have seen many attackers shift their attention to Android devices, with multiple reports of malicious apps being hosted in the Play Store.
When successfully deployed, the malware steals information like BIOS and hardware data and sends it back to its C2 server.
While early versions of the malware, dating back to April, collected little more than client_hash, OS_type, host_name, and user_name, modifications a few weeks later added new parameters targeting CPU and RAM information, network interface data, and BIOS information.
Fortinet believes that the malware serves the purpose of “understanding and narrowing down potential targets,” and that it might be looking to target Russian victims given the language used and the fact that it was found on a public scanning service from the country.
Currently, the analysts aren’t overly concerned with the malware’s sophistication, but evidence of developments suggest that future versions could be even more intrusive.