
KPOT Stealer

Posted: April 11, 2019

The KPOT Stealer is spyware that collects passwords and other credentials; it can also 'grab' files and compromise accounts for social services and FTP clients. It's available for rent on the dark Web, and threat actors circulate it by compromising freeware sites' downloads and hosting phishing copycat domains. Users can protect themselves with anti-malware solutions that identify and uninstall the KPOT Stealer, after which they should re-secure all at-risk login credentials.

Sticking Your Foot into a Pot of Wallet Trouble

The KPOT Stealer is a flexible spyware product that offers cheap services (for less than two hundred dollars) to the criminals who rent it. Although the efficacy of its attacks scarcely matches that of better-funded campaigns like those of Duqu, it can nevertheless collect a range of information and shows few or no symptoms while it does so. What's of more interest to malware researchers is the variety of exploits that the KPOT Stealer's threat actors are using for its dissemination.

The installation exploits for KPOT Stealer campaigns fit into two categories: social engineering tricks and outright compromises of download links. In one case, threat actors design fake versions of websites like the Jaxx cryptocurrency domain and host copycat installers that, besides including the Jaxx client, also silently drop the KPOT Stealer spyware onto the system. Other attacks compromise legitimate sites like that of the VSDC video-editing program and, once again, alter the download by bundling the Trojan with it. Malware experts can't verify any additional user warnings triggering during these infections.

The KPOT Stealer employs general data-exfiltrating features such as:

  • It can collect credentials, such as passwords, from most browsers, including derivatives of Chromium or Mozilla's Firefox, as well as Internet Explorer.
  • It harvests messaging data for Skype, Telegram, Discord, and other communication software.
  • It compromises accounts for FTP clients such as FileZilla and Total Commander.
  • The attacker can instruct the KPOT Stealer to upload files from the system, including logs, cookies or other content.
  • The KPOT Stealer also supports capturing screenshots in PNG format.

Throwing Out an Old, Russian Pot

The KPOT Stealer is being sold by and, seemingly, purchased by Russian threat actors for deployment in campaigns like the ones outlined above. While its feature set isn't as comprehensive as it could be and lacks the sophistication of more specialized, Man-in-the-Middle-style spyware, a KPOT Stealer infection can give an attacker access to passwords, message history, and most other forms of information. Besides its independent risks, malware researchers note a tendency for the KPOT Stealer's installation exploits to include additional threats like Trojan downloaders or Clipper, a cryptocurrency wallet hijacker.

Looking over account activity may turn up circumstantial evidence of an otherwise-invisible KPOT Stealer infection, although this silver lining is far from guaranteed. Traditional anti-malware solutions should identify most of the components of an installation exploit and block corrupted domains. After removing the KPOT Stealer through appropriate anti-malware services, victims should change the credentials for any affected accounts.
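The account-activity review suggested above can be made more systematic. The following is an added example, not code from the original article or from any security vendor: it builds a baseline of where, with which client, and at what hours an account is normally used, then flags later logins that don't match, which is the kind of circumstantial evidence a credential theft leaves behind. The log format (timestamp, source country, client family) and the sample records are constructed for illustration; a real service's activity export needs its own parser.

```python
"""Flag account logins that deviate from an established baseline.

Added example, not from the original page or any vendor. The log format and
the sample records below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of one user's login history, oldest first.
# Fields: timestamp (UTC), source country, client (user-agent family).
SAMPLE_LOG = """\
2019-03-20T08:12:05Z DE Firefox
2019-03-21T08:30:41Z DE Firefox
2019-03-22T19:02:13Z DE Firefox
2019-03-25T08:05:22Z DE Firefox
2019-04-02T03:41:09Z RU Chrome
2019-04-02T03:44:57Z RU Chrome
2019-04-03T08:10:30Z DE Firefox
"""


def parse_log(text):
    """Parse 'timestamp country client' lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, country, agent = line.split(maxsplit=2)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "country": country,
            "agent": agent,
        })
    return events


def find_anomalies(events, baseline_days=7):
    """Compare each login after the baseline window to what the window saw.

    The baseline is the first `baseline_days` days of history. A later login
    from a country or client never seen in the baseline is flagged, as is a
    login at an hour (UTC) the baseline never used. Returns a list of
    (timestamp, [reasons]) pairs, oldest first.
    """
    if not events:
        return []
    events = sorted(events, key=lambda e: e["time"])
    cutoff = events[0]["time"] + timedelta(days=baseline_days)

    # Collect the "normal" countries, clients and hours from the baseline.
    known = defaultdict(set)
    for e in events:
        if e["time"] < cutoff:
            known["country"].add(e["country"])
            known["agent"].add(e["agent"])
            known["hour"].add(e["time"].hour)

    findings = []
    for e in events:
        if e["time"] < cutoff:
            continue
        reasons = []
        if e["country"] not in known["country"]:
            reasons.append("new country %s" % e["country"])
        if e["agent"] not in known["agent"]:
            reasons.append("new client %s" % e["agent"])
        if e["time"].hour not in known["hour"]:
            reasons.append("unusual hour %02d:00 UTC" % e["time"].hour)
        if reasons:
            findings.append((e["time"], reasons))
    return findings


if __name__ == "__main__":
    for when, why in find_anomalies(parse_log(SAMPLE_LOG)):
        print(when.isoformat(), "; ".join(why))
```

On the sample data the two early-morning logins from a new country and a new browser are flagged while the owner's usual morning login is not. A single flag is not proof of compromise (travel and new devices are common), but a cluster of them after a recent freeware download is exactly the pattern that should prompt a malware scan and a credential reset.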

The KPOT Stealer is an extremely cost-efficient option for any spyware campaign, provided the threat actor is willing to pay the asking price. Since it takes few victims for a deployment to make that money back, users should protect themselves appropriately, especially when they're downloading something off the Web.
