Predator the Thief started as an experimental malware and has now turned into a real beast. It is a stealthy malware that focuses on stealing credentials and sensitive information such as usernames, passwords, browser data, crypto wallets and payment data. It is known to have been active for one and a half years now. It employs several tricks and mechanisms to make it hard for security products to analyze and detect it.
Predator the Thief spreads via phishing email campaigns, mostly disguised as invoice emails. The "invoice" is a Microsoft Office document with a VBA macro in it that in turn runs a PowerShell script. The PowerShell script downloads three files: AutoIt3.exe, a base64-encoded AutoIt script and an RC4-encoded Predator the Thief payload. The VBA macro then decodes the base64 script and runs AutoIt. The AutoIt script executes Predator using process hollowing, making it appear as a legitimate dllhost.exe process. Once the system is compromised, it gathers all the information into a folder, zips the "package", sends it to its command and control servers and exits.
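As an added defender's example (not code from this page or from any of the samples it lists), the following Python correlates Sysmon-style process-creation records into the delivery chain described above: Office application -> powershell.exe -> AutoIt3.exe -> dllhost.exe. The record format, PIDs, paths and command lines in the sample log are constructed for the example.

```python
import os
from collections import namedtuple

# Simplified Sysmon Event ID 1 (process creation) record; constructed format.
Event = namedtuple("Event", "pid ppid image cmdline")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# The delivery chain from the description, read child-first:
# hollowed dllhost.exe <- AutoIt3.exe <- powershell.exe <- Office application
CHAIN_STAGES = (
    lambda name: name == "dllhost.exe",
    lambda name: name == "autoit3.exe",
    lambda name: name == "powershell.exe",
    lambda name: name in OFFICE_APPS,
)

# Constructed sample log: one infection chain plus a benign COM-surrogate dllhost.
SAMPLE_EVENTS = [
    Event(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(1200, 400, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", '"WINWORD.EXE" Invoice_0423.doc'),
    Event(1330, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -w hidden -nop -c <download stage>"),
    Event(1410, 1330, r"C:\Users\victim\AppData\Local\Temp\AutoIt3.exe", "AutoIt3.exe loader.au3"),
    Event(1500, 1410, r"C:\Windows\System32\dllhost.exe", "dllhost.exe"),
    Event(1600, 400, r"C:\Windows\System32\dllhost.exe", "dllhost.exe /Processid:{...}"),
]

def basename(image):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return os.path.basename(image.replace("\\", "/")).lower()

def match_chain(pid, by_pid, stages=CHAIN_STAGES):
    """Walk parents from pid; return images matched child-first, stopping at the
    first stage that does not match (a missing parent record counts as a mismatch)."""
    matched, ev = [], by_pid.get(pid)
    for stage in stages:
        if ev is None or not stage(basename(ev.image)):
            break
        matched.append(basename(ev.image))
        ev = by_pid.get(ev.ppid)
    return matched

def detect(events, min_stages=len(CHAIN_STAGES)):
    """Return [(pid, chain)] for processes whose ancestry matches at least
    min_stages consecutive stages; lowering min_stages trades precision for
    coverage of variants that skip a stage."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        chain = match_chain(e.pid, by_pid)
        if len(chain) >= min_stages:
            hits.append((e.pid, chain))
    return hits
```

The benign dllhost.exe spawned by explorer.exe matches only the first stage, so it is reported only when min_stages is dropped to 1.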