Researchers have reported a new malware family called Vega Stealer. It is a variant of the August Stealer crypto-malware and is designed to harvest credentials, credit card details, sensitive documents and cryptocurrency wallet details saved in the Chrome and Firefox browsers. The malware is currently being distributed in phishing campaigns, but researchers believe that Marketing, Advertising, Public Relations, Retail and Manufacturing organizations are also being targeted.
Researchers at Proofpoint were the first to notice and report the malware. According to them, it is being spread through a phishing campaign in which emails with the subject line “Online store developer required” are sent to victims. The email carries an attachment named “brief.doc”, which contains malicious macros that download the Vega Stealer payload.
Once the document is downloaded, the macros retrieve the payload in a two-step process. The document executes a request that retrieves an obfuscated JScript/PowerShell script. This in turn creates the second request, which downloads the Vega Stealer payload and saves it in the user’s “Music” directory. Once downloaded, the malware is executed automatically via the command line.
On Chrome, Vega Stealer is designed to harvest saved credentials, credit card details, profiles and cookies. On Firefox, the malware instead looks for specific files that hold passwords and keys: ‘key3.db’, ‘key4.db’, ‘logins.json’ and ‘cookies.sqlite’. Besides that, the malware can take screenshots of the infected PC and can scan for files ending in .doc, .docx, .txt, .rtf, .xls, .xlsx or .pdf.
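The two-stage delivery chain described above (a macro in the lure document spawning a script host, then the payload being run from the user’s “Music” directory) is the kind of behaviour endpoint telemetry can flag. The following is an added detection example, not code from the article or from Proofpoint; the process-creation events, user name, paths and command lines are constructed sample data, and the rule names are our own.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields);
# the paths, user name and command lines are made up, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <placeholder>"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\Music\payload.exe",
     "cmdline": r"C:\Users\alice\Music\payload.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
# A user's Music folder is not a normal place for executables to run from
MUSIC_DIR = re.compile(r"\\Users\\[^\\]+\\Music\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names the event matches (empty if benign)."""
    hits = []
    parent, image = basename(event["parent"]), basename(event["image"])
    # Stage 1: the macro in the lure document spawns a script host to fetch the payload
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Stage 2: the downloaded payload is executed from the user's Music directory
    if MUSIC_DIR.search(event["image"]):
        hits.append("exec_from_music_dir")
    return hits


def detect(events):
    """Map each suspicious image path to the rules it tripped."""
    return {e["image"]: classify(e) for e in events if classify(e)}


if __name__ == "__main__":
    for image, rules in detect(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(rules)}")
```

Either rule alone produces some false positives in an office environment; correlating both within one user session and a short time window is what makes this chain stand out.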
Vega Stealer serves as a good example of how hackers can tweak existing malware to easily target organizations. Because of this, organizations should train their employees and make them aware of how these phishing campaigns work. This is very important because one compromised system can infect other systems in the same network.
15/05/2018 09:36 AM