The IT security researchers at Proofpoint have discovered a new malware developed to steal saved login and credit card credentials from Chrome and Firefox browsers. Apart from credential stealing capability, the malware also steals sensitive documents from the targeted device.
Dubbed Vega Stealer by researchers; the malware is a variant of August Stealer which was discovered in December 2016 stealing saved passwords, documents, and other sensitive data from Skype, Opera, Chrome and Firefox browsers.
Vega Stealer is being distributed through a spam email campaign with different subject lines including “Online store developer required.” The email comes with a Microsoft document attachment called “brief.doc” containing malicious macros which once enabled downloads the Vega Stealer payload.
Once Vega Stealer infects a targeted system it starts stealing data and searches the victim’s desktop and sub-directories for files in different formats including .doc, .docx, .txt, .rtf, .xls, .xlsx, .pdf.” This is done for exfiltration after which the malware sends the stolen data to a remote command and control (C&C) server.
Screenshot of the document containing Vega Stealer (Credit: Proofpoint)
Furthermore, like its predecessor, Vega Stealer malware is also written in .NET and shares similar classes. However, August did not have this hard-coded in the malware but rather configurable in the C&C panel.
Moreover, the Chrome browser stealing functionality in Vega is a subset of the August code; August also stole from other browsers and applications, such as Skype and Opera. Vega’s new functionality includes new network communication protocol and expanded Firefox’s stealing functionality.
For now, the prime target of Vega Stealer is advertising, marketing, PR, retail, and manufacturing sector. However, researchers believe that the obfuscated macros used in this campaign are for sale and used by not one but multiple threat actors including those behind Emotet banking trojan.
“The document macro utilized in this campaign is a commodity macro that we believe is for sale and used by multiple actors, including the threat actor spreading Emotet banking Trojan,” said Proofpoint researchers.
“However, the URL patterns from which the macro retrieves the payload are the same as those used by an actor we are tracking who distributes the Ursnif banking Trojan, which often downloads secondary payloads such as Nymaim, Gootkit or IcedID. As a result, we attribute this campaign to the same actor with medium confidence.”
“While Vega Stealer is not the most complex or stealthy malware in circulation today, it demonstrates the flexibility of malware, authors, and actors, to achieve criminal objectives,” the firm’s researchers said. “Because the delivery mechanism is similar to more widely distributed and mature threats, Vega Stealer has the potential to evolve into a commonly found stealer.”
“Vega Stealer…could have longer lasting impacts if further developed and distributed. Due to the distribution and lineage, this threat may continue to evolve and grow,” researchers concluded.
For your security, it is advised to avoid clicking unknown links and downloading attachments sent by anonymous users. Also, scan suspicious files on VirusTotal and keep your system up to date.
