NEW DELHI: A new malware called Vega Stealer is doing rounds of the internet. Researchers claim that Vega Stealer is designed to gather saved financial data from Firefox and Google Chrome browsers. The researchers from Proofpointsay that the malware is being used for small phishing attacks but it has the potential to become a threat to businesses in the future.
Vega Stealer is a variant of August Stealer and it finds and steals credentials, confidential documents, cryptocurrency wallet details and other important information. The researchers claim that the malware focuses on the theft of saved credentials and and payment information from Google Chrome.
The credentials consists of passwords, profiles, saved credit card details and cookies. On the other hand, when the Firefox browser is in use then the malware focuses on specific files which store information like keys and passwords.
Apart from stealing information, the malware also captures screenshots of the infected device and scans files that end with .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdf for exfiltration. The researchers also add that presently the malware is being utilized to target businesses in the field of advertising, marketing, retail, manufacturing and public relations.
The reachers highlight, “The macro retrieves the payload in a two-step process in which junk functions iterate while simultaneously building a string to be executed using a GetObject function. This string is the first request in the two-step process (Figure 2). The first request executed by the document retrieves an obfuscated JScript/PowerShell script. The execution of the resulting PowerShell script creates the second request, which in turn downloads the executable payload of Vega Stealer. The payload is saved to the victim machine in the user’s “Music” directory with a filename of “ljoyoxu.pkzip”. Once this file is downloaded and saved, it is executed automatically via the command line.”
The researchers further add, “The document macro utilized in this campaign is a commodity macro that we believe is for sale and used by multiple actors, including the threat actor spreading Emotet banking Trojan,” the researchers say. “However, the URL patterns from which the macro retrieves the payload are the same as those used by an actor we are tracking who distributes the Ursnif banking Trojan, which often downloads secondary payloads such as Nymaim, Gootkit, or IcedID. As a result, we attribute this campaign to the same actor with medium confidence.”
Leave a Reply