Advanced infostealer malware featured on a new phishing campaign

August 20, 2024

A new, sophisticated phishing campaign uses an elusive infostealer to exfiltrate several categories of data. According to the reports, the malware targets not only commonly stolen items such as saved passwords but also session cookies, credit card details, browser history, and even data from Bitcoin-related browser extensions.

The operation then sends the stolen information as a zipped email attachment to an attacker-controlled address. This delivery technique marks a further step in the capabilities of information-stealing malware.


The phishing campaign deploys the infostealer malware by tricking victims into opening attachment files.


The infostealer malware is distributed through a phishing email that entices victims to open an attached purchase order file.

These emails contain grammatical errors and appear to come from a spoofed sender address. The attachment is an ISO disc image file, a format that reproduces the contents of optical discs such as CDs or DVDs.

This disc image contains an HTML Application (HTA) file, a file type that runs with the privileges of a desktop application rather than under a browser's security restrictions. Once a victim opens the HTA file, the campaign sets off a series of malicious payloads.

The chain begins by downloading and executing an obfuscated JavaScript file from a remote server. That script invokes a PowerShell script, which retrieves a ZIP file from the same server containing the Python-based information stealer.

The stealer collects its data quickly and then deletes every file it dropped, including itself, to hinder analysis.

The researchers further explained that the information stealer can harvest extensive browser data and files. It extracts the master keys of Chrome, Edge, Yandex, and Brave and uses them to capture session cookies, stored passwords, credit card information, and browsing histories.

The malware also copies data from Bitcoin-related browser extensions such as MetaMask and Coinbase Wallet. It then collects PDF files and zips entire directories, including the Desktop, Downloads, Documents, and %AppData% folders.

The stolen data is emailed to several attacker-controlled addresses at the domain maternamedical.top, each dedicated to a particular category of stolen information. This campaign poses a fresh risk to users, so everyone should be wary of opening attachments from unknown senders or unsolicited messages to avoid falling victim to threats like this one.
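The chain described above (ISO, HTA, JavaScript, PowerShell download, Python stealer, exfiltration by email) lends itself to a simple endpoint detection rule. The following is an added example, not code from the report or the researchers; it assumes Sysmon-style process and network events with the field names shown, and it assumes the JavaScript stage runs under wscript.exe or cscript.exe, which the report does not state.

```python
from dataclasses import dataclass

# Chain from the report: mshta.exe runs the HTA, then JavaScript, PowerShell
# and the Python stealer follow. The intermediate script hosts are an assumption.
HTA_HOST = "mshta.exe"
FOLLOW_ON = {"wscript.exe", "cscript.exe", "powershell.exe", "python.exe"}
EXFIL_DOMAIN = "maternamedical.top"   # exfiltration domain named in the report
SMTP_PORTS = {25, 465, 587}

@dataclass
class Event:
    kind: str              # "process" or "network"
    pid: int
    ppid: int = 0          # parent pid (process events)
    image: str = ""        # executable name (process events)
    dest_host: str = ""    # destination (network events)
    dest_port: int = 0

def ancestry(procs, pid):
    """Image names from the oldest known ancestor down to pid."""
    names, seen = [], set()
    while pid in procs and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        names.append(procs[pid].image.lower())
        pid = procs[pid].ppid
    return names[::-1]

def detect(events):
    """Alert on interpreters descended from mshta.exe and on SMTP to the exfil domain."""
    procs, alerts = {e.pid: e for e in events if e.kind == "process"}, []
    for e in events:
        if e.kind == "process":
            lineage = ancestry(procs, e.pid)
            # mshta.exe anywhere above a script host covers any intermediate stage
            if HTA_HOST in lineage[:-1] and lineage[-1] in FOLLOW_ON:
                alerts.append(f"pid {e.pid}: {' > '.join(lineage)}")
        elif (e.kind == "network" and e.dest_port in SMTP_PORTS
              and e.dest_host.lower().endswith(EXFIL_DOMAIN)):
            alerts.append(f"pid {e.pid}: SMTP to {e.dest_host}:{e.dest_port}")
    return alerts

# Constructed sample telemetry (not from the report): one infection plus an
# unrelated PowerShell launch from Explorer that must not alert.
SAMPLE = [
    Event("process", 100, 1, "explorer.exe"),
    Event("process", 200, 100, "mshta.exe"),
    Event("process", 300, 200, "wscript.exe"),
    Event("process", 400, 300, "powershell.exe"),
    Event("process", 500, 400, "python.exe"),
    Event("network", 500, dest_host="mail.maternamedical.top", dest_port=587),
    Event("process", 600, 100, "powershell.exe"),
]
```

Running `detect(SAMPLE)` yields four alerts for the infected lineage and its SMTP connection, and none for the stand-alone PowerShell process.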
