MrAnon Stealer malware spread via hotel reservation scam

January 23, 2024

The newly discovered MrAnon Stealer malware campaign targets unsuspecting victims who fall for its sophisticated hotel reservation phishing scam. According to reports, these phishing email campaigns target individuals seeking accommodation at various hotels.

Recent research described the infection method as sophisticated precisely because the lure is plain: it avoids technical jargon and poses as a legitimate hotel reservation company. The phishing emails, titled “December Room Availability Query,” contain specially crafted holiday season booking details.

However, the real threat lies within the malicious PDF attachment, which conceals a downloader link that, once opened, initiates a series of events that activate the MrAnon Stealer malware.

The attack then proceeds through a multi-stage process involving .NET executables, PowerShell scripts, and deceptive Windows Forms dialogs. The operators display false error messages to mask the malware's successful execution, demonstrating a level of skill and strategic thinking.


The MrAnon Stealer malware executes its activities elusively to bypass detections.


Investigations revealed that MrAnon Stealer, a Python-based infostealer, operates discreetly, concealing its activity behind compression to evade detection mechanisms.

The confirmed capabilities of this malware include capturing screenshots, retrieving IP addresses, and stealing sensitive data from various applications. In addition, the malware terminates specific processes on the victim’s system and disguises its requests as legitimate connections when fetching the victim's IP address, country name and country code, further enhancing its cover.

Furthermore, MrAnon Stealer can harvest information from cryptocurrency wallets, browsers, messaging apps and VPN clients (NordVPN, ProtonVPN, and OpenVPN Connect). The attackers also use a Telegram channel as a C2 server, sending stolen data, system information and download links through a bot token.
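Because the stealer exfiltrates through the Telegram Bot API rather than through attacker-owned infrastructure, the traffic blends in with a domain many organisations allow. The following is an added example, not code from the article or from the MrAnon Stealer research, showing one way a defender can triage web proxy logs for bot-token exfiltration: it looks for requests to api.telegram.org whose path carries a bot token and an upload-style method. The log format, the client addresses and the bot token are all constructed for the demo, and the token shape in the regex is an approximation of the real format.

```python
"""Flag outbound HTTP requests shaped like Telegram Bot API exfiltration.

Added example, not code from the article or the research it summarises.
Log format is a simplified, constructed proxy log:
    <timestamp> <client_ip> <method> <url> <status>
"""
import re
from dataclasses import dataclass

# Bot API calls look like https://api.telegram.org/bot<TOKEN>/<method>.
# Token shape (numeric bot id, colon, secret) is approximated here; real
# tokens vary in length, so keep the bounds loose.
BOT_CALL_RE = re.compile(
    r"^https?://api\.telegram\.org/bot"
    r"(?P<token>\d{6,12}:[A-Za-z0-9_-]{30,45})/(?P<method>\w+)"
)

# Methods an exfiltration bot needs. Ordinary user traffic to Telegram goes
# to web.telegram.org or the client apps, not to the Bot API at all.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "getUpdates"}


@dataclass
class Finding:
    client: str
    method: str
    token_id: str  # numeric bot id only; the secret never leaves the log
    line: str


def parse_line(line):
    """Split one constructed log line into fields; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, verb, url, status = parts
    return {"ts": ts, "client": client, "verb": verb, "url": url, "status": status}


def scan_log(lines):
    """Return a Finding for every Bot API call using an exfil-style method."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = BOT_CALL_RE.match(rec["url"])
        if not m:
            continue
        method = m.group("method")
        if method in EXFIL_METHODS:
            token_id = m.group("token").split(":")[0]
            findings.append(Finding(rec["client"], method, token_id, line))
    return findings


def summarize(findings):
    """Group findings per client so one host yields one alert, not one per request."""
    by_client = {}
    for f in findings:
        by_client.setdefault(f.client, set()).add(f.method)
    return by_client


# Constructed sample log: one benign host, one host talking to a bot.
SAMPLE_LOG = [
    "2024-01-10T09:12:01Z 10.0.0.21 GET https://www.example-hotel.test/reservation 200",
    "2024-01-10T09:12:07Z 10.0.0.21 POST https://api.telegram.org/bot1234567890:AAEXAMPLEconstructedTokenValue0123456789/sendDocument 200",
    "2024-01-10T09:12:09Z 10.0.0.21 GET https://api.telegram.org/bot1234567890:AAEXAMPLEconstructedTokenValue0123456789/sendMessage?chat_id=1 200",
    "2024-01-10T09:13:00Z 10.0.0.44 GET https://api.telegram.org/bot1234567890:AAEXAMPLEconstructedTokenValue0123456789/getMe 200",
    "2024-01-10T09:13:05Z 10.0.0.44 GET https://web.telegram.org/a/ 200",
    "garbage",
]

if __name__ == "__main__":
    for client, methods in summarize(scan_log(SAMPLE_LOG)).items():
        print(f"{client}: Bot API calls {sorted(methods)}")
```

Running the block flags only the 10.0.0.21 host, for its sendDocument and sendMessage calls; the getMe probe from the second host and the ordinary web client session are left alone. Legitimate internal bots do use this API, so treat a hit as a triage signal to correlate with the sending process, not as a verdict on its own; a proxy that logs only the host name cannot apply this check, since the token sits in the path, so TLS inspection or endpoint telemetry is needed to see it.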

This phishing campaign, which became more prevalent last month, primarily targeted Germany. The attackers orchestrated a strategic approach, transitioning from Cstealer in July and August to the more potent MrAnon Stealer in October and November.

Users should be cautious when dealing with unsolicited emails, particularly those containing suspicious attachments. More generally, treat attachments from any email with scrutiny to avoid falling prey to malicious campaigns that could result in data compromise or financial loss.
