A new malware campaign has been launched by hackers targeting saved financial information and login credentials from both Firefox and Google Chrome browsers.
This malware, dubbed “Vega Stealer,” has been designed to target businesses in the retail and public relations industries since they’re more likely to deal with the financial information of their clients.
The Vega Stealer malware is believed to be a variant of another known malware program called August Stealer, but with more potential to develop into a serious problem for businesses.
Security researchers from Proofpoint say that the malware would wreak much more havoc if the hacker(s) involved used more advanced methods than the simple phishing campaigns being used to spread the Vega Stealer malware.
What Vega Stealer Can Do
Vega Stealer is written in .NET, just like August Stealer, which was capable of lifting sensitive documents, credentials and cryptocurrency wallet details from the machines it infected.
The Vega Stealer malware proves to be a more advanced version of the August Stealer. It has capabilities similar to those of the August Stealer but comes with upgrades such as the ability to steal credentials, keys and other sensitive information from the Firefox browser, and a new network communication protocol.
From the Chrome browser, Vega Stealer harvests saved profiles, credit card numbers, passwords and even cookies. From the Firefox browser it harvests the “key3.db” and “key4.db” files (which store Firefox’s encryption keys) and the “cookies.sqlite” and “logins.json” files (which contain cookies and saved login credentials) before moving on to system files.
In addition to scanning and exfiltrating all files in the system with the extensions .xlsx, .xls, .rtf, .doc, .docx, .txt, and .pdf, the Vega Stealer malware also takes a screenshot of the machine.
In their report, Proofpoint researchers say that currently, the campaign is mainly targeting businesses, specifically in the manufacturing, retail, public relations, marketing and advertising industries.
Vega Stealer Spread Through Phishing Campaigns
As sophisticated as this new variant of the August Stealer malware is, the attack vector used to propagate it is basic at best. The emails mostly target business distribution lists and some individuals in charge of lists such as “[email protected]” and “[email protected]” and so on.
These phishing emails carry an attachment named “brief.doc”. The file hosts the malicious macros that, once the document is opened, download the Vega Stealer executable.
The macros first retrieve an obfuscated PowerShell script, which is the first stage of the payload. When executed, this script downloads the Vega Stealer executable from the attacker’s command-and-control server.
The entire payload labeled “ljoyoxu.pkzip” is stored in the “Music” directory. When the Vega Stealer executable is finally in place, a command line instructs it to begin harvesting information.
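A defender-side detection sketch for the chain described above and the harvesting behaviour described earlier (an Office process launching PowerShell, the “ljoyoxu.pkzip” drop in the Music directory, a non-browser process reading Firefox’s key3.db/key4.db/cookies.sqlite/logins.json, and one process sweeping up the document types the stealer exfiltrates). This is added example code, not anything from Proofpoint’s report; the event format, the sample events, the Chrome store file names and the bulk-read threshold are assumptions.

```python
import ntpath
from collections import defaultdict

# Added detection sketch (not Proofpoint's or Vega Stealer's code). Events are
# constructed "<type>|<process>|<target>" lines approximating endpoint telemetry.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
BROWSERS = {"firefox.exe", "chrome.exe"}
# Firefox stores named in the report; Chrome's "Login Data"/"Cookies" are assumed.
CRED_STORES = {"key3.db", "key4.db", "cookies.sqlite", "logins.json", "login data", "cookies"}
DOC_EXTS = {".xlsx", ".xls", ".rtf", ".doc", ".docx", ".txt", ".pdf"}
PAYLOAD_NAME = "ljoyoxu.pkzip"
BULK_THRESHOLD = 3  # assumed: distinct documents one process must read to alert

SAMPLE_EVENTS = [  # constructed, not real telemetry
    "process_create|WINWORD.EXE|powershell.exe -w hidden -ep bypass",
    "file_write|powershell.exe|C:\\Users\\alice\\Music\\ljoyoxu.pkzip",
    "file_read|firefox.exe|C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\logins.json",
    "file_read|vega.exe|C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\key4.db",
    "file_read|vega.exe|C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\logins.json",
    "file_read|vega.exe|C:\\Users\\alice\\Documents\\q1.xlsx",
    "file_read|vega.exe|C:\\Users\\alice\\Documents\\contract.docx",
    "file_read|vega.exe|C:\\Users\\alice\\Desktop\\notes.txt",
]

def parse_event(line):
    kind, proc, target = line.split("|", 2)
    return kind.strip(), proc.strip().lower(), target.strip()

def analyse(lines):
    """Return (rule, process, detail) tuples for events matching the Vega chain."""
    findings, docs_by_proc = [], defaultdict(set)
    for line in lines:
        kind, proc, target = parse_event(line)
        base = ntpath.basename(target).lower()
        # Stage 1: the brief.doc macro launching PowerShell from an Office process
        if kind == "process_create" and proc in OFFICE_APPS and target.lower().startswith("powershell"):
            findings.append(("office_spawns_powershell", proc, target))
        # Stage 2: the named payload landing in a user's Music directory
        elif kind == "file_write" and base == PAYLOAD_NAME and "\\music\\" in target.lower():
            findings.append(("vega_payload_drop", proc, target))
        # Stage 3: non-browser reads of credential stores, or bulk reads of target document types
        elif kind == "file_read" and proc not in BROWSERS:
            if base in CRED_STORES:
                findings.append(("browser_cred_store_access", proc, target))
            elif ntpath.splitext(base)[1] in DOC_EXTS:
                docs_by_proc[proc].add(target.lower())
    for proc, docs in docs_by_proc.items():
        if len(docs) >= BULK_THRESHOLD:
            findings.append(("bulk_document_read", proc, f"{len(docs)} documents"))
    return findings
```

The browser reading its own logins.json is deliberately ignored; only a foreign process touching those stores is flagged, which is what distinguishes a stealer from normal browser activity.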
Researchers Suspect the Same Threat Actor, Albeit Tentatively
Proofpoint researchers have moderate confidence that the URLs and document macros used in the Vega Stealer campaign point to a threat actor also linked to previous financial malware attacks.
The evidence is not conclusive, however. The document macros used in the campaign are believed to be commodity macros sold to any interested party, while the URL patterns matched those of the threat actor that distributes the Ursnif banking Trojan.
This Trojan is commonly used to download payloads like GootKit and IcedID.
The document macros, on the other hand, have already been linked to the threat actor responsible for spreading the Emotet Trojan. As such, Proofpoint researchers cannot say with full confidence whether the Vega Stealer malware is directly linked to a specific threat actor.
However, the researchers suspect that it could be connected to a few threat actors they have been tracking.
For now, Vega Stealer remains relatively innocuous, mainly because the campaign behind it is still quite simple. According to Proofpoint, whether it develops into a common threat to businesses remains to be seen.
What the researchers are certain about is that it has a lot of potential to evolve into something much more difficult to deal with.