Vega Stealer Malware Harvests Credentials from Web Browsers

May 16, 2018


A new variant of August Stealer, called Vega Stealer, is being distributed in small phishing campaigns targeting marketing, advertising and public relations firms as well as manufacturing and retail businesses. While the campaigns are highly targeted, the malware could be used in much broader campaigns and become a mainstream threat.

Vega Stealer does not have the full feature set of its predecessor, though it does include several new features that make it a significant threat, according to security researchers at Proofpoint.

The malware is distributed through a standard phishing campaign using Word document attachments with malicious macros that act as downloaders for the Vega Stealer payload in a two-step process: the macro first retrieves an obfuscated JScript/PowerShell script, which in turn downloads the Vega Stealer malware.

The emails captured by Proofpoint carried a document named 'brief.doc' and used a variety of subject lines, including 'Online Store Developer Needed.'

Some of the emails were addressed to specific individuals; others were sent to distribution lists commonly used by companies, such as info@. The emails were sent in low volumes, and the targets appear to have been carefully chosen. Proofpoint notes that a separate campaign using the August Stealer payload was run by the same threat actors, with many of the same companies targeted the previous day.

Vega Stealer is written in .NET and appears to be focused primarily on stealing saved credentials from Chrome and Firefox; it is capable of exfiltrating profile information, cookies and passwords. The malware also takes a screenshot of the infected machine and searches for commonly used file types such as .doc/.docx, .xls/.xlsx, .txt, .rtf and PDF files, exfiltrating those files along with the harvested credentials.
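The two behaviours a defender can watch for in this chain are an Office application spawning a script host (the macro downloader stage) and a non-browser process reading the Chrome or Firefox credential stores (the theft stage). The detection logic below is an added example, not code from the article or from Proofpoint; the event format, the process names and the credential-store paths are assumptions, and the log lines are constructed for the example.

```python
import re

# Two behaviours from the article: an Office app spawning a script host
# (the macro downloader) and a non-browser process reading browser credential stores.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "firefox.exe"}
# Assumed default locations of the Chrome/Firefox credential and cookie stores.
CRED_STORES = [re.compile(p, re.I) for p in (
    r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies)$",
    r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|cookies\.sqlite)$",
)]

# Constructed key="value" event lines standing in for endpoint telemetry.
SAMPLE_LOG = [
    'type="ProcessCreate" parent="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmd="powershell -w hidden -enc <omitted>"',
    'type="ProcessCreate" parent="C:\\Windows\\explorer.exe" '
    'image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" cmd="chrome.exe"',
    'type="FileRead" image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    'target="C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"',
    'type="FileRead" image="C:\\Users\\alice\\AppData\\Roaming\\svc.exe" '
    'target="C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"',
    'type="FileRead" image="C:\\Users\\alice\\AppData\\Roaming\\svc.exe" '
    'target="C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\logins.json"',
]

def parse_event(line):
    """Turn one key="value" line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def basename(path):
    # Lower-cased file name of a Windows path.
    return path.lower().rsplit("\\", 1)[-1]

def analyze(lines):
    """Return (rule, process, detail) tuples for every suspicious event."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        image = basename(ev.get("image", ""))
        if ev.get("type") == "ProcessCreate":
            if basename(ev.get("parent", "")) in OFFICE_APPS and image in SCRIPT_HOSTS:
                alerts.append(("office_spawns_script_host", image, ev.get("cmd", "")))
        elif ev.get("type") == "FileRead":
            target = ev.get("target", "")
            if image not in BROWSERS and any(p.search(target) for p in CRED_STORES):
                alerts.append(("nonbrowser_reads_credential_store", image, target))
    return alerts
```

Run against the constructed log, `analyze(SAMPLE_LOG)` flags the Word-to-PowerShell launch and the two credential-store reads by the unknown process, and ignores Chrome reading its own Login Data.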

The researchers note that the document macro used to download the payload is currently used by many threat actors and is likely for sale on darknet markets, although URL patterns from the macro indicate this campaign is being run by a threat actor known to distribute the Emotet banking Trojan and several other banking Trojans.