Security researchers have observed a new infostealing malware campaign that grabs an unusually large and diverse set of files.
In its report, Barracuda noted the infostealer is rather unusual since it grabs more files than other infostealers go for. Besides the regular browser information, cookies, saved passwords, credit card information, download history, and autofill information, the infostealer also tries to collect all .PDF files found on Desktop, Downloads, Documents, and the Recent folder in %AppData% and %Temp%\Browser.
Finally, it also steals any cryptocurrency-related browser extension folders, such as MetaMask, BNB Chain Wallet, Coinbase Wallet and Ronin Wallet.
Unusual infostealer
Barracuda explained how the unnamed threat actors launched a phishing campaign that distributes an .ISO file, masquerading as a purchase order.
All of the emails are sent from the same address – ‘yunkun[@]saadelbin[.]com’, claiming to be a company account. However, the company name and all contact details are fake.
If the victim still runs the attachment, they will see an HTA file – an HTML application that uses web technologies, but runs on the desktop instead of a web browser. This allows the malware to work around any security features built into the web browser, Barracuda added.
This HTA file will download and run an obfuscated JavaScript file which, in turn, downloads and runs a PowerShell file. The PowerShell file, ultimately, downloads a .ZIP file which holds the final payload, the infostealing Python script.
“The amount of information collected is extensive and sensitive,” the researchers explained. “The stolen saved passwords and cookies could help an attacker to move laterally in the organization, while credit card information and bitcoin wallet information could be used to steal money.”
As usual, the best way to defend against phishing attacks is to be mindful of incoming emails and to be careful when downloading and running attachments.
More from TechRadar Pro
https://cdn.mos.cms.futurecdn.net/YbizeHRMkF5QLe6eeYypqc-1200-80.jpg
Source link
