Researchers at the security firm Proofpoint have taken note of a new malware that is homing in on the “Marketing/Advertising/Public Relations and Retail/Manufacturing” industries. The campaign is, according to a report from Proofpoint, finding most of its victims via attacks on Google Chrome and Mozilla Firefox browsers (although infected computers are also targeted). Dubbed Vega Stealer malware, it appears to be a variant of the August Stealer malware discovered (again by Proofpoint) in December 2016.
The main method of the campaign is sending phishing emails to individuals based on a mailing list. The mailing list contains targeted addresses like “[email protected],” “[email protected]”, and “[email protected]” in the hopes that specific industry targets, the ones mentioned previously, are reached. The emails themselves contain an attachment with an executable macro that, when enabled, begins the infection.
Proofpoint describes the process in detail as follows:
The macro retrieves the payload in a two-step process in which junk functions iterate while simultaneously building a string to be executed using a GetObject function. This string is the first request in the two-step process. The first request executed by the document retrieves an obfuscated JScript/PowerShell script. The execution of the resulting PowerShell script creates the second request, which in turn downloads the executable payload of Vega Stealer. The payload is saved to the victim machine in the user’s “Music” directory with a filename of “ljoyoxu.pkzip”. Once this file is downloaded and saved, it is executed automatically via the command line.
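The chain Proofpoint describes leaves two observable traces on an endpoint: an Office document whose macro hands off to a script host (the JScript/PowerShell stage), and a file named “ljoyoxu.pkzip” written to the user’s Music directory and then launched from the command line. The following triage script is an added example, not code from the article or from Proofpoint; it runs a few simple detection rules over constructed, Sysmon-style JSON event lines. The event field names, the list of Office and script-host process names, and the sample log are assumptions made for the example; only the payload filename and the Music directory come from the report.

```python
"""Added example (not part of the original article): triage constructed
endpoint telemetry for the two traces the Proofpoint write-up describes,
(1) an Office document whose macro hands off to a script host, and (2) the
Vega Stealer payload written to the user's Music folder as ljoyoxu.pkzip
and then launched from the command line."""
import json
import re
from typing import Dict, List, Tuple

# From the article: payload filename and the "Music" directory it is saved in.
VEGA_PAYLOAD_NAME = "ljoyoxu.pkzip"

# Assumed process names: Office parents and the script hosts a macro may spawn.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Any .pkzip file created directly under a "Music" folder (regex matches a
# single literal backslash on each side of "Music").
MUSIC_PKZIP = re.compile(r"\\Music\\[^\\]+\.pkzip$", re.IGNORECASE)

# Constructed sample log (assumed Sysmon-like JSON, one event per line).
SAMPLE_LOG = r"""
{"ts":"2018-05-10T09:12:01Z","type":"ProcessCreate","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -NoProfile -Command <constructed>"}
{"ts":"2018-05-10T09:12:02Z","type":"FileCreate","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","target":"C:\\Users\\alice\\Music\\ljoyoxu.pkzip"}
{"ts":"2018-05-10T09:12:03Z","type":"ProcessCreate","parent_image":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Users\\alice\\Music\\ljoyoxu.pkzip","command_line":"C:\\Users\\alice\\Music\\ljoyoxu.pkzip"}
{"ts":"2018-05-10T09:15:00Z","type":"ProcessCreate","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","command_line":"chrome.exe"}
{"ts":"2018-05-10T09:16:00Z","type":"FileCreate","image":"C:\\Windows\\explorer.exe","target":"C:\\Users\\alice\\Music\\song.mp3"}
"""


def _basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage_event(event: Dict) -> List[str]:
    """Return zero or more alert tags for a single parsed event."""
    tags: List[str] = []
    kind = event.get("type")
    if kind == "ProcessCreate":
        parent = _basename(event.get("parent_image", ""))
        image_path = event.get("image", "")
        cmdline = event.get("command_line", "")
        # Rule 1: macro-enabled document handing off to a script host.
        if parent in OFFICE_PARENTS and _basename(image_path) in SCRIPT_HOSTS:
            tags.append("office_spawned_script_host")
        # Rule 2: the dropped payload being launched from the command line.
        if VEGA_PAYLOAD_NAME in cmdline.lower() or MUSIC_PKZIP.search(image_path):
            tags.append("vega_payload_executed")
    elif kind == "FileCreate":
        target = event.get("target", "")
        # Rule 3: a .pkzip written straight into the Music folder.
        if MUSIC_PKZIP.search(target):
            tags.append("pkzip_dropped_in_music")
        # Rule 4: exact filename reported for the Vega Stealer payload.
        if _basename(target) == VEGA_PAYLOAD_NAME:
            tags.append("vega_stealer_ioc_filename")
    return tags


def triage_log(lines) -> List[Tuple[str, str]]:
    """Parse JSON event lines and return (timestamp, tag) pairs for every hit."""
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for tag in triage_event(event):
            alerts.append((event.get("ts", ""), tag))
    return alerts


if __name__ == "__main__":
    for ts, tag in triage_log(SAMPLE_LOG.splitlines()):
        print(ts, tag)
```

Rules 1 and 3 are generic (any Office process spawning a script host, any archive-named file dropped into Music) and will also catch variants that rename the payload; rules 2 and 4 key on the exact filename from the report and are only useful until the operators change it, so the two kinds of rule are tagged separately to make that difference visible in triage.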
By utilizing the tried-and-true method of macro-cloaked malware, the attackers behind Vega Stealer are almost guaranteeing success. So what exactly does success look like in reference to this particular campaign? Outside of the known industry targets discussed earlier, it is not entirely obvious. There are some hints, however: Vega Stealer lets attackers access browser data including passwords, credit card data, and cookies.
The data-gathering stage is often the first step of a larger cyberattack, so it would be prudent for IT professionals in marketing, advertising, public relations, retail, and manufacturing to watch their networks closely. I have discussed the issues of macro-based malware attacks and how easily one can fall prey to them. On the flip side, with a little education, these attacks can be mitigated. Vega Stealer is only as strong as IT divisions and individuals allow it to be.
Featured image: Flickr / Christiaan Colen