Chrome and Firefox browsers targeted by Vega Stealer malware

Researchers at the security firm Proofpoint have taken note of a new malware that is homing in on the “Marketing/Advertising/Public Relations and Retail/Manufacturing” industries. The campaign is, according to a report from Proofpoint, finding most of its victims via attacks on Google Chrome and Mozilla Firefox browsers (although infected computers are also targeted). Dubbed Vega Stealer malware, it appears to be a variant of the August Stealer malware discovered (again by Proofpoint) in December 2016.

The main method of the campaign is sending phishing emails to individuals based on a mailing list. The mailing list contains targeted domains like “info@,” “clientservice@”, and “publicaffairs@” in the hopes that specific industry targets, the ones mentioned previously, are reached. The emails themselves contain an attachment with an executable macro that, when enabled, will begin its infection.

Proofpoint describes the process in detail as follows:

The macro retrieves the payload in a two-step process in which junk functions iterate while simultaneously building a string to be executed using a GetObject function. This string is the first request in the two-step process. The first request executed by the document retrieves an obfuscated JScript/PowerShell script. The execution of the resulting PowerShell script creates the second request, which in turn downloads the executable payload of Vega Stealer. The payload is saved to the victim machine in the user’s “Music” directory with a filename of “ljoyoxu.pkzip”. Once this file is downloaded and saved, it is executed automatically via the command line.

By relying on the tried-and-true method of macro-cloaked malware, the attackers using Vega Stealer malware are almost guaranteeing success. So what exactly does success look like for this particular campaign? Outside of the known industry targets discussed earlier, it is not entirely obvious. There are some hints, however: the Vega Stealer malware allows attackers, for instance, to access browser data that includes passwords, credit card data, and cookies.

The data-gathering stage is often the first step of a larger cyberattack, so it would be prudent for IT professionals in marketing, advertising, public relations, retail, and manufacturing to watch their networks closely. I have discussed the issues of macro-based malware attacks and how easily one can fall prey to them. On the flip side, with a little education, these attacks can be mitigated. Vega Stealer is only as strong as IT divisions and individuals allow it to be.
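The delivery chain in the Proofpoint description (Office macro, then a script host, then a payload run from the user's "Music" folder) leaves process-creation traces that can be hunted for. The sketch below is an added example, not code from Proofpoint or from this article, and it generalizes past the single reported filename to any non-media file launched from that folder. The event fields, rule names, process lists and sample events are assumptions constructed for illustration; only the filename "ljoyoxu.pkzip" comes from the report.

```python
import re
from pathlib import PureWindowsPath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
MEDIA_EXT = {".mp3", ".wav", ".flac", ".m4a", ".wma", ".ogg"}
KNOWN_PAYLOAD_NAME = "ljoyoxu.pkzip"  # filename quoted in the Proofpoint description
# Captures the file name in a path of the form \Users\<name>\Music\<file>
MUSIC_FILE = re.compile(r'\\Users\\[^\\"]+\\Music\\([^\\"\s]+)', re.IGNORECASE)

# Constructed process-creation events (hypothetical field names), not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe <constructed arguments>"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Music\ljoyoxu.pkzip"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE "C:\Users\alice\Documents\brief.docx"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Player\player.exe",
     "cmdline": r'player.exe "C:\Users\alice\Music\song.mp3"'},
]

def base(path):
    """Lower-cased file name of a Windows path, parsed the same way on any OS."""
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return the names of the rules this event triggers (empty list if none)."""
    hits = []
    # Rule 1: an Office application starting a script host (macro -> script stage).
    if base(event["parent"]) in OFFICE and base(event["image"]) in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")
    # Rule 2: a script host launching something stored in the Music folder.
    m = MUSIC_FILE.search(event["cmdline"])
    if m and base(event["image"]) in SCRIPT_HOSTS:
        name = m.group(1).lower()
        if name == KNOWN_PAYLOAD_NAME:
            hits.append("known_payload_filename")
        elif PureWindowsPath(name).suffix not in MEDIA_EXT:
            hits.append("non_media_file_run_from_music")
    return hits

def scan(events):
    """Return (index, rule names) for every event that triggers at least one rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, base(SAMPLE_EVENTS[idx]["image"]), hits)
```

The filename rule only catches this one sample; the parent/child and folder rules are the ones that keep working if the name changes.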


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
