Researchers have discovered a malware called Vega Stealer that is said to have been designed to harvest financial data from the saved credentials of Google Chrome and Mozilla Firefox browsers. The malware is another variant of August Stealer crypto-malware that steals credentials, sensitive documents, cryptocurrency wallets, and other details stored in the two browsers. As of now, the Vega Stealer is only being used in small phishing campaigns, but researchers believe that the malware can potentially result in major organisational level attacks.
According to researchers from Proofpoint, a campaign was found to be targeting Marketing/ Advertising/ Public Relations, and Retail/ Manufacturing industries with a new malware. On May 8 this year, the researchers observed and blocked a low-volume email campaign with subjects such as ‘Online store developer required’. The email contains an attachment called ‘brief.doc’, which contains malicious macros that download the Vega Stealer payload. They said that while some emails were sent to individuals, others were sent to distribution lists including ‘info@’, ‘clientservice@’, and ‘publicaffairs@’ at the targeted domains. It is an approach that has the effect of amplifying the number of potential victims.
The Vega Stealer ransomware allegedly takes special aim at those in the marketing, advertising, public relations, and retail/ manufacturing industries. Once the document is downloaded and opened, a two-step download process is initiated. “The first request executed by the document retrieves an obfuscated JScript/PowerShell script. The execution of the resulting PowerShell script creates the second request, which in turn downloads the executable payload of Vega Stealer,” the report said. It added, “The payload is saved to the victim machine in the user’s “Music” directory with a filename of ‘ljoyoxu.pkzip’. Once this file is downloaded and saved, it is executed automatically via the command line.”
Vega Stealer is written in .NET and aims to steal saved credentials such as passwords, saved credit cards, profiles, and cookies, and payment information in Google Chrome. And, in the Firefox browser, the malware harvests specific files – ‘key3.db,’ ‘key4.db,’ ‘logins.json,’ and ‘cookies.sqlite’ – which store different passwords and keys.
Vega Stealer keeps on working, and takes a screenshot of the infected PC and scans for any files on the system ending in .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdf for exfiltration.
The researchers claim that the document macro and URLs involved in the campaign suggest that the same threat actor responsible for campaigns spreading financial malware. They could not attribute Vega Stealer to any specific group, it was able to associate this malware with other types now being used. They said that the malicious macro is available for sale and threat actors are using it by pushing the Emotet banking trojan. Meanwhile, the URL patterns from which the macro retrieves the payload are the same as those used by an actor who distributes the Ursnif banking trojan, which often downloads secondary payloads such as Nymaim, Gootkit, or IcedID, the researchers said.
While Vega Stealer is not the most complex malware in circulation today, it does demonstrate the flexibility of malware, authors, and actors to achieve criminal objectives.
In order to be safe, Ankush Johar, Director at Infosec Ventures, said in a press statement, “Organisations should take cyber awareness seriously and make sure that they train their consumers and employees with what malicious hackers can do and how to stay safe from these attacks. One compromised system is sufficient to jeopardize the security of the entire network connected with that system.”