A sophisticated phishing attack has been discovered by threat analysts, delivering a stealthy infostealer that exfiltrates a wide range of sensitive data. The malware not only targets traditional data such as saved passwords but also session cookies, credit card information, data from Bitcoin-related browser extensions, and browsing history.
The collected data is then sent as a zipped attachment to a remote email account, a notable advance in infostealer capabilities. The attack begins with a phishing email that prompts recipients to open an attached purchase order file. These emails, which often contain grammatical errors, are sent from fake addresses. The attachment is an ISO disc image file containing an HTA (HTML Application) file, which can run code on the desktop without the security restrictions a browser would impose.
When the HTA file is executed, a chain of malicious payloads runs: the HTA downloads and executes an obfuscated JavaScript file from a remote server, the JavaScript launches a PowerShell script, and the PowerShell script retrieves a ZIP file containing a Python-based infostealer. The malware runs only briefly to collect data and then deletes all of its files, including itself, to evade detection.
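The staged chain above (HTA, then a script host, then PowerShell, then a dropped Python interpreter) leaves a recognisable parent/child trail in process-creation telemetry. The following detection logic is an added example, not code from the original report or from Barracuda; it walks the parent chain of constructed, Sysmon-style process events (the pids, paths and file names are hypothetical) and flags any python.exe whose ancestry passes through both mshta.exe and PowerShell.

```python
"""Flag python.exe processes descended from mshta.exe via PowerShell.

Input events mimic Sysmon Event ID 1 fields (pid, ppid, image, cmdline).
"""

# Constructed sample telemetry (hypothetical, not from the campaign).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "D:\order.hta"'},          # HTA inside mounted ISO
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\x.js"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\Users\u\AppData\Local\Temp\x.ps1"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\u\AppData\Local\Temp\py\python.exe",
     "cmdline": "python.exe stealer.py"},              # dropped interpreter
    # Benign control case: a developer runs Python from the desktop.
    {"pid": 600, "ppid": 100, "image": r"C:\Python311\python.exe",
     "cmdline": "python.exe app.py"},
]

MAX_DEPTH = 8  # bound the walk so a broken ppid chain cannot loop forever


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from pid up to the root, oldest last, cycle-safe."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < MAX_DEPTH:
        seen.add(pid)
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect_hta_chain(events):
    """Return pids of python.exe whose ancestors include mshta.exe and PowerShell."""
    hits = []
    for e in events:
        if _basename(e["image"]) != "python.exe":
            continue
        chain = ancestry(events, e["pid"])
        if "mshta.exe" in chain and ({"powershell.exe", "pwsh.exe"} & set(chain)):
            hits.append(e["pid"])
    return hits


if __name__ == "__main__":
    print("suspicious python.exe pids:", detect_hta_chain(SAMPLE_EVENTS))
```

The same walk can be fed from a real Sysmon or EDR export, and the benign control event shows why the check keys on the full ancestry rather than on python.exe alone.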
The infostealer is designed to gather comprehensive browser data and files. It extracts the master keys from Chrome, Edge, Yandex, and Brave and uses them to capture session cookies, saved passwords, credit card details, and browsing histories. It also targets data from Bitcoin-related browser extensions such as MetaMask and Coinbase Wallet, as well as PDF files and the contents of the Desktop, Downloads, and Documents folders and specific %AppData% directories. The stolen data is then sent to several email addresses at the domain maternamedical.top, each designated for a specific type of information.
This attack represents a new era in data exfiltration threats, with the malware's extensive data collection capabilities posing significant risks. According to Barracuda, this sophisticated infostealer poses a severe threat as cybercriminals continue to develop advanced methods to steal critical information. Businesses are advised to implement robust security controls, continuously monitor for suspicious activity, and educate employees about potential threats. Using multi-layered email protection that applies AI and machine learning can help detect and block phishing attempts before they reach user inboxes.
In conclusion, staying vigilant and proactive in cybersecurity efforts is crucial as cyber threats evolve and become more sophisticated. By implementing strong security measures and educating employees, businesses can mitigate the risks posed by such advanced phishing attacks.