New Vega Stealer malware used Microsoft Word as an attack vector
Recently, cybersecurity firm Proofpoint observed a spear phishing campaign targeting marketing, advertising, public relations, and retail and manufacturing industries. The attacker’s goal was to spread a new type of malware called “Vega Stealer.”
As one of the features of this malware, it can steal victim login credentials and credit card vouchers from Chrome and Firefox browsers. In addition to its ability to steal credentials, it can also steal sensitive documents from infected computers.
Vega Stealer is considered to be a variant of the malware August Stealer. It includes some of the latter’s features, but it also adds some important new features. Originally discovered in December 2016, August Stealer was able to steal passwords stored in Skype, Opera, Chrome, and Firefox browsers as well as steal sensitive documents and other sensitive data from infected computers.
Proofpoint said that they discovered and blocked a small batch of malicious email distribution activities on Tuesday (May 8th), including topics such as “Need Online Store Developers”. The email contains a malicious attachment called “brief.doc”, which embeds malicious macros for spreading Vega Stealer.
It is worth noting that on the previous day (May 7th), Proofpoint found similar e-mail topics in another event. A malicious attachment named “engagement letter.doc” will download the previously mentioned August Stealer malware from the same IP address, which makes the two activities related to each other.
Let’s return to the analysis of the Vega Stealer malware. Once it infects the target computer, it will begin to steal data and search for a variety of different formats, including .doc, .docx, .txt, .rtf, .xls, and so on. Xlsx and .pdf. After that, these stolen data will be sent to the remote command and control (C&C) server.
Vega Stealer, like August Stealer, is written in .NET. But it seems to be just a lite version of the latter because it is not able to steal data from Skype and Opera browsers, but it has the ability to steal data from the new Firefox browser.
Proofpoint’s researchers also emphasized that the malicious macro used in this event was a commodity macro that he had used in various attacks by different cybercriminal groups, including a group that spread Emotet Bank Trojans.
Although Vega Stealer is not considered to be the most sophisticated or secretive malware currently popular, it demonstrates the flexibility of malware, developers, and operators to commit crimes. Because the propagation mechanism (based on phishing emails and the use of Word documents) is relatively mature, it may evolve as a popular data theft tool for cybercriminals.
For general computer users, our usual advice is still to use relatively complex passwords and to use at least one trusted anti-virus software. And the most important thing is not to open any e-mails from unknown sources, let alone click on links and attachments.