Vega Stealer malware is at the heart of a new campaign designed to harvest saved financial data from Google Chrome and Firefox browsers.
While the new malware is only being utilized in simplistic and small phishing campaigns at the moment, researchers from Proofpoint say that Vega Stealer has the potential to become a common threat to businesses in the future.
Vega Stealer is a variant of August Stealer. Written in .NET, August Stealer locates and steals credentials, sensitive documents, and cryptocurrency wallet details from infected machines.
The new malware has a subset of the same functionality but has also been upgraded with an arsenal of expanded features, including a new network communication protocol and Firefox stealing functionality.
Vega Stealer is also written in .NET and focuses on the theft of saved credentials and payment information in Google Chrome. These credentials include passwords, saved credit cards, profiles, and cookies.
When the Firefox browser is in use, the malware harvests specific files — “key3.db” “key4.db”, “logins.json”, and “cookies.sqlite” — which store various passwords and keys.
However, Vega Stealer does not wrap up there. The malware also takes a screenshot of the infected machine and scans for any files on the system ending in .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdf for exfiltration.
According to the security researchers, the malware is currently being utilized to target businesses in marketing, advertising, public relations, retail, and manufacturing.
The phishing campaign designed to propagate the malware, however, is not sophisticated. Emails are sent with subject lines such as “Online store developer required,” and while some are targeted and sent to individuals at a business, most messages are sent to distribution lists including “publicaffairs@” and “clientservice@”.
The email contains an attachment called “brief.doc” in which malicious macros download the Vega Stealer payload.
The payload is retrieved in two steps. The document first downloads an obfuscated JScript/PowerShell script which, once executed, creates a second request that pulls the executable payload of Vega Stealer from the threat actor’s command-and-control (C&C) center.
This payload is then saved in the victim’s “Music” directory with the name “ljoyoxu.pkzip.” Once the executable is in place, Vega Stealer automatically executes via the command line in order to begin harvesting information.
Proofpoint believes that the document macro and URLs involved in the campaign may point towards the same threat actor responsible for campaigns spreading financial malware. However, such attribution is made tentatively.
“The document macro utilized in this campaign is a commodity macro that we believe is for sale and used by multiple actors, including the threat actor spreading Emotet banking Trojan,” the researchers say. “However, the URL patterns from which the macro retrieves the payload are the same as those used by an actor we are tracking who distributes the Ursnif banking Trojan, which often downloads secondary payloads such as Nymaim, Gootkit, or IcedID. As a result, we attribute this campaign to the same actor with medium confidence.”
Proofpoint says that it remains to be seen whether or not Vega Stealer is simply a tweaked version of August Stealer developed for this specific campaign. However, the team does believe that due to the sophisticated delivery mechanism, Vega Stealer has the potential to evolve into a common threat.