A new sophisticated phishing attack featuring a stealthy infostealer malware that exfiltrates a wide range of sensitive data has been uncovered by threat analysts.
This malware not only targets traditional data types like saved passwords but also includes session cookies, credit card information, Bitcoin-related extensions and browsing history.
The collected data is then sent as a zipped attachment to a remote email account, highlighting a significant shift in infostealer capabilities.
Attack Methodology
According to an advisory published by Barracuda Networks, the attack begins with a phishing email that entices recipients to open an attached purchase order file.
These emails, characterized by grammatical errors, appear from a fake address. The attachment contains an ISO disc image file, a precise replica of data from optical discs like CDs or DVDs. Embedded within this image file is an HTA (HTML Application) file, which enables the execution of applications on the desktop without the security limitations of a browser.
Upon executing the HTA file, a sequence of malicious payloads is activated. This sequence starts with the download and execution of an obfuscated JavaScript file from a remote server, which then triggers a PowerShell file that retrieves a ZIP file from the same server.
The ZIP file contains a Python-based infostealer malware.
This malware briefly operates to collect data and then deletes all files, including itself, to avoid detection.
Malware Capabilities and Data Exfiltration
The infostealer is engineered to collect comprehensive browser information and files.
It extracts MasterKeys from browsers such as Chrome, Edge, Yandex and Brave, and captures session cookies, saved passwords, credit card information and browser histories. Additionally, the malware copies data from Bitcoin-related browser extensions, including MetaMask and Coinbase Wallet.
The malware targets PDF files and zips entire directories, including those in the Desktop, Downloads, Documents and specific %AppData% folders. The stolen data is then emailed to various addresses at the domain maternamedical.top, each designated for specific types of information like cookies, PDF files and browser extensions.
Read more on cybersecurity threats to businesses: Supply Chains Remain Hidden Threat to Business
Implications for Cybersecurity
According to Barracuda, this attack represents a new frontier in data exfiltration threats, with the malware’s wide range of data collection capabilities posing severe risks.
“Most phishing attacks are associated with data theft, but here we are looking at an attack designed for extensive data exfiltration executed by a sophisticated infostealer,” said Saravanan Mohan, manager of threat analyst at Barracuda.
“The amount and range of sensitive information that can be taken is extensive. Some can potentially be leveraged in further malicious activity, such as lateral movement or financial fraud. As cyber-criminals continue to develop sophisticated methods to steal critical information, it’s important for businesses to stay vigilant and proactive in their cybersecurity efforts.”
Key strategies recommended by the firm include implementing robust security protocols, continuous monitoring for suspicious activities and employee education on potential threats.
Multi-layered email protection solutions utilizing AI and machine learning are also helpful in detecting and blocking such phishing attempts before they reach user inboxes.