This new phishing attack uses a sneaky infostealer to cause maximum damage
Security researchers have discovered a new info-theft malware campaign that steals an unusually large and diverse collection of files.
In its report, Barracuda noted that the infostealer is somewhat unusual in that it grabs more files than other infostealers. In addition to the usual browser data (cookies, saved passwords, credit card details, download history, and autofill information), the infostealer also attempts to collect every .PDF file found in the Desktop, Downloads, Documents, and Recent folders, as well as in %AppData% and %Temp%\Browser.
Finally, it also steals all browser extension folders related to cryptocurrencies, such as MetaMask, BNB Chain Wallet, Coinbase Wallet, and Ronin Wallet.
Unusual infostealer
Barracuda explained how the anonymous cybercriminals launched a phishing campaign that distributed an .ISO file posing as a purchase order.
All emails are sent from the same address – ‘yunkun[@]sadelbin[.]com’, claiming to be a corporate account. However, the company name and all contact information are fake.
If the victim goes ahead and opens the attachment, they will find an HTA file — an HTML application that uses web technologies but runs on the desktop instead of inside a web browser. This allows the malware to bypass any security features built into the web browser, Barracuda added.
This HTA file downloads and executes an obfuscated JavaScript file, which in turn downloads and executes a PowerShell file. The PowerShell file ultimately downloads a .ZIP file containing the final payload, the infostealing Python script.
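The staged chain in the two paragraphs above, together with the bulk file collection described earlier, as an added detection example that is not part of this article or of Barracuda's report. It runs two rules over constructed process-creation and file-access events: the first looks for a process lineage in which mshta.exe (the host for HTA files) leads to a Windows Script Host process (wscript.exe or cscript.exe, assumed here to be what runs the downloaded JavaScript) and then to PowerShell; the second flags a single process that reads PDFs from several of the listed user folders or touches a cryptocurrency wallet extension folder. The event field names, process IDs, paths and wallet folder names are assumptions constructed for the example, loosely modelled on Sysmon-style telemetry rather than any vendor's schema.

```python
"""
Toy detector for the staged execution chain and bulk file collection
described in the article. All events below are constructed for
illustration; pids, paths and field names are not real telemetry.
"""
from collections import defaultdict

# Constructed sample events (assumed schema, Sysmon-like, not a real feed).
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe",
     "cmd": "explorer.exe"},
    # HTA opened from a mounted ISO (drive letter E: is an assumption)
    {"type": "process", "pid": 200, "ppid": 100, "image": "mshta.exe",
     "cmd": r"mshta.exe E:\PurchaseOrder.hta"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "wscript.exe",
     "cmd": r"wscript.exe C:\Users\u\AppData\Local\Temp\x.js"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -enc AAAA"},
    {"type": "process", "pid": 500, "ppid": 400, "image": "python.exe",
     "cmd": r"python.exe C:\Users\u\AppData\Local\Temp\stealer.py"},
    # Benign: a user-launched HTA that spawns nothing else
    {"type": "process", "pid": 600, "ppid": 100, "image": "mshta.exe",
     "cmd": r"mshta.exe C:\tools\dashboard.hta"},
    # File reads by the final payload (constructed paths)
    {"type": "file", "pid": 500, "path": r"C:\Users\u\Documents\invoice-2023.pdf"},
    {"type": "file", "pid": 500, "path": r"C:\Users\u\Desktop\contract.pdf"},
    {"type": "file", "pid": 500, "path": r"C:\Users\u\Downloads\quote.pdf"},
    {"type": "file", "pid": 500, "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Recent\notes.pdf"},
    {"type": "file", "pid": 500, "path": r"C:\Users\u\AppData\Local\Temp\Browser\cache.pdf"},
    {"type": "file", "pid": 500, "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\MetaMask\000003.log"},
    # Benign: a PDF reader opening one document
    {"type": "file", "pid": 700, "path": r"C:\Users\u\Documents\report.pdf"},
]

# Rule 1: ordered stages of the stager chain, other processes may sit between them.
CHAIN = [{"mshta.exe"}, {"wscript.exe", "cscript.exe"}, {"powershell.exe", "pwsh.exe"}]


def matches_chain(lineage, chain=CHAIN):
    """True if the root-first lineage contains every chain stage in order."""
    stage = 0
    for image in lineage:
        if stage < len(chain) and image in chain[stage]:
            stage += 1
    return stage == len(chain)


def lineage(pid, procs):
    """Root-first list of image names from the process tree, ending with pid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def flag_stager_chains(events):
    """Return one alert per process whose ancestry matches the stager chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for pid in sorted(procs):
        line = lineage(pid, procs)
        if matches_chain(line):
            alerts.append({"pid": pid, "lineage": " -> ".join(line)})
    return alerts


# Rule 2: folders named in the report, matched as path components (case-insensitive).
TARGET_DIRS = ("\\desktop\\", "\\downloads\\", "\\documents\\", "\\recent\\",
               "\\appdata\\", "\\temp\\browser\\")
# Wallet names from the report. Real browsers key extension folders by
# extension ID, so a production rule would map these names to IDs; the
# constructed paths above use the plain names for readability.
WALLET_MARKERS = ("MetaMask", "BNB Chain Wallet", "Coinbase Wallet", "Ronin Wallet")


def flag_bulk_collection(events, pdf_threshold=4):
    """Per pid, count distinct PDFs read from target folders and wallet folder hits."""
    pdfs, wallets = defaultdict(set), defaultdict(set)
    for e in events:
        if e["type"] != "file":
            continue
        low = e["path"].lower()
        if low.endswith(".pdf") and any(d in low for d in TARGET_DIRS):
            pdfs[e["pid"]].add(low)
        for w in WALLET_MARKERS:
            if ("\\" + w.lower() + "\\") in low:
                wallets[e["pid"]].add(w)
    flagged = {}
    for pid in set(pdfs) | set(wallets):
        if len(pdfs[pid]) >= pdf_threshold or wallets[pid]:
            flagged[pid] = {"pdfs": len(pdfs[pid]), "wallets": sorted(wallets[pid])}
    return flagged


if __name__ == "__main__":
    for alert in flag_stager_chains(EVENTS):
        print("stager chain:", alert)
    for pid, summary in flag_bulk_collection(EVENTS).items():
        print("bulk collection by pid", pid, summary)
```

Rule 1 fires on the PowerShell process and on everything it later spawns, so the alert carries the full lineage for the analyst; rule 2 deliberately ignores a reader that opens a single PDF and only fires when one process sweeps several of the named folders or reaches into a wallet extension folder. Thresholds and folder lists are starting points to tune against your own baseline.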
“The amount of information collected is extensive and sensitive,” the researchers explained. “The stolen stored passwords and cookies could help an attacker move laterally within the organization, while credit card details and bitcoin wallet information could be used to steal funds.”
As always, the best way to defend against phishing attacks is to be alert to incoming emails and be careful when downloading and opening attachments.