Modified Hackhound PWS used for cyberespionage spearphishing

ISR Stealer leverages compromised websites to host access panels and targets companies that deal with machinery parts.

McAfee Labs researchers spotted a series of spearphishing attacks using a modified version of the Hackhound password stealer (PWS) for what they believe to be an industrial cyberespionage campaign.  

The PWS, dubbed ISR Stealer, leverages compromised websites to host access panels and also targets companies that deal with machinery parts, according to a July 21 blog post.

“One compromised website had more than 10 access panels receiving stolen passwords from the PWS,” the post said.

ISR Stealer targets Internet Explorer, Firefox, Chrome, Opera, Safari, Yahoo Messenger, MSN Messenger, Pidgin, FileZilla, Internet Download Manager, JDownloader, and Trillian and uses two executables, Mail PassView and WebBrowserPassView, to gather passwords stored on the machine, researchers said.

The malware is attached to emails with a “.z” extension, which researchers said is likely done to trick popular ZIP file handlers into associating the extension with their own programs so that users can extract it. The method also bypasses some popular cloud email file restrictions.

Users are advised to block the .z file extension at the gateway level to prevent this and other malware from using this technique in phishing campaigns, the post said.
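The gateway-side block the post recommends can be expressed as a small attachment check. The script below is an added example written for this article, not code from McAfee, SC Magazine or the ISR Stealer campaign; it assumes a mail gateway hook that hands the raw RFC 822 message to `scan_message()`. It goes one step beyond the text: besides the `.z` extension blocklist, it inspects the first bytes of each attachment, so a ZIP archive renamed to any other extension is still held. The sample message and its archive header bytes are constructed inline.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions to hold at the gateway; ".z" is the one the post describes.
BLOCKED_EXTENSIONS = {".z"}

# Extensions under which archive content is expected and not flagged by the
# content check (assumed set for this example).
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}

# Magic bytes of common archive formats, so renaming does not hide the content.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def classify_attachment(filename, payload):
    """Return the reasons an attachment should be held, or [] if it looks fine."""
    reasons = []
    name = (filename or "").lower()
    for ext in sorted(BLOCKED_EXTENSIONS):
        if name.endswith(ext):
            reasons.append(f"blocked extension {ext}")
    for magic, kind in ARCHIVE_MAGIC.items():
        # An archive whose name does not say so is the renaming trick in action.
        if payload.startswith(magic) and not any(name.endswith(e) for e in ARCHIVE_EXTENSIONS):
            reasons.append(f"{kind} archive content under non-archive name")
    return reasons


def scan_message(raw_bytes):
    """Parse a raw message and return [(filename, reasons)] for held attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(part.get_filename(), payload)
        if reasons:
            flagged.append((part.get_filename(), reasons))
    return flagged


def build_sample_message():
    """Constructed sample: a lure themed on machinery parts with a renamed ZIP."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "purchasing@example.invalid"
    msg["Subject"] = "Quotation for machinery parts"
    msg.set_content("Please see the attached quotation.")
    # Constructed ZIP local-file-header bytes only; this is not a real sample.
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26,
                       maintype="application", subtype="octet-stream",
                       filename="quotation.z")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()):
        print(f"HOLD {name}: {'; '.join(reasons)}")
```

In a real deployment the extension list belongs in the gateway's policy configuration rather than in code, and held messages should be quarantined for review rather than silently dropped so that legitimate compressed files can be released.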

The attackers behind the campaign have been active since the beginning of 2016, with a break in activity during the Easter holiday; the first sample was spotted in January.

“It's always very surprising to see old malware being used in active campaigns,” McAfee Labs Malware Researchers Oliver Devane and Mohinder Gill told SCMagazine.com via emailed comments. “So many people focus on zero day threats but forget that a sophisticated phishing campaign can be built around a piece of malware that is over 5 years old.”

Devane and Gill also said the industry being targeted is very interesting to note, and that the attacks could be an attempt to do something devious such as putting malware into industrial control systems before they leave the factory.
