Researchers have come across a new ransomware variant named Vega Stealer that is taking special aim at those in the marketing, advertising, public relations and retail/manufacturing industries.
The malware, a variant of August Stealer, is an information stealer able to swipe credentials and credit card information stored in the Chrome and Firefox browsers along with documents from the infected computers, Proofpoint researchers reported.
Vega was first spotted when a low-volume email campaign was detected by Proofpoint in early May using subject lines that contained “Item return” and “Our company need online store from a scratch.” The campaign was aimed at individuals and lists of people, but all were included in the same group of targets and in each case the phishing email contained a document with malicious macros that the victim had to enable.
Once enabled a two-step download process is initiated.
“The first request executed by the document retrieves an obfuscated JScript/PowerShell script. The execution of the resulting PowerShell script creates the second request, which in turn downloads the executable payload of Vega Stealer,” the report said.
The malware, which is written in .net and not obfuscated in any way, is saved in the computers music directory under the name ljoyoxu.pkzip. Once this is accomplished it executes.
Vega's primary activity is pulling from Chrome passwords (the “logins” SQLite table contains URLs and username and password pairs), saved credit cards (the “credit_cards” autofill table contains name, expiration date, and card number) and profiles (the “autofill_profile_names” table contains first, middle, and last name) and finally cookies, Proofpoint said.
From Firefox Vega pulls files from MozillaFirefoxProfiles” folder, namely “key3.db" “key4.db", “logins.json", and “cookies.sqlite". These store passwords and keys.
To pull information from the computer the malware searches for and removes to its command and control server files ending in .doc, .docx, .txt, .rtf, .xls, .xlsx .and pdf.
A screenshot of the device is also taken.
While Proofpoint could not attribute Vega Stealer to any specific group, it was able to associate this malware with other types now being used. The malicious macro itself is available for sale on the dark web and is used by the threat actors pushing the Emotet banking Trojan. Meanwhile, the URL patterns from which the macro retrieves the payload are the same as those used by an actor who distributes the Ursnif banking Trojan, which often downloads secondary payloads such as Nymaim, Gootkit, or IcedID,” the researchers said.
Proofpoint is taking a wait and see approach concerning whether or not it will grow in popularity, but researchers said the potential is there in this malware to evolve into a more commonly found stealer.