Vega Stealer Malware Gathering Identifications from Web Browsers

May 17, 2018

A new variant of August Stealer – named Vega Stealer – is being distributed in small phishing campaigns targeting marketing, advertising, and PR firms and the retail and manufacturing industries. While the campaigns are highly targeted, the malware could potentially be used in much more widespread campaigns and become a major threat.
Vega Stealer doesn’t have the same range of skills as its predecessor, even though it does include many new characteristics that make it a substantial danger, as per safety scientists at Proofpoint.
The malware is being distributed via a standard phishing campaign involving Word document attachments with malicious macros that act as downloaders for the Vega Stealer payload in a two-step process, first downloading obfuscated Jscript/PowerShell script which in turn downloads Vega Stealer malware.
The electronic mails captured by Proofpoint had a document with the name ‘brief.doc’ with different subject lines utilized, including ‘Online Store Developer Needed.’
Some of the emails were directed at specific individuals, others were sent to distribution lists commonly used by businesses such as info@. The emails were sent in low volume with the targets apparently carefully selected. Proofpoint notes that another campaign was being conducted by the same threat actors using the August Stealer payload, with several of the same firms targeted the previous day.
Vega Stealer is written in .NET and seems to be mainly focused on stealing saved identifications from Chrome and Firefox, and is able of exfiltrating outline information, cookies, as well as passwords. The malware also takes a screenshot of the infected machine and carries out a search for generally used file kinds such as .doc/docx, .xls/xlsx, .txt, .rtf, and PDF files and exfiltrates those files together with the collected identifications.
The researchers note the document macro used to download the payload is currently used by multiple threat actors and is most likely for sale on darknet marketplaces, although URL patterns from the macro suggest this campaign is being conducted by a threat actor known to distribute the Emotet banking Trojan and various other banking Trojans.