Most malware designed to steal user credentials logs keystrokes to collect the information. However, a new threat called PASSTEAL (TSPY_PASSTEAL.A) relies on a password recovery app to accomplish the task.
According to Trend Micro researchers, the malware collects the information stored in the web browser by extracting the saved accounts for various online services and applications. The sample analyzed by the security firm contains the PasswordFox app, which is designed to work with Firefox.
“In effect, the password recovery tool enables PASSTEAL to acquire all login credentials stored in the browser, even from websites using secured connections (SSL or HTTPS),” Alvin John Nieto, threat response engineer at Trend Micro, explained.
“Some sites that use this connection include Facebook, Twitter, Pinterest, Tumblr, Google, Yahoo, Microsoft, Amazon, eBay, Dropbox and online banking sites. PASSTEAL also doesn’t restrict itself to browser applications. Certain variants are designed to log information from applications such as Steam and JDownloader.”
After extracting the data, the malware runs a command that saves all the credentials to an .xml file; a text (.txt) file is then generated from that .xml file.
Once all the information is gathered, the malware connects to a remote FTP server and uploads the files.
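The chain described above (an .xml credential dump, a .txt derived from it, then an upload to an FTP server) lends itself to a behavioural correlation rule rather than a signature on the tool's file name, which a renamed copy of PasswordFox would evade. The following is an added example, not code from the article or from Trend Micro; the log line layout, host names and addresses are constructed for the example.

```python
"""Correlate the PASSTEAL-style sequence per host: .xml written, .txt written,
then an outbound FTP (TCP/21) connection, all within a time window.
The telemetry format below is an assumption for this example, not a vendor's."""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry: "<timestamp> host=<name> event=<type> key=value ..."
# ws01 shows the full chain; ws02 has no .xml; ws03 uploads too late for the window.
SAMPLE_LOG = """\
2012-11-15T10:00:03 host=ws01 event=file path=C:\\Temp\\out.xml
2012-11-15T10:00:04 host=ws01 event=file path=C:\\Temp\\out.txt
2012-11-15T10:00:09 host=ws01 event=network dport=21 dst=198.51.100.7
2012-11-15T11:30:00 host=ws02 event=file path=C:\\Users\\b\\report.txt
2012-11-15T11:31:00 host=ws02 event=network dport=21 dst=198.51.100.7
2012-11-15T13:00:00 host=ws03 event=file path=C:\\Temp\\a.xml
2012-11-15T13:00:05 host=ws03 event=file path=C:\\Temp\\a.txt
2012-11-15T14:30:00 host=ws03 event=network dport=21 dst=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+)(.*)$")

def parse(log):
    """Yield (time, host, event, fields) from the constructed format (no spaces in values)."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, event, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        yield datetime.fromisoformat(ts), host, event, fields

def find_exfil_chains(log, window_minutes=10):
    """Return (host, ftp_dst, time) for every host where an .xml write is followed
    by a .txt write and then a TCP/21 connection, all within window_minutes."""
    window = timedelta(minutes=window_minutes)
    state = {}   # host -> (time of .xml write, whether a .txt followed it)
    hits = []
    for ts, host, event, f in parse(log):
        if event == "file" and f["path"].lower().endswith(".xml"):
            state[host] = (ts, False)           # start (or restart) a chain
        elif event == "file" and f["path"].lower().endswith(".txt"):
            if host in state and ts - state[host][0] <= window:
                state[host] = (state[host][0], True)
        elif event == "network" and f.get("dport") == "21":
            xml_ts, saw_txt = state.get(host, (None, False))
            if saw_txt and ts - xml_ts <= window:
                hits.append((host, f.get("dst"), ts))
                del state[host]                 # report each chain once
    return hits
```

Tune the window to the environment: a wide window catches delayed uploads (ws03 above) at the cost of more benign matches.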
Read more: http://news.softpedia.com/news/Malware-Uses-Password-Recovery-App-to-Extract-Credentials-Stored-in-Browser-305103.shtml