Vega Stealer Malware Takes Aim at Chrome, Firefox

LASER_oneXM
Thread author
Vega Stealer Malware Takes Aim at Chrome, Firefox

A malware dubbed Vega Stealer has been uncovered, looking to make off with saved credentials and credit-card information in the Chrome and Firefox browsers. While it’s a simple payload for now, researchers said it has the ability to evolve into something more concerning in the future.

Proofpoint, which was first to observe the bad code making the rounds in the cyber-firmament, said the malware is a variant of August Stealer. It has a subset of the parent malware’s functionality as well as additional features.

In addition to stealing browser data, Vega shares the ability to exfiltrate Word, Excel, PDF and text files from an infected machine, just as August does (Proofpoint pointed out that August, however, does not have this hard-coded in the malware; rather, it is configurable in the C&C panel). Also, the Chrome browser-stealing functionality in Vega is a subset of the August code; August also stole from other browsers and applications, such as Skype and Opera.

Vega’s new functionality includes a new network communication protocol and expanded Firefox-stealing functionality.
 

upnorth
Moderator, Staff Member
Researchers at Proofpoint saw Vega being delivered via a low-volume email campaign, with subjects such as “Online store developer required,” spamming individuals as well as distribution lists. The messages contained a malicious attachment called “brief.doc,” with macros that download Vega. Interestingly, the observed campaign has fairly narrow targeting: It’s taking aim at the marketing, advertising and public relations sector, along with retail and manufacturing.

Researchers said that the macros retrieve the payload in a two-step process: The document executes a request that retrieves an obfuscated JScript/PowerShell script. The execution of that script then creates a second request, which downloads the Vega Stealer payload to the user’s music directory. The malware is then executed automatically via the command line.

Vega is written in .NET, and the sample observed dropping in the wild does not contain any packing or obfuscation methods.
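The delivery chain described in the post (macro document, JScript/PowerShell stager, payload dropped into the user's Music folder and then run from the command line) is what a defender would hunt for in process-creation telemetry. The script below is an added example and is not code from the article, from Proofpoint or from this thread. It walks constructed, Sysmon-style process records, flags any executable started from a per-user Music directory whose parent chain contains both a script/command interpreter and an Office macro host, and leaves a benign launch from Explorer alone. The process names used for the macro host and the stagers, and all of the sample records, are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed, Sysmon-style process-creation records (not taken from the
# article or from Proofpoint's report); the fields are the usual ones an
# EDR or Sysmon Event ID 1 record carries.
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # command line as logged

# Assumption: typical image names for the macro host and for the script/command
# interpreters a macro uses as a stager. Extend to match your environment.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
STAGER_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}

# The post says the payload lands in the user's music directory; match a
# per-user profile Music folder on a Windows path (case-insensitive).
MUSIC_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\music\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 8) -> List[ProcEvent]:
    """Walk parent links upward; bounded so PID reuse cannot turn into an endless loop."""
    chain: List[ProcEvent] = []
    current = by_pid.get(event.ppid)
    while current is not None and len(chain) < max_depth:
        chain.append(current)
        current = by_pid.get(current.ppid)
    return chain


def find_music_dir_payloads(events: List[ProcEvent]) -> List[int]:
    """Return PIDs of executables started from a Music folder whose ancestry
    contains both a script/command stager and an Office macro host, i.e. the
    document -> script -> dropped payload chain described for Vega Stealer."""
    by_pid = {e.pid: e for e in events}
    flagged: List[int] = []
    for event in events:
        if not MUSIC_DIR.match(event.image):
            continue
        names = {basename(a.image) for a in ancestry(event, by_pid)}
        if names & STAGER_HOSTS and names & OFFICE_HOSTS:
            flagged.append(event.pid)
    return flagged


# Constructed sample: one macro-driven chain plus one benign launch from Explorer.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\brief.doc"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden"),
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\alice\Music\update.exe"),
    ProcEvent(500, 400, r"C:\Users\alice\Music\update.exe", "update.exe"),
    # Benign: the user double-clicks a program they happen to keep in Music.
    ProcEvent(600, 100, r"C:\Users\alice\Music\player.exe", "player.exe"),
]

if __name__ == "__main__":
    by_pid = {e.pid: e for e in SAMPLE_EVENTS}
    for pid in find_music_dir_payloads(SAMPLE_EVENTS):
        print(f"suspicious: pid {pid} {by_pid[pid].image}")
```

Requiring both a stager and an Office host in the ancestry is what keeps the rule from firing on a user who simply runs a program from their Music folder; the bounded parent walk matters because PID reuse in real telemetry can otherwise create cycles. Feed it your own EDR or Sysmon export by mapping records onto `ProcEvent`.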