A new malware strain is targeting popular browsers and programs such as Microsoft Word.

The “Vega Stealer” malware can steal credit card data and passwords stored in Chrome and Firefox and snatch sensitive data from infected computers, according to Proofpoint, a cybersecurity company based in Sunnyvale, Calif.

The malware currently targets marketing, advertising, public relations, retail and manufacturing industries but “this threat may continue to evolve and grow to be a commonly observed threat,” Proofpoint said on its website.


These kinds of precisely targeted corporate threats can signal more trouble to come. “Corporate credential theft often allows threat actors to establish a beachhead for further penetration into corporate networks and systems,” Proofpoint told Fox News in an email.

Proofpoint first spotted Vega Stealer earlier this month when it observed a “low-volume” email campaign with subject lines such as “Online store developer required.” Some of the malicious emails went to individuals while other emails went to common distribution lists used at many companies such as info@. “An approach that has the effect of amplifying the number of potential victims,” the company said.

Messages contain a malicious attachment called “brief.doc”. The document carries embedded code, known as a “macro,” that downloads the Vega Stealer malware. Such documents can fool the user into clicking on buttons in programs such as Microsoft Word that “enable” the macro, which then downloads the malware. For example, the button in Microsoft Word might say “Enable editing” or “Enable content.”

The macro retrieves the payload in a two-step process which ultimately saves it to the victim’s computer in the “Music” directory with a filename of “ljoyoxu.pkzip”. Once this file is downloaded and saved, it is executed automatically, Proofpoint said.
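A defender can hunt for this drop location. The following is an added example, not code from Proofpoint or the original article: it scans each user profile's Music folder for the reported filename and, going beyond the single case in the text, for any file that starts with the Windows executable header "MZ". That the payload is a Windows PE file, the function name `scan_music_dirs`, and the `C:\Users` default are assumptions of this example.

```python
import os
import sys
from pathlib import Path

IOC_FILENAME = "ljoyoxu.pkzip"  # filename reported in the article
PE_MAGIC = b"MZ"                # assumption: the payload is a Windows PE file
NORMAL_PE_EXTS = {".exe", ".dll", ".sys", ".scr"}


def scan_music_dirs(users_root):
    """Return sorted (path, reason) findings under <users_root>/<user>/Music."""
    findings = []
    for profile in Path(users_root).iterdir():
        music = profile / "Music"
        if not music.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(music):
            for name in files:
                path = Path(dirpath) / name
                # Exact match on the reported filename, whatever the content.
                if name.lower() == IOC_FILENAME:
                    findings.append((str(path), "ioc-filename"))
                    continue
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(2)
                except OSError:
                    continue  # locked or unreadable file: skip, keep scanning
                if head != PE_MAGIC:
                    continue
                # An executable in a media folder is unusual; one hiding
                # behind a non-executable extension is more so.
                if path.suffix.lower() in NORMAL_PE_EXTS:
                    findings.append((str(path), "executable-in-music"))
                else:
                    findings.append((str(path), "disguised-executable"))
    return sorted(findings)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Users"
    for found_path, reason in scan_music_dirs(root):
        print(f"{reason}\t{found_path}")
```

A hit is a lead for triage rather than a verdict: confirm it against file hashes and process-execution telemetry before acting.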


Vega Stealer linked to other malware

This malware appears to be related to an earlier malware “campaign,” according to Proofpoint.

Days before it spotted Vega Stealer, Proofpoint observed macro documents such as “engagement letter.doc” downloading a known malware called “August Stealer.” Proofpoint believes this is a related “strain” because “documents were sent to some of the same targets and macros downloaded the stealer from the same IP address.”

The malicious macro is “for sale” and is used by bad actors pushing the malware, Proofpoint said. While the source of the malware is not certain, evidence points to an “actor we are tracking who distributes the Ursnif banking Trojan, which often downloads secondary [malicious] payloads such as Nymaim, Gootkit, or IcedID. As a result, we attribute this campaign to the same actor with medium confidence,” the company added.

“Enterprises are very frequently targeted with malware that has credential stealing capabilities built in,” Kowsik Guruswamy, Chief Technology Officer with Menlo Security, told Fox News in an email.

Guruswamy continued: “We've observed other powerful credential stealers like Formbook and Emotet used in limited attacks against enterprises. The attacks we observed were not widespread and were limited and sent to only a few people in an organization, which leads us to believe that the attackers are only interested in some targeted data.”