Tuesday 15 May 2018

New Malware Designs To Grab Data From Google Chrome And Firefox Browser

The malware is written in .NET and is a variant of August Stealer, which locates and steals credentials, sensitive documents and other wallet details from an infected system.

This new malware, "Vega Stealer", is quite different, however: it includes a new network communication protocol and adds browser-stealing functionality.

The security researchers from Proofpoint say:
"The malware contains stealing functionality targeting saved credentials and credit cards in the Chrome and Firefox browsers, as well as stealing sensitive documents from infected computers."

How does Vega Stealer work?

Vega Stealer is delivered through documents, attached to email or sent directly. The malware could have longer-lasting impacts if it is further developed and distributed. Due to the distribution and lineage, this threat may continue to evolve and grow to be a commonly observed threat. The name 'Vega Stealer' was derived from a pdb string used within the binary.


Vega Stealer is written in .NET and the sample we observed dropping in the wild did not contain any packing or obfuscation methods. One of the goals of Vega appears to be gathering and exfiltrating saved data from the Google Chrome browser, including:

  • Passwords (the “logins” SQLite table contains URLs and username and password pairs)
  • Saved credit cards (the “credit_cards” autofill table contains a name, expiration date, and card number)
  • Profiles (the “autofill_profile_names” table contains first, middle, and last name)
  • Cookies

For the Mozilla Firefox browser, Vega collects files from the “\\Mozilla\\Firefox\\Profiles” folder, namely “key3.db”, “key4.db”, “logins.json”, and “cookies.sqlite”. These files store passwords and keys.

Vega can also take a screenshot of the victim machine. Vega Stealer communicates with its C&C server using the HTTP protocol. There are two parameters used in the C&C traffic, specifically in the client body of the request: 'f=' is the filename and 'c=' is the base64-encoded data portion of the request. The order of network communication with the C&C is as follows:

  • If found, send the “key3.db”, “key4.db”, “logins.json”, and “cookies.sqlite” Mozilla Firefox files
  • Send the screenshot file “screenshot.png” (Desktop screenshot)
  • Send the “chrome_pw.txt” containing saved data stolen from Chrome; the “c=” parameter will be empty if none is found
  • Further network requests exist if Vega finds any documents matching the “doc|docx|txt|rtf|xls|xlsx|pdf” extensions.
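
The request shape described above can be checked for on the network side. The following Python code is an added example, not taken from the original article or from Proofpoint: it flags request bodies that carry an 'f=' file name from the lists above together with a base64 'c=' value. The function names, the rule that the body holds exactly those two parameters, and the sample bodies are assumptions made for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# "f=" values the article lists: fixed file names and document extensions.
KNOWN_FILES = {"key3.db", "key4.db", "logins.json", "cookies.sqlite",
               "screenshot.png", "chrome_pw.txt"}
DOC_EXT = re.compile(r"\.(doc|docx|txt|rtf|xls|xlsx|pdf)$", re.IGNORECASE)

def is_base64(value):
    """True for an empty string or strictly valid, padded base64."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def classify_body(body):
    """Return why a request body matches the f=/c= pattern, or None."""
    params = parse_qs(body, keep_blank_values=True)
    # Assumption: the body carries exactly one f and one c, nothing else.
    if set(params) != {"f", "c"} or any(len(v) != 1 for v in params.values()):
        return None
    name = params["f"][0].lower()
    # Form decoding turns a raw '+' into a space; undo that before checking.
    data = params["c"][0].replace(" ", "+")
    if not is_base64(data):
        return None
    kind = ("known-file" if name in KNOWN_FILES
            else "document" if DOC_EXT.search(name) else None)
    return f"{kind}:{name}" if kind else None

def scan(requests):
    """requests: iterable of (source, body); returns [(source, reason)]."""
    found = ((src, classify_body(body)) for src, body in requests)
    return [(src, why) for src, why in found if why]

# Constructed sample request bodies (not captured traffic).
SAMPLE = [
    ("10.0.0.5", "f=key4.db&c=AAECAw=="),
    ("10.0.0.5", "f=chrome_pw.txt&c="),          # empty c= is expected here
    ("10.0.0.5", "f=budget.xlsx&c=UEsDBA=="),
    ("10.0.0.9", "f=report.pdf&c=not base64!"),  # c= is not base64: ignored
    ("10.0.0.7", "user=alice&comment=hello"),    # ordinary form post
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A single match is weak evidence on its own; the sequence from one host (Firefox files, then screenshot.png, then chrome_pw.txt) is the stronger signal.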

How is it more dangerous?

Proofpoint researchers say the macro is one "we believe is for sale and used by multiple actors, including the threat actor spreading Emotet banking Trojan. However, the URL patterns from which the macro retrieves the payload are the same as those used by an actor we are tracking who distributes the Ursnif banking Trojan, which often downloads secondary payloads such as Nymaim, Gootkit, or IcedID. As a result, we attribute this campaign to the same actor with medium confidence."

How can we protect?

The Hackersonlineclub (HOC) team always keeps you aware of malware activity.

  • Do not open any unknown attachment.
  • Always use internet security software.
  • Keep your system updated.
  • Do not save your passwords in your browser.
  • Change your password from time to time.

