Updated Malware Strain Targets Saved Credentials and Payment Info in Firefox and Chrome

No matter which browser you use to get on the internet, there will always be threat actors trying to get at your personal information. One of the most recent attempts was spotted by researchers at the cybersecurity firm Proofpoint on May 8, 2018. The malware, named Vega Stealer, infects an endpoint through a phishing attack. Once on a machine, it begins stealing the saved credentials and credit card information stored in the Firefox and Chrome browsers, along with sensitive documents from the infected system.


The researchers observed and blocked a targeted but low-volume phishing campaign directed at the marketing, advertising, public relations, retail, and manufacturing industries. The e-mails were sent both to individuals and to distribution lists such as “info@,” “clientservice@,” and “publicaffairs@,” which can dramatically increase the number of people who see each message.

The e-mails sent by the threat actors had subject lines such as “Online store developer required,” and all carried a malicious attachment named ‘brief.doc.’ As in many other phishing attacks, the document contains an embedded macro; when the victim opens the file and allows the macro to run, it downloads the malware. Note that the legacy .doc format can carry a macro with no hint in the file extension, unlike the macro-enabled .docm format, so the filename alone gives the recipient no warning.

Proofpoint researchers note that the campaign is built around “a commodity macro” that they believe “is for sale and used by multiple actors, including the threat actor spreading Emotet banking trojan.” In this instance, however, the URL the macro contacts points to a command and control server believed to be operated by the same threat actor (TA530) involved in distributing the Ursnif banking Trojan.

Since this macro appears to have been developed by a cybercrime-as-a-service group, we should expect it to evolve to get around newer defenses. For now, the best defenses remain the same: train employees to stay vigilant with e-mail, and keep Office macros disabled, ideally enforced by policy rather than left to each user.
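The macro lockdown the article recommends can be enforced and audited on a Windows endpoint with the script below. It is an added example written for this page, not code from the article or from Proofpoint; it assumes a recent Office release (registry version "16.0", i.e. Office 2016/2019/365), writes the per-user policy hive, and uses two documented Office Trust Center policy values: VBAWarnings (4 = disable all macros without notification) and blockcontentexecutionfrominternet (1 = block macros in files that arrived from the internet or as e-mail attachments). In a managed fleet the same values are normally pushed through Group Policy instead of a script.

```powershell
# Added example (not from the article or Proofpoint): enforce and audit the
# Office macro policies that stop a macro-laden attachment such as 'brief.doc'
# from running. Assumes Office 16.0 (2016/2019/365) and the per-user policy
# hive; adjust $OfficeVersion for older releases (e.g. 15.0 for Office 2013).
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all macros (weak), 2 = disable with notification
# (the default, which still lets a user click "Enable Content"),
# 3 = disable except digitally signed, 4 = disable all without notification.
# blockcontentexecutionfrominternet: 1 = block macros in files carrying the
# Mark-of-the-Web (downloaded or received as an e-mail attachment), which is
# exactly the delivery path described in the article.
$Desired = @{
    VBAWarnings                       = 4
    blockcontentexecutionfrominternet = 1
}

function Get-SecurityKeyPath([string]$App) {
    "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
}

function Set-MacroLockdown {
    # Writes the desired DWORD values for every listed application.
    foreach ($app in $Apps) {
        $key = Get-SecurityKeyPath $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Desired.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $Desired[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-MacroLockdown {
    # Returns one row per application/setting so an analyst can review or
    # export the endpoint's actual state; a missing value reports as $null.
    foreach ($app in $Apps) {
        $key = Get-SecurityKeyPath $app
        foreach ($name in $Desired.Keys) {
            $actual = (Get-ItemProperty -Path $key -Name $name `
                -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                Application = $app
                Setting     = $name
                Expected    = $Desired[$name]
                Actual      = $actual
                Compliant   = ($actual -eq $Desired[$name])
            }
        }
    }
}

Set-MacroLockdown
Test-MacroLockdown | Format-Table -AutoSize
```

Run Test-MacroLockdown on its own when you only want to check an endpoint, for example during incident triage, without changing anything. VBAWarnings = 4 removes the "Enable Content" prompt altogether, which is stricter than the default and is the setting that actually defeats a lure that relies on the recipient clicking through; if signed internal macros are required, use 3 instead and keep blockcontentexecutionfrominternet = 1 so attachments from outside still cannot run code.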