Vega Stealer malware is at the heart of a new campaign designed to harvest saved financial data from Google Chrome and Firefox browsers.
While the new malware is only being utilized in simplistic and small phishing campaigns at the moment, researchers from Proofpoint say[1] that Vega Stealer has the potential to become a common threat to businesses in the future.
Vega Stealer is a variant of August Stealer[2]. Written in .NET, August Stealer locates and steals credentials, sensitive documents, and cryptocurrency wallet details from infected machines.
The new malware has a subset of the same functionality but has also been upgraded with an arsenal of expanded features, including a new network communication protocol and Firefox stealing functionality.
Vega Stealer is also written in .NET and focuses on the theft of saved credentials and payment information in Google Chrome. These credentials include passwords, saved credit cards, profiles, and cookies.
When the Firefox browser is in use, the malware harvests specific files -- "key3.db", "key4.db", "logins.json", and "cookies.sqlite" -- which store various passwords and keys.
However, Vega Stealer does not wrap up there. The malware also takes a screenshot of the infected machine and scans for any files on the system ending in .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdf for exfiltration.
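As an added defensive illustration, not code from this article or from Proofpoint's report, the following Python sketch turns the two behaviours just described into detection logic run over file-access log lines: a non-browser process reading the four Firefox credential stores, and one process sweeping many user documents of the listed extensions. The log format, the sample lines, the process names and the sweep threshold are all constructed assumptions.

```python
"""Flag file-access patterns matching the stealer behaviour described above.
Log format (constructed): timestamp|process|operation|path"""
from pathlib import PureWindowsPath

# File names and extensions are the ones named in the article.
FIREFOX_SECRET_FILES = {"key3.db", "key4.db", "logins.json", "cookies.sqlite"}
DOCUMENT_EXTS = {".doc", ".docx", ".txt", ".rtf", ".xls", ".xlsx", ".pdf"}
BROWSER_PROCESSES = {"firefox.exe"}   # assumed: legitimate readers of the stores
DOC_SWEEP_THRESHOLD = 5               # assumed: distinct documents before we flag

# Constructed sample log: one benign browser read, one benign Office read,
# then an unknown process reading Firefox stores and sweeping documents.
SAMPLE_LOG = r"""
2018-05-11T10:02:13Z|firefox.exe|read|C:\Users\ann\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json
2018-05-11T10:02:14Z|winword.exe|read|C:\Users\ann\Documents\budget.xlsx
2018-05-11T10:03:01Z|updater.exe|read|C:\Users\ann\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\key4.db
2018-05-11T10:03:01Z|updater.exe|read|C:\Users\ann\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json
2018-05-11T10:03:02Z|updater.exe|read|C:\Users\ann\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\cookies.sqlite
2018-05-11T10:03:05Z|updater.exe|read|C:\Users\ann\Documents\budget.xlsx
2018-05-11T10:03:05Z|updater.exe|read|C:\Users\ann\Documents\contract.docx
2018-05-11T10:03:06Z|updater.exe|read|C:\Users\ann\Documents\notes.txt
2018-05-11T10:03:06Z|updater.exe|read|C:\Users\ann\Desktop\invoice.pdf
2018-05-11T10:03:07Z|updater.exe|read|C:\Users\ann\Desktop\plan.rtf
2018-05-11T10:03:08Z|updater.exe|read|C:\Users\ann\Desktop\app.exe
"""

def parse_line(line):
    """Split one log line into (timestamp, process, operation, path)."""
    ts, proc, op, path = line.split("|", 3)
    return ts, proc.lower(), op, PureWindowsPath(path)

def detect(log_text):
    """Return (process, reason) findings for the two patterns."""
    findings = []
    docs_seen = {}  # process -> set of distinct document paths it read
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, proc, _op, path = parse_line(line)
        name = path.name.lower()
        # Pattern 1: Firefox credential store touched by something other than Firefox.
        if name in FIREFOX_SECRET_FILES and proc not in BROWSER_PROCESSES:
            findings.append((proc, f"non-browser read of Firefox store {name}"))
        # Pattern 2: count distinct documents of the targeted extensions per process.
        if path.suffix.lower() in DOCUMENT_EXTS:
            docs_seen.setdefault(proc, set()).add(str(path))
    for proc, paths in docs_seen.items():
        if len(paths) >= DOC_SWEEP_THRESHOLD:
            findings.append((proc, f"document sweep: {len(paths)} files read"))
    return findings

if __name__ == "__main__":
    for proc, reason in detect(SAMPLE_LOG):
        print(f"{proc}: {reason}")
```

On the sample log the browser and Office reads pass, while the unknown process is reported three times for the credential stores and once for the document sweep.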
According to the security researchers, the malware is currently being utilized to target businesses in marketing, advertising, public relations, retail, and manufacturing.
The phishing campaign designed to propagate the malware, however, is not sophisticated. Emails are sent with subject lines such as "Online store developer required," and while some are targeted and sent to individuals at a business, most messages are sent to distribution lists including "publicaffairs@" and "clientservice@".