Vega Stealer malware harvesting credentials from Chrome and Firefox web browsers
Vega Stealer malware has been detected stealing saved credentials from the Google Chrome and Mozilla Firefox web browsers. Identified in the first half of May 2018 by Proofpoint, the malware is circulating on the Internet in “Online store developer required” email messages that carry a brief.doc attachment. Vega Stealer does not target home PC users; instead, it targets the marketing/advertising, public relations and retail/manufacturing industries.
According to the researchers, the malware is written in .NET, meaning that it is quite easy for it to infect PCs and circulate on the Internet. Its purpose is not to lock files or otherwise damage the system. What it seeks is to grab all sensitive information available in the Google Chrome and Mozilla Firefox web browsers.
The Vega Stealer virus seeks to obtain the most sensitive information, including saved passwords, credit card details, payment information, Bitcoin wallets, full name, address, etc. While Google Chrome is the primary source of information for the crooks, from Mozilla Firefox the malware extracts only the key3.db, key4.db, logins.json and cookies.sqlite files. However, these files usually store valuable information as well: key3.db and key4.db hold the key material that protects the saved logins stored in logins.json, and cookies.sqlite holds session cookies.
We've seen similar campaigns previously
Vega Stealer malware is not a novelty. In 2016, cybersecurity researchers warned the community about August Stealer, which is near-identical to the current malware not only in name but also in modus operandi.
That malware has been promoted and sold on various underground forums as a tool for stealing passwords, cookies, Bitcoin wallets, saved connections, and even specific files. Compared to Vega Stealer, August Stealer was more hazardous, as it was capable of harvesting data from most web browsers, including Mozilla Firefox, Google Chrome, Mail.Ru, Torch, Amigo, Bromium, Chromium, U Browser, and many others. Besides, the malware could reach data held by the FileZilla, SmartFTP, WinSCP and Mozilla Thunderbird FTP clients, as well as the Windows Live, Pidgin and Psi IM clients. Nevertheless, Vega Stealer malware appears to be a slightly improved version of August Stealer.
Modus operandi of the Vega Stealer spyware
Proofpoint detected the malware infecting people via spam email messages that feature the following characteristics:
- “Online store developer required” as a subject line;
- a brief.doc attachment (some emails may instead contain a letter.doc attachment, which may download the AugustStealer malware);
- the attachment requires enabling macros; that is the trick used to execute the malware;
- the attachment contains a JScript/PowerShell script.
If the potential victim falls for the trick, the Vega Stealer payload is executed. It drops a joyous.pkzip file in the Music directory. It then automatically runs scripts via an elevated PowerShell and hijacks the Google Chrome and Mozilla Firefox web browsers to obtain the following information:
- Saved credit cards;
- Specific file types;
It can also check the Desktop of the targeted PC and scan for files with the .doc, .docx, .txt, .rtf, .xls, .xlsx and .pdf extensions.
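The infection chain just described leaves a recognisable trail in endpoint telemetry: an Office process spawning a script host, a .pkzip file appearing in the Music directory, and Firefox profile files (key3.db, key4.db, logins.json, cookies.sqlite) being written by a process other than Firefox. The following Python detector is an added example for this article, not code from Proofpoint or from the malware write-up; it assumes simplified Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) events serialised as pipe-separated key=value lines. The joyous.pkzip and Firefox file names come from the article; the host paths, user name and sample events are constructed for the example.

```python
"""Constructed detection example for the Vega Stealer behaviours described in the
article. Not the malware's code and not Proofpoint's; the log format is assumed."""

# Parent processes that should not normally spawn a script host (assumption)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
# Firefox profile files the article says the stealer extracts
FIREFOX_TARGETS = {"key3.db", "key4.db", "logins.json", "cookies.sqlite"}

# Constructed sample events (Sysmon-like, pipe-separated key=value).
# Line 1: Word opened by the user - benign.
# Line 2: Word spawning PowerShell (macro in brief.doc) - suspicious.
# Line 3: PowerShell dropping joyous.pkzip into the Music directory - suspicious.
# Line 4: Firefox updating its own logins.json - benign.
# Line 5: PowerShell writing a copy of logins.json to Temp - suspicious.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Program Files\Microsoft Office\WINWORD.EXE|ParentImage=C:\Windows\explorer.exe|CommandLine=WINWORD.EXE /n brief.doc",
    r"EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Program Files\Microsoft Office\WINWORD.EXE|CommandLine=powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\stage.ps1",
    r"EventID=11|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|TargetFilename=C:\Users\alice\Music\joyous.pkzip",
    r"EventID=11|Image=C:\Program Files\Mozilla Firefox\firefox.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default\logins.json",
    r"EventID=11|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|TargetFilename=C:\Users\alice\AppData\Local\Temp\logins.json",
]


def parse_event(line):
    """Split a pipe-separated key=value line into a dict (first '=' separates key and value)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return a list of (rule, detail) tuples for one parsed event."""
    alerts = []
    image = basename(event.get("Image", ""))
    if event.get("EventID") == "1":
        parent = basename(event.get("ParentImage", ""))
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            alerts.append(("office_spawns_script_host", f"{parent} -> {image}"))
    elif event.get("EventID") == "11":
        target = event.get("TargetFilename", "")
        name = basename(target)
        # The article: joyous.pkzip dropped in the Music directory
        if name.endswith(".pkzip") and "\\music\\" in target.lower():
            alerts.append(("pkzip_dropped_in_music", target))
        # Firefox profile files are only expected to be written by Firefox itself
        if name in FIREFOX_TARGETS and image != "firefox.exe":
            alerts.append(("firefox_profile_file_written_by_other_process", f"{image} -> {target}"))
    return alerts


def scan(lines):
    """Run every rule over every line; returns (line_number, rule, detail) tuples."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for rule, detail in detect(parse_event(line)):
            hits.append((number, rule, detail))
    return hits


if __name__ == "__main__":
    for number, rule, detail in scan(SAMPLE_EVENTS):
        print(f"line {number}: {rule}: {detail}")
```

The three rules are deliberately independent: a macro-spawned PowerShell is worth an alert on its own, and the Firefox-file rule fires on the copy action rather than on the read, because Sysmon does not record file reads. Correlating the three hits by host and time window, rather than alerting on each one, is the natural next step in a real pipeline.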
Prevention of malware infiltration
From the perspective of PC users, the outlook is rather grim. Experts claim that, despite not being particularly extraordinary, Vega Stealer is a sophisticated piece of malware developed by criminals who know a great deal about malware development.
Currently, the malware is still in development and seems to have affected few devices, if any. Nevertheless, we would like to stress the danger lurking in your email inbox. Malspam campaigns are launched every day, so if you receive a message from an unknown sender with a questionable subject that urges you to open an attachment, be wise and report the email as spam.