A new malware variant lulls victims into a false sense of security with a decoy document while it works on stealing their passwords.
This as-of-yet-unnamed infostealer ends up on a user’s machine via VBScript, a scripting language developed by Microsoft. Malicious VBScript code downloads the payload from the compromised website dnoymuzik[.]com/wp-content/test/conhost[.]exe using a PowerShell command, an increasingly common delivery vector employed by malicious software. It then terminates the Microsoft Word process and removes Microsoft Word’s document recovery entries.
The malware also loads up a document that masquerades as a public service announcement published by Pennsylvania Department of Public Welfare. Ironically, this document lists “Spam E-mail Instructions” as its focal procedure.
Of course, this fake PSA is designed to convince users that all is well. In the meantime, the infostealer covertly activates its malicious functionality.
Tarun Dewan of Zscaler’s ThreatLabZ team provides an overview of this activity:
“Once the malware is executed, it performs various password stealing activities, such as checking for antivirus and looking into the directories and files from which it will steal information. The most interesting function of this malware is that it also behaves like a file stealer, as it checks for interesting strings in the system with enumeration of various files and folders and uploads to the malware’s C&C once it grabs the sensitive information.”
The digital threat is capable of stealing passwords from Armory Wallet, Chrome, CuteFTP, Electrum bitcoin wallet, FileZilla, Firefox, Putty, and WinSCP Passwords.
To protect themselves against this infostealer and others like it, users should refrain from saving their passwords in a web browser and should instead store them in a password manager application that’s installed on their computer. They should also consider disabling PowerShell on their machine and should always think twice before downloading files from unknown sources on the web.