Submitted by CyberHub Summit on Tue, 06/19/2018 - 15:32
Vega Stealer

Marketeers, public relations experts and advertisers will be nervously shuffling their feet for a bit, whilst the cyber security professionals get to work on a new and potentially huge threat, Vega Stealer.

Recently uncovered by Proofpoint, Vega Stealer is the new sparkly malware found to be targeting the Retail, Manufacturing, Public relations and Advertising sectors.


Vega Stealer, a variant of August Stealer, works by snatching identity details and credit card information stored in victims' Chrome and Firefox browsers.

Afterwards, like any other housebreaker, Vega sniffs around the computer to find anything else of value in its saved or sensitive documents.

Why is it so Dangerous?

Vega Stealer is a phishing scam that targets the sellers, not the buyers. Unlike a 'malvertising' campaign, where cyber criminals deliver malware through online ads, the Vega operators are doing it through email, in low-volume email campaigns, and so far it has had a limited effect.

Some emails were sent to individuals, others to larger distribution lists including "info@" and "publicaffairs@" addresses, which allowed the email to hit a slightly wider audience. The messages contained a malicious attachment called "brief.doc" holding macros that delivered the Vega Stealer payload.

Using subject lines such as "Item return" and "Our company need online store from a scratch", Vega has crept its way into systems via a pretty standardized phishing campaign. The victims then enable the malicious macros in the document, which launch Vega Stealer.

Once the victim enables the macros, Vega Stealer starts going to work on the system.

Phishing campaign? Low-volume email list? What exactly is so worrying, you may ask? Surely you just don't click on the link, or don't authorize it if you click by mistake, and everyone's happy? Surely a limited number of victims in a scam that has already been discovered means that the chance of it spreading is considerably lowered.

Not quite. The researchers at Proofpoint believe that this macro, now available for sale on the dark net, is being reused in multiple and much more harmful campaigns, for example to deliver the Emotet banking Trojan.

Emotet, known for obtaining financial information by injecting code into the network of an infected computer, looks suspiciously similar to Vega Stealer. Emotet has been encountered through malicious JavaScript files: when the files are executed, Emotet infects the host, and once active it begins to compile and stockpile sensitive data and access the victims' accounts.

If the payload could be effectively delivered by a simple phishing scam, we could be in a world of trouble.

Proofpoint researchers stated “The document macro utilized in this campaign is a commodity macro that we believe is for sale and used by multiple actors. We attribute this campaign to the same actor with medium confidence.”

Although Proofpoint can only state it with 'medium confidence', we can state with full confidence that Vega Stealer should be putting more than just the Online Retail market on full alert.

From financial institutions to governmental departments, this stealer, spreading fast across the dark net, has to be stopped in its tracks.