Article Details

Scrape Timestamp (UTC): 2023-12-12 09:57:35.873

Source: https://thehackernews.com/2023/12/new-mranon-stealer-targeting-german-it.html

Original Article Text

New MrAnon Stealer Targeting German IT Professionals via Booking-Themed Scam

A phishing campaign has been observed delivering information-stealing malware called MrAnon Stealer to unsuspecting victims via seemingly benign booking-themed PDF lures.

"This malware is a Python-based information stealer compressed with cx-Freeze to evade detection," Fortinet FortiGuard Labs researcher Cara Lin said. "MrAnon Stealer steals its victims' credentials, system information, browser sessions, and cryptocurrency extensions."

There is evidence to suggest that Germany is the primary target of the attack as of November 2023, owing to the number of times the downloader URL hosting the payload has been queried.

Masquerading as a company looking to book hotel rooms, the phishing email bears a PDF file that, upon opening, activates the infection by prompting the recipient to download an updated version of Adobe Flash.

Doing so results in the execution of .NET executables and PowerShell scripts to ultimately run a pernicious Python script, which is capable of gathering data from several applications and exfiltrating it to a public file-sharing website and the threat actor's Telegram channel. It is also capable of capturing information from instant messaging apps, VPN clients, and files matching a desired list of extensions.

MrAnon Stealer is offered by the authors for $500 per month (or $750 for two months), alongside a crypter ($250 per month) and a stealthy loader ($250 per month).

"The campaign initially disseminated Cstealer in July and August but transitioned to distributing MrAnon Stealer in October and November," Lin said. "This pattern suggests a strategic approach involving the continued use of phishing emails to propagate a variety of Python-based stealers."
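To turn the chain described above (PDF lure, fake Flash update, PowerShell stage, cx-Freeze-packed Python payload, Telegram exfiltration) into something a SOC can check, here is an added triage example in Python; it is not Fortinet's or The Hacker News' code. The event fields, the Acrobat/PowerShell paths, the staging folder and the use of api.telegram.org as the host behind a "Telegram channel" drop are assumptions, not details from the report.

```python
import ntpath
from dataclasses import dataclass
PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "telegram.exe"}
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")
EXFIL_HOSTS = {"api.telegram.org"}  # assumption: the Telegram drop goes via the Bot API host

@dataclass
class Event:
    kind: str          # "process", "imageload" or "network"
    image: str         # full path of the acting process
    parent: str = ""   # parent image path (process events)
    module: str = ""   # loaded DLL path (imageload events)
    dest: str = ""     # destination host (network events)

def _user_writable(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE)

def triage(events) -> set:
    """Return the names of the MrAnon-chain stages seen in the events."""
    stages = set()
    for e in events:
        img = ntpath.basename(e.image).lower()
        if e.kind == "process":
            # PDF lure -> "download the update": a reader spawning PowerShell
            if ntpath.basename(e.parent).lower() in PDF_READERS and img in SCRIPT_HOSTS:
                stages.add("pdf_spawns_script_host")
            # Flash is end-of-life, so a "Flash update" exe in Downloads/Temp is the lure
            if "flash" in img and _user_writable(e.image):
                stages.add("fake_flash_update")
        elif e.kind == "imageload":
            # cx_Freeze ships python3x.dll beside the frozen exe: the Python stealer's runtime
            mod = ntpath.basename(e.module).lower()
            if mod.startswith("python3") and mod.endswith(".dll") and _user_writable(e.module):
                stages.add("frozen_python_runtime")
        elif e.kind == "network":
            # exfiltration to Telegram from anything that is not a browser or the client
            if e.dest.lower() in EXFIL_HOSTS and img not in BROWSERS:
                stages.add("telegram_exfil")
    return stages

T = r"C:\Users\u\AppData\Local\Temp\upd"  # constructed staging folder
SAMPLE_EVENTS = [  # constructed events modelled on the chain the article describes
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Program Files\Adobe\Acrobat\Acrobat.exe"),
    Event("process", r"C:\Users\u\Downloads\AdobeFlashUpdate.exe", parent="powershell.exe"),
    Event("imageload", T + r"\run.exe", module=T + r"\python311.dll"),
    Event("network", T + r"\run.exe", dest="api.telegram.org"),
]
```

Run `triage(SAMPLE_EVENTS)` to see all four stages reported; a browser talking to the same host, or a PDF reader spawning an ordinary child process, yields no finding.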
The disclosure comes as the China-linked Mustang Panda is behind a spear-phishing email campaign targeting the Taiwanese government and diplomats with an aim to deploy SmugX, a new variant of the PlugX backdoor that was previously uncovered by Check Point in July 2023.

Daily Brief Summary

MALWARE // German IT Professionals Hit by MrAnon Malware Phishing Scam

A sophisticated phishing campaign is utilizing booking-related PDFs to deliver MrAnon Stealer, an information-stealing malware, primarily targeting German IT professionals.

The MrAnon Stealer extracts sensitive data such as credentials, system information, browser sessions, and cryptocurrency wallet extensions.

Attackers engineered malicious PDFs to trick victims into downloading a faux Adobe Flash update, which triggers the malware infection chain utilizing .NET executables and PowerShell scripts.

The malware's capabilities include harvesting data from messaging apps, VPN clients, and specific file types, subsequently transmitting the stolen information to the attackers' Telegram channel and a public file share.

The attackers have commoditized MrAnon Stealer for $500 a month, with additional offerings such as a crypter and a loader to augment evasion tactics.

The shift from earlier Cstealer campaigns to MrAnon Stealer marks a strategic pivot in the use of Python-based stealers, continuing to leverage phishing as the predominant dissemination method.

The report also notes an unrelated cyber espionage operation by Mustang Panda, a China-associated group, which is targeting Taiwanese officials with spear-phishing to deploy a new variant of the PlugX backdoor.