Skip to Content
Security & privacy

New malware targets browsers to steal credit cards and password information

Cybercriminals are constantly modifying the way malware is distributed. Phishing emails with malicious links are particularly a very popular technique for crooks since they’re easier to distribute.

This is when the scammer sends an email pretending to be from a legitimate organization in an attempt to trick you into clicking a malicious file. These types of attacks can be a very effective tool for fraudsters, especially in tricking the untrained eye.

But these types of attacks can be less successful the more people become aware of them, which is why it’s crucial that you know what to look for.

Read on and I’ll tell you about this new malware that’s making the rounds. If you’re not careful, it can steal your passwords, files and credit card details straight off your browser.

Meet the Vega Stealer

Security researchers from Proofpoint have discovered a new malware campaign that’s making its usual internet rounds lately. The campaign features a malicious program that’s designed to steal financial information from Google Chrome and Mozilla Firefox browsers.

At the moment, it is spread via small-scale phishing email campaigns but it has the potential to become a regular threat to individuals and businesses from now on.

Proofpoint calls the new malware Vega Stealer and it’s a variant of an older malware called August Stealer. Both share similar functionalities but Vega has been upgraded with Firefox compatibility and new network communication tools.

Similar to August Stealer, Vega Stealer is also written in .NET programming language but this time, it is designed to steal user credentials, cryptocurrency wallet details, cookies and credit card information saved in both Chrome and Firefox browsers.

It is also programmed to take screenshots of infected machines and scans for various sensitive confidential documents with.doc, .docx, .txt, .rtf, .xls, .xlsx and .pdf extensions.

Additionally, if a victim is using the Firefox browser, Vega Stealer will also collect specific database files that contain passwords and keys like key3.db, key4.db, logins.jason and cookies.sqlite.

What to look for

According to Proofpoint, the Vega Stealer campaign is targeting businesses in the marketing, advertising, public relations and retail/manufacturing sector.

The malware is being distributed via phishing emails with subject lines like “Online store developer required.”

While some of the emails are sent to specific targets, others were sent to common distribution lists of the target domains such as “info@,” “clientservice@,” and “publicaffairs@.”

The malicious email contains an attachment called “brief.doc,” which has nasty macros that will download Vega Stealer.

Install method

Vega Stealer is downloaded in two steps. First, the document runs a hidden PowerShell script that grabs the Vega Stealer installer from the attacker’s server.

The installer is then saved on the victim’s “Music” folder with the name “ljoyoxu.pkzip.” Once saved, Vega Stealer will automatically install (via command line) and start collecting information.

It is important to mention that the August Stealer phishing emails were sent to some of the same targets and the August Stealer macros came from the same IP address, suggesting that the two campaigns are related.

However, instead of “brief.doc,” the August Stealer campaign used a macro document called “engagement letter.doc” and subject lines like “Item return” and “Our company need online store from a scratch.”

Proofpoint stated that it’s still unknown if Vega Stealer is simply a modification of August Stealer for this particular campaign. It’s also possible that it will become another common malware strain that will be used in other campaigns.

Although Vega Stealer is not that advanced, its delivery system is similar to other larger threats and it has the potential to evolve into a more sophisticated data-stealing malware.

How to protect yourself from Vega Stealer

Be cautious with links

Do not follow unsolicited web links nor open attachments in email messages, it could be a phishing scam. Cybercriminals always try to fool you into clicking by using urgent sounding subject lines and attachments.

Be careful with macros

You should never download Word or Excel files attached to unsolicited emails to begin with. If you do open one of these documents and it says that you need to turn on macros, close the file and delete it immediately.

Have strong security software

Make sure you’re using strong antivirus software on all of your gadgets. And keep all your software up to date for the best protection. This is the best way to keep your device from being infected with malware.

Use unique passwords

Many people use the same password for multiple websites. This is a terrible mistake. If your credentials are stolen from one site and you use the same username and/or password on others, it’s easy for the cybercriminal to get into each account.

Set up two-factor authentication 

Two-factor authentication, also known as two-step verification, means that to log in to your account, you need two ways to prove you are who you say you are. This adds an extra layer of security and should be used whenever a site makes it available. Click here to learn how to set up two-factor authentication.

In other news, tools you’re using to secure emails have a flaw — what to use to send secure messages

Are you familiar with email encryption? You’re probably using it now without knowing it. In simple terms, it’s a system where your messages are scrambled so if someone manages to snoop on your email communications, all they’ll see is encrypted gibberish. However, security researchers have discovered a serious vulnerability that’s putting every email user at risk. App background

Check out the free App!

Get tech updates and breaking news on the go with the App, available in the Apple and Google Play app stores.

Get it today