Cybercriminals are using Vega Stealer malware to target saved credentials and credit cards stored in Google Chrome and Firefox browsers and steal sensitive documents from infected computers, according to cybersecurity services provider Proofpoint.
Proofpoint observed and blocked a low-volume Vega Stealer email campaign last week. The campaign targeted companies in the following sectors:
- Public relations.
Vega Stealer email campaign messages contained malicious attachments, Proofpoint indicated. Each message included a macro that downloaded a Vega Stealer payload.
During a Vega Stealer attack, a macro retrieves a payload that is saved to a victim's computer in his or her "Music" directory, Proofpoint noted. After the Vega Stealer file is downloaded and saved, it is executed automatically on a victim's computer.
How Does Vega Stealer Impact Victims?
With Vega Stealer, cybercriminals can gather and exfiltrate a Chrome user's saved data, such as:
- Saved credit cards.
Furthermore, Vega Stealer enables cybercriminals to access Firefox files used to store various passwords and keys, Proofpoint said.
Vega Stealer represents flexible malware, according to Proofpoint. Going forward, Vega Stealer has the potential to evolve into a commonly used malware.
August Stealer: Here's What You Need to Know
Vega Stealer is a variant of August Stealer, malware that uses Word macros and PowerShell to steal credentials and sensitive documents from infected computers.
Proofpoint previously discovered an August email campaign used to send socially engineered emails with attached malicious documents. The email campaign targeted retailers and manufacturers with large business-to-consumer (B2C) sales operations.
August is obfuscated, according to Proofpoint. It uses a macro in its distribution campaigns that leverages evasion techniques and a fileless approach to load the malware onto a victim's computer via PowerShell.
In addition, August is difficult to detect both at the gateway and endpoint, Proofpoint noted. Organizations need email gateways with built-in sandbox evasion capabilities to identify August macros before they escalate. They also should provide cybersecurity education and training to limit the risk that malicious emails can infect employees' computers.