Vega Stealer Malware Takes Aim at Chrome, Firefox

A malware dubbed Vega Stealer has been uncovered, looking to make off with saved credentials and credit-card information in the Chrome and Firefox browsers. While it’s a simple payload for now, researchers said it has the ability to evolve into something more concerning in the future.

Proofpoint, which was first to observe the bad code making the rounds in the cyber-firmament, said the malware is a variant of August Stealer. It has a subset of the parent malware’s functionality as well as additional features.

In addition to stealing browser data, Vega shares August's ability to exfiltrate Word, Excel, PDF and text files from an infected machine (Proofpoint pointed out, however, that August does not have this hard-coded in the malware; rather, it is configurable in the C&C panel). Also, the Chrome browser-stealing functionality in Vega is a subset of the August code; August also stole from other browsers and applications, such as Skype and Opera.

Vega’s new functionality includes a new network communication protocol and expanded Firefox stealing functionality.

Researchers at Proofpoint saw Vega being delivered via a low-volume email campaign, with subjects such as “Online store developer required,” spamming individuals as well as distribution lists. The messages contained a malicious attachment called “brief.doc,” with macros that download Vega.

Interestingly, the observed campaign has fairly narrow targeting: It’s taking aim at the marketing, advertising and public relations sector, along with retail and manufacturing.

Researchers said that the macros retrieve the payload in a two-step process: The document executes a request that retrieves an obfuscated JScript/PowerShell script. The execution of that script then creates a second request, which downloads the Vega Stealer payload to the user’s music directory. The malware is then executed automatically via the command line.
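For defenders, the chain described above leaves two observable process-creation patterns: an Office application starting a script interpreter, and an executable running out of a user's Music folder. The following is an added detection sketch, not code from Proofpoint or from the article; the event field names, host names and the payload file name (a placeholder, since the article does not name the file) are constructed, and it assumes the macro launches the script interpreter as a child of the Office process.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# Any .exe path located inside a user's Music folder.
MUSIC_EXE = re.compile(r"\\users\\[^\\]+\\music\\.*\.exe\b", re.IGNORECASE)

def classify(event):
    """Return the delivery-chain stages one process-creation event matches."""
    stages = []
    parent = basename(event["parent"]).lower()
    child = basename(event["image"]).lower()
    if parent in OFFICE and child in SCRIPT_HOSTS:
        stages.append("office-spawns-script-host")
    if MUSIC_EXE.search(event["image"]) or MUSIC_EXE.search(event["cmdline"]):
        stages.append("exe-run-from-music-dir")
    return stages

def triage(events):
    """Return {host: sorted stages seen}; a host showing both stages is high priority."""
    seen = {}
    for ev in events:
        for stage in classify(ev):
            seen.setdefault(ev["host"], set()).add(stage)
    return {host: sorted(stages) for host, stages in seen.items()}

# Constructed sample events (not real telemetry); the payload name is a placeholder.
WORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
DROP = r"C:\Users\alice\Music\PAYLOAD_PLACEHOLDER.exe"
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent": WORD, "image": PS, "cmdline": "powershell.exe <script>"},
    {"host": "WS-01", "parent": PS, "image": CMD, "cmdline": "cmd.exe /c " + DROP},
    {"host": "WS-01", "parent": CMD, "image": DROP, "cmdline": DROP},
    {"host": "WS-02", "parent": r"C:\Windows\explorer.exe", "image": WORD,
     "cmdline": r'WINWORD.EXE "C:\Users\bob\Documents\report.docx"'},
    {"host": "WS-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Windows Media Player\wmplayer.exe",
     "cmdline": r'wmplayer.exe "C:\Users\bob\Music\song.mp3"'},
]

if __name__ == "__main__":
    for host, stages in triage(SAMPLE_EVENTS).items():
        print(host, stages)
```

Ordinary use of Word and of media files in the Music folder (the WS-02 events) produces no findings; only the host where both stages appear is reported.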

This macro approach is similar not just to August, but also other bad code, like the Ursnif banking trojan, according to Proofpoint. This points to a tentative attribution, researchers said.

“We believe this is a commodity macro that is for sale and used by multiple actors, including the threat actor spreading Emotet banking trojan,” researchers said, in an analysis posted on Thursday. “However, the URL patterns from which the macro retrieves the payload are the same as those used by an actor we are tracking who distributes the Ursnif banking Trojan, which often downloads secondary payloads such as Nymaim, Gootkit or IcedID. As a result, we attribute this campaign to the same actor with medium confidence.”

Vega is written in .NET, and the sample observed dropping in the wild does not contain any packing or obfuscation methods – as such, it’s fairly stripped down. Proofpoint said that while Vega could be a special modification of August, created for this specific campaign, there are indications it could be used more widely in the future.

“While Vega Stealer is not the most complex or stealthy malware in circulation today, it demonstrates the flexibility of malware, authors and actors to achieve criminal objectives,” the firm’s researchers said. “Because the delivery mechanism is similar to more widely distributed and mature threats, Vega Stealer has the potential to evolve into a commonly found stealer.”

They added, “Vega Stealer…could have longer lasting impacts if further developed and distributed. Due to the distribution and lineage, this threat may continue to evolve and grow.”