
PSA: Vega Stealer Mines Saved Chrome & Firefox Passwords

A new piece of malware called Vega Stealer is making the rounds via targeted email messages carrying a compromised Microsoft Word file. Its aim is to steal credentials, passwords, and credit card details saved in Google Chrome and Firefox, and it can also exfiltrate files from the targeted computer. The malware runs through malicious macros embedded in a .doc file, so opening the document in Microsoft Word activates it. The macros and their ill effects may also work on Linux if the document is opened in a handler that supports macros, such as OpenOffice or LibreOffice.

The macros work in several steps. First, the document loads a cache of junk data from the macro stash; that junk is there to make it harder to find where the payload process starts, which is a request to load data from a command server. This pulls down a JScript/PowerShell object with expanded permissions that fetches the actual payload executable and saves it under the filename “ljoyoxu.pkzip” in the target computer’s Music folder. Once it is on the host machine, it runs and extracts automatically. The payload then pulls saved passwords and other information from Chrome, the specific files holding that data from Firefox, and document or spreadsheet file types from given directories on the victim machine. This appears to be the only functionality as of this writing, but the malware could easily be expanded in future iterations.
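The infection chain above gives a defender two cheap behavioural signals: an Office process spawning a script host, and a file named “ljoyoxu.pkzip” being written to a user’s Music folder. The following is an added example, not code from the article or from any vendor tooling; it runs a small detector over constructed Sysmon-style `key=value` event lines (the event format, field names and sample paths are assumptions made for the example).

```python
# Added example: flag the two behaviours described in the article over
# constructed endpoint events. Event format and field names are assumed.
import re
from typing import Dict, Iterable, List, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Drop location from the article: <user profile>\Music\ljoyoxu.pkzip
DROP_PATH = re.compile(r"\\users\\[^\\]+\\music\\ljoyoxu\.pkzip$", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'key=value key="quoted value"' lines into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def basename(path: str) -> str:
    """Return the lowercase file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, event_line) pairs for every matching event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("event") == "process_create":
            parent = basename(ev.get("parent_image", ""))
            child = basename(ev.get("image", ""))
            if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
                hits.append(("office_spawns_script_host", line))
        elif ev.get("event") == "file_create":
            if DROP_PATH.search(ev.get("target", "")):
                hits.append(("vega_payload_dropped", line))
    return hits


# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    'event=process_create parent_image="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" user=alice',
    'event=file_create image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" target="C:\\Users\\alice\\Music\\ljoyoxu.pkzip"',
    'event=process_create parent_image="C:\\Windows\\explorer.exe" image="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" user=alice',
    'event=file_create image="C:\\Windows\\explorer.exe" target="C:\\Users\\alice\\Documents\\report.docx"',
]

if __name__ == "__main__":
    for rule, line in detect(SAMPLE_EVENTS):
        print(rule, "<-", line)
```

The first rule is the more durable of the two, since a renamed drop file defeats the path check but a macro still has to launch something to fetch its payload.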

This malware appears to be a closely related variant of August Stealer with a few changed functions. Interestingly, the macro that kicks off the payload download has been seen in other malware in the past, almost down to the last line of code. That suggests this component was created by a third party and sold around the net to any attackers willing to pay for it. Naturally, this means Vega Stealer is almost certainly not the last malware that will spread in this fashion, and probably not even the last of its particular kind.