CyberSecurityBoard
Sponsor Register Login

MrAnon Stealer Spreads via Email with Fake Hotel Booking PDF

FortiGuard Labs recently identified an email phishing campaign using deceptive booking information to entice victims into clicking on a malicious PDF file.
The PDF downloads a.NET executable file created with PowerGUI and then runs a PowerShell script to fetch the final malware, known as MrAnon Stealer.
This malware is a Python-based information stealer compressed with cx-Freeze to evade detection.
MrAnon Stealer steals its victims' credentials, system information, browser sessions, and cryptocurrency extensions.
The attached malicious PDF file has a downloader link hidden in the stream object.
NET executable file shown in Figure 6, we found that it utilizes ScriptRunner.
The packed file and PowerShell configurations are within the resources section of the file, as illustrated in Figure 7.
The script initiates the loading of a Windows Form and configures its settings, including form, label, and progress bar.
It defines text within the execution of the subsequent script to mitigate user suspicions.
Figure 10 illustrates the window and progress bar during the execution of the malware.
Tracing the initial call reveals that the execution file originates from cx Freeze tools.
This particular file encompasses the primary functions responsible for data theft.
The support channel for MrAnon Stealer is shown in Figure 18.
Upon investigation, we discovered analogous packed files utilizing cx Freeze from July.
The campaign initially disseminated Cstealer in July and August but transitioned to distributing MrAnon Stealer in October and November.
In this attack, the threat attacker sends phishing emails with fake room booking details, aiming at specific regions.
The malware downloads and extracts files from a specific domain to run a harmful Python script.
Users should be careful of phishing emails and unclear PDF files.
The FortiGuard CDR service can detect and disarm the malicious macros embedded in this email.
FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.


This Cyber News was published on feeds.fortinet.com. Publication date: Thu, 07 Dec 2023 16:43:06 +0000


Cyber News related to MrAnon Stealer Spreads via Email with Fake Hotel Booking PDF

MrAnon Stealer Propagates via Email with Fake Hotel Booking PDF - FortiGuard Labs cybersecurity experts have discovered a sophisticated email phishing scheme that uses fraudulent hotel reservations to target unsuspecting victims. The phishing campaign involves the deployment of an infected PDF file, which sets off ...
6 months ago Cysecurity.news
MrAnon Stealer Spreads via Email with Fake Hotel Booking PDF - FortiGuard Labs recently identified an email phishing campaign using deceptive booking information to entice victims into clicking on a malicious PDF file. The PDF downloads a.NET executable file created with PowerGUI and then runs a PowerShell ...
7 months ago Feeds.fortinet.com
Sophisticated Booking.com Scam Targeting Guests with Vidar Infostealer - The 'How To' guide for targeting Booking.com customers is being offered for sale on the dark web, as well as on underground cybercrime forums, including Russian-speaking platforms such as XSS.IS. Cybersecurity firm Secureworks is alerting Booking.com ...
7 months ago Hackread.com
Booking.com Customers Scammed in Novel Social Engineering Campaign - Booking.com customers are being targeted by a novel social engineering campaign, which is "Paying serious dividends" for cybercriminals, according to new research by Secureworks. The researchers said the campaign, which they believe has been running ...
7 months ago Infosecurity-magazine.com
Booking.com customers targeted in hotel booking scam - Scammers are hijacking hotels' Booking.com accounts and using them as part of a hotel booking scam aimed at tricking guests into sharing their payment card information. Secureworks outlined an attack that occurred in October 2023, when a scammer ...
7 months ago Helpnetsecurity.com
Booking.com hackers increase attacks on customers - Hackers are increasing their attacks on Booking.com customers by posting adverts on dark web forums asking for help finding victims. Cyber-criminals are offering up to $2,000 for login details of hotels as they continue to target the people who are ...
7 months ago Bbc.com
Cybercrims target hotel staff for management credentials The Register - Cybercriminals are preying on the inherent helpfulness of hotel staff during the sector's busy holiday season. Researchers at Sophos said the latest malware campaign targeting hotels involves sending emails that play on the emotions of staff, while ...
6 months ago Go.theregister.com
Global malspam targets hotels, spreading Redline and Vidar stealers - The latest global malspam campaign targets the hotel industry, emphasizing the need to stay alert against such attacks at all times. Cybersecurity researchers at Sophos X-Ops have issued a warning to the hospitality industry about a sophisticated ...
6 months ago Hackread.com
Fake Browser Updates Targeting Mac Systems With Infostealer - A widely popular social engineering campaign previously only targeting Windows systems has expanded and is now using fake browser updates to distribute Atomic Stealer, a dangerous information stealer, to macOS systems. Experts say this could be the ...
7 months ago Darkreading.com
'Ov3r Stealer' Malware Spreads Through Facebook to Steal Crates of Info - The malware by design exfiltrates specific types of data such as geolocation, hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Office documents, and antivirus product information, according ...
4 months ago Darkreading.com
MrAnon Stealer Attacking Windows Via Weaponized PDF Files - To obtain the final malware, the PowerShell script is executed by the PDF after it has downloaded a.NET executable file made with PowerGUI. Credentials, system data, browser sessions, and cryptocurrency extensions were all stolen by Mr. Alan Stealer. ...
6 months ago Gbhackers.com
Email Security Trends And Predictions in 2024 - One of the most critical aspects of this broad topic is email security. Email security refers to the collective measures used to secure the access and content of an email account or service. An email service provider implements email security to ...
7 months ago Cybersecuritynews.com
Business Email Compromise Scams: Prevention and Response - We will also highlight red flags to watch out for in suspicious emails, emphasizing the importance of implementing robust email authentication methods and comprehensive employee training programs to enhance awareness and response capabilities. BEC ...
5 months ago Securityzap.com
RedLine Stealer Malware Deployed Via ScrubCrypt Evasion Tool - A new version of the ScrubCrypt obfuscation tool is being used to target organizations with the RedLine Stealer malware, fraud sensor network Human Security has warned. Human's Satori Threat Intelligence Team said it has uncovered the new build of ...
7 months ago Infosecurity-magazine.com
Facebook ads push new Ov3r Stealer password-stealing malware - A new password-stealing malware named Ov3r Stealer is spreading through fake job advertisements on Facebook, aiming to steal account credentials and cryptocurrency. The fake job ads are for management positions and lead users to a Discord URL where a ...
5 months ago Bleepingcomputer.com
Deceptive Cracked Software Spreads Lumma Variant on YouTube - FortiGuard Labs recently discovered a threat group using YouTube channels to distribute a Lumma Stealer variant. These YouTube videos typically feature content related to cracked applications, presenting users with similar installation guides and ...
5 months ago Feeds.fortinet.com
Essential Email and Internet Safety Tips for College Students - Your email is one of the most important digital assets and identities because it helps you create accounts on other platforms. Securing your email requires you to pay attention to your passwords, gadgets, and the links you engage with. The places you ...
5 months ago Securityboulevard.com
Hospitality Hackers Target Hotels' Booking.com Logins - Cyberattackers are hitting the digital road, looking to make some virtual stops at various hotels that contract with Booking.com to sell rooms. The idea is to phish the hotels' backend Booking.com logins, with the aim of taking over the accounts and ...
5 months ago Darkreading.com
Titan Stealer: A New Golang-Based Information Stealer Malware Emerges - A new Golang-based information stealer malware, dubbed Titan Stealer, is being advertised by threat actors through their Telegram channel. Uptycs security researchers Karthickkumar Kathiresan and Shilpesh Trivedi first documented the malware in ...
1 year ago Thehackernews.com
ESET Threat Report: ChatGPT Name Abuses, Lumma Stealer Malware Increases, Android SpinOk SDK Spyware's Prevalence - Cybersecurity company ESET released its H2 2023 threat report, and we're highlighting three particularly interesting topics in it: the abuse of the ChatGPT name by cybercriminals, the rise of the Lumma Stealer malware and the Android SpinOk SDK ...
6 months ago Techrepublic.com
Week in review: Booking.com hotel booking scam, Kali Linux 2023.4 released - Advanced ransomware campaigns expose need for AI-powered cyber defenseIn this Help Net Security interview, Carl Froggett, CIO at Deep Instinct, discusses emerging trends in ransomware attacks, emphasizing the need for businesses to use advanced AI ...
6 months ago Helpnetsecurity.com
What is an email signature? - An email signature - or signature block or signature file - is the block of text that appears at the end of an email message that provides more information about the sender. This can include details such as the sender's full name, occupation or job ...
6 months ago Techtarget.com
DocuSign scam targeted more than 10,000 inboxes: report - Scammers used a malicious DocuSign document in a campaign that tried to steal credentials belonging to more than 10,000 people across several organizations. Researchers at cybersecurity company Armorblox said the brand impersonation campaign targeted ...
1 year ago Therecord.media
February 1, 2024: A Date All Email Senders Should Care About - For any organization sending bulk email or high email volumes to Google and Yahoo accounts, there's one date you should have flagged on your calendar. On February 1st, guidance indicates you'll need to pay attention if you are sending over 5000 ...
5 months ago Feedpress.me
New Rhadamanthys stealer version enhances features, evasion - The developers of the Rhadamanthys information-stealing malware have recently released two major versions to add improvements and enhancements across the board, including new stealing capabilities and enhanced evasion. Rhadamanthys is a C++ ...
6 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)