FortiGuard Labs recently identified an email phishing campaign using deceptive booking information to entice victims into clicking on a malicious PDF file.
The PDF downloads a .NET executable file created with PowerGUI and then runs a PowerShell script to fetch the final malware, known as MrAnon Stealer.
This malware is a Python-based information stealer compressed with cx_Freeze to evade detection.
MrAnon Stealer steals its victims' credentials, system information, browser sessions, and cryptocurrency extensions.
The attached malicious PDF file has a downloader link hidden in the stream object.
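A link buried in a compressed stream object is invisible to a byte-level grep of the file, which is why the report stresses that it is "hidden". The following added example (not from the FortiGuard report) inflates each FlateDecode stream of a constructed sample PDF and reports any URLs or action keys found inside; the URL uses a placeholder domain, not a real indicator.

```python
import re
import zlib

# Constructed sample (not from the campaign): a minimal PDF whose link annotation sits
# in a FlateDecode stream, hidden from a raw grep. example.invalid is a placeholder.
HIDDEN_OBJECTS = (
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 540 760] "
    b"/A << /S /URI /URI (http://example.invalid/booking-details.pdf) >> >> endobj\n"
)
_COMPRESSED = zlib.compress(HIDDEN_OBJECTS)
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length " + str(len(_COMPRESSED)).encode()
    + b" >>\nstream\n" + _COMPRESSED + b"\nendstream\nendobj\n%%EOF\n"
)

STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n")  # stream dictionary followed by 'stream'
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct /Length only; '6 0 R' is skipped
URL_RE = re.compile(rb"https?://[^\s()<>]+")
ACTION_KEYS = (b"/URI", b"/Launch", b"/JavaScript", b"/SubmitForm")

def plain_grep_urls(data: bytes) -> list[str]:
    """What a naive grep of the raw file sees: nothing inside compressed streams."""
    return [u.decode("latin-1") for u in URL_RE.findall(data)]

def scan_pdf_streams(data: bytes) -> list[dict]:
    """Inflate each FlateDecode stream and report URLs and action keys found inside."""
    findings = []
    for idx, m in enumerate(STREAM_RE.finditer(data)):
        dictionary, start = m.group(1), m.end()
        length = LENGTH_RE.search(dictionary)
        if length:
            body = data[start:start + int(length.group(1))]
        else:  # indirect /Length: best-effort cut at the endstream keyword
            body = data[start:data.find(b"endstream", start)].rstrip(b"\r\n")
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # truncated or malformed stream: skip instead of crashing
        urls = [u.decode("latin-1") for u in URL_RE.findall(body)]
        keys = [k.decode() for k in ACTION_KEYS if k in body]
        if urls or keys:
            findings.append({"stream": idx, "urls": urls, "keys": keys})
    return findings
```

Running `scan_pdf_streams(SAMPLE_PDF)` surfaces the `/URI` action and its URL while `plain_grep_urls(SAMPLE_PDF)` returns nothing; real documents may also use other filters (e.g. ASCIIHex or LZW) or indirect stream lengths, which this check deliberately skips rather than guesses at.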
Examining the .NET executable file shown in Figure 6, we found that it utilizes ScriptRunner.
The packed file and PowerShell configurations are within the resources section of the file, as illustrated in Figure 7.
The script initiates the loading of a Windows Form and configures its settings, including form, label, and progress bar.
It defines text within the execution of the subsequent script to mitigate user suspicions.
Figure 10 illustrates the window and progress bar during the execution of the malware.
Tracing the initial call reveals that the executable file originates from the cx_Freeze tools.
This particular file encompasses the primary functions responsible for data theft.
The support channel for MrAnon Stealer is shown in Figure 18.
Upon investigation, we discovered analogous packed files utilizing cx_Freeze from July.
The campaign initially disseminated Cstealer in July and August but transitioned to distributing MrAnon Stealer in October and November.
In this attack, the threat actor sends phishing emails with fake room booking details, targeting specific regions.
The malware downloads and extracts files from a specific domain to run a harmful Python script.
Users should be wary of phishing emails and unexpected PDF attachments.
The FortiGuard CDR service can detect and disarm the malicious macros embedded in this email.
FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
This Cyber News was published on feeds.fortinet.com. Publication date: Thu, 07 Dec 2023 16:43:06 +0000