PhishMe Intelligence™ has uncovered a phishing campaign that delivers a new loader/browser plugin combination that we have dubbed Vulture Stealer. Vulture Stealer is a two-stage data stealer that includes a version of Banload banking trojan malware. However, paired with an extensive secondary stealer it can target and gather information beyond Banload’s reach within Google Chrome—effectively gathering any information entered within the compromised Chrome browser. This campaign, which uses Portuguese-language phishing messages, may be targeting Brazilian banks and their customers. This is the first time PhishMe® has observed Banload coupled with a malicious browser extension.
The phishing email, intending to appear as a budgetary or invoice document, includes a malicious HTML document that then retrieves and downloads the loader component of Vulture Stealer. At runtime, this application appears to be an Adobe Acrobat PDF installer.
Figure 1 – The loader executable launches a fake PDF reader installation prompt
When a victim accepts the installation of the faux PDF reader, a .zip archive carrying a .dat extension is downloaded; two executables are extracted from it and executed. The first executable deploys Banload, a ubiquitous malware family known for targeting the sign-in information of customers of Brazilian financial institutions, though it can also steal other general information. The second executable carries a set of Google Chrome extension files, which it places in the appropriate directory.
A .lnk shortcut file is then dropped to the desktop and, once clicked, launches a Google Chrome browser with the malicious extension loaded and prepared to steal all data entered therein.
The Google Chrome stealer launched by the .lnk file is signed with a revoked certificate, meaning either that the certificate was stolen and used to sign the file, or that it was registered to an entity controlled by the threat actor and later revoked by the certification authority.
Figure 2 – Suspicious signature information associated with malware
When loading the extension, the malware disables security features that might otherwise block the successful deployment of the Chrome stealer. The .lnk file launches Chrome with two arguments: one that disables the extensions file-access check, so the browser always allows extensions to inject script into file URLs, and one that always authorizes plugins, so Chrome no longer requires authorization before running certain plugins.
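The launch arguments described above are a useful hunting signal on their own: a browser started with those switches by a shortcut is rare outside of testing. The following detector is an added example, not PhishMe's code. It scans process-creation records in a Sysmon-like JSON shape (the records are constructed for the example) and flags Chrome launches that carry the two Chromium switches whose effects the report describes; the switch names are real Chromium command-line switches, while the process IDs, paths and events are assumptions made for the sample.

```python
"""Flag Google Chrome launches that carry security-weakening switches.

Added example, not PhishMe's code. Sample records are constructed in a
Sysmon-style (Event ID 1) JSON shape; only the two switch names are real
Chromium switches, chosen because the report describes their effects.
"""
import json
import re

# Switch name -> why a defender cares. Both are genuine Chromium switches.
RISKY_SWITCHES = {
    "--disable-extensions-file-access-check":
        "extensions may inject script into file:// URLs without the per-extension check",
    "--always-authorize-plugins":
        "plugins run without prompting the user for authorization",
}

CHROME_IMAGE_NAMES = {"chrome.exe"}

# Constructed telemetry: a normal launch, a launch matching the report,
# and a non-browser process that happens to carry one of the switches.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "ProcessId": 4120,
                "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'}),
    json.dumps({"EventID": 1, "ProcessId": 5288,
                "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                               r"--disable-extensions-file-access-check --always-authorize-plugins"}),
    json.dumps({"EventID": 1, "ProcessId": 5300,
                "Image": r"C:\Windows\System32\notepad.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r"notepad.exe --always-authorize-plugins"}),
]

# A long-form switch is a whitespace-delimited token starting with "--";
# any "=value" suffix is deliberately left out of the match.
SWITCH_RE = re.compile(r"(?<!\S)(--[A-Za-z0-9-]+)")


def extract_switches(command_line):
    """Return the lower-cased set of long-form switches in a command line."""
    return {s.lower() for s in SWITCH_RE.findall(command_line)}


def image_basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_events(event_lines):
    """Return one alert per Chrome launch whose switches intersect RISKY_SWITCHES."""
    alerts = []
    for line in event_lines:
        ev = json.loads(line)
        if ev.get("EventID") != 1:
            continue
        if image_basename(ev.get("Image", "")) not in CHROME_IMAGE_NAMES:
            continue
        hits = extract_switches(ev.get("CommandLine", "")) & set(RISKY_SWITCHES)
        if hits:
            alerts.append({
                "pid": ev["ProcessId"],
                "parent": image_basename(ev.get("ParentImage", "")),
                "switches": sorted(hits),
                "reasons": [RISKY_SWITCHES[s] for s in sorted(hits)],
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} (parent {alert['parent']}): "
              f"{', '.join(alert['switches'])}")
```

The parent image is carried through so an analyst can tie the launch back to an `explorer.exe`-spawned shortcut rather than a developer's terminal; the match is on the Chrome image name rather than the full path so that per-user installs are covered too.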
Figure 3 – Harmful browser extensions can give attackers access to a wealth of private information
Once installed, the malicious Chrome plugin listens for all HTTP POST and PUT requests made in the browser and forwards them to a port on the local machine (localhost, port 5555), where a separate executable listens on that port and relays the information to an external command and control host.
This is uncommon behavior: most stealers transmit data directly to an external resource and do not deploy a separate executable to listen on a localhost port. The redirection of information from the Google Chrome browser to localhost:5555 is documented in the figure below. This anomaly suggests the Vulture Stealer creator may lack sophistication; alternatively, the extra hop may have been introduced to complicate the exfiltration path in a way that could increase the likelihood of evading detection.
Excerpts from the plugin's code show how data sent during a sign-in transaction, with a location (redacted) held as the content of the variable named 0x8987x3, is stored as byte data and then sent via WebSocket to the listener on port 5555 of the local machine.
Figure 4 – Code excerpts demonstrate how a plugin can use a local listener to exfiltrate data
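The two-hop design described in the preceding paragraphs (browser to localhost:5555, then a second process to the command and control host) is exactly the kind of relationship that is invisible when each connection is judged on its own but obvious once three records are joined. The correlation below is an added example, not PhishMe's code. It works over network-connection records in a Sysmon-like (Event ID 3) shape, constructed here for the example; the relay process name `relay.exe`, the process IDs and the external address (a documentation-range IP) are placeholders, not indicators from the report.

```python
"""Correlate a browser-to-loopback connection with the listener's outbound traffic.

Added example, not PhishMe's code. Records are constructed in a Sysmon
network-connection (Event ID 3) shape. "relay.exe", the PIDs and the
203.0.113.x addresses are placeholders, not indicators from the report.
"""
import ipaddress
from collections import defaultdict

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Explicit RFC 1918 list: ipaddress.is_global would treat the documentation
# range used in the sample as private, which would hide the third leg.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
RELAY = r"C:\Users\victim\AppData\Roaming\relay.exe"   # placeholder path
NODE = r"C:\Program Files\nodejs\node.exe"

# Constructed sample: the report's chain, ordinary browsing, and a benign
# local dev server that a browser also talks to over loopback.
SAMPLE_EVENTS = [
    # Leg 1: the browser connects to the loopback listener on 5555
    {"EventID": 3, "ProcessId": 5288, "Image": CHROME, "Initiated": True,
     "SourceIp": "127.0.0.1", "SourcePort": 49710, "DestinationIp": "127.0.0.1", "DestinationPort": 5555},
    # Leg 2: the accepting side of that connection, logged by the listener process
    {"EventID": 3, "ProcessId": 6012, "Image": RELAY, "Initiated": False,
     "SourceIp": "127.0.0.1", "SourcePort": 5555, "DestinationIp": "127.0.0.1", "DestinationPort": 49710},
    # Leg 3: the listener process reaches out to an external host
    {"EventID": 3, "ProcessId": 6012, "Image": RELAY, "Initiated": True,
     "SourceIp": "192.168.1.20", "SourcePort": 49711, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Ordinary browsing: browser straight to an external host (expected, not a chain)
    {"EventID": 3, "ProcessId": 5288, "Image": CHROME, "Initiated": True,
     "SourceIp": "192.168.1.20", "SourcePort": 49712, "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    # Benign: browser to a local dev server that never talks outbound
    {"EventID": 3, "ProcessId": 5288, "Image": CHROME, "Initiated": True,
     "SourceIp": "127.0.0.1", "SourcePort": 49713, "DestinationIp": "127.0.0.1", "DestinationPort": 3000},
    {"EventID": 3, "ProcessId": 7100, "Image": NODE, "Initiated": False,
     "SourceIp": "127.0.0.1", "SourcePort": 3000, "DestinationIp": "127.0.0.1", "DestinationPort": 49713},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_external(ip_text):
    """True for addresses outside loopback, link-local and RFC 1918 space."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback or ip.is_link_local:
        return False
    return not any(ip in net for net in RFC1918)


def find_relay_chains(events):
    """Return one record per (browser -> loopback port -> listener -> external host) chain."""
    conns = [ev for ev in events if ev.get("EventID") == 3]

    # Leg 1: browser-initiated connections to a loopback port.
    browser_hits = [(ev["DestinationPort"], ev["ProcessId"]) for ev in conns
                    if ev["Initiated"] and basename(ev["Image"]) in BROWSER_IMAGES
                    and ipaddress.ip_address(ev["DestinationIp"]).is_loopback]

    # Leg 2: the non-browser process that accepted on that loopback port.
    listeners = {ev["SourcePort"]: (ev["ProcessId"], basename(ev["Image"])) for ev in conns
                 if not ev["Initiated"] and ipaddress.ip_address(ev["SourceIp"]).is_loopback
                 and basename(ev["Image"]) not in BROWSER_IMAGES}

    # Leg 3: any process's initiated connections to external addresses.
    outbound = defaultdict(list)
    for ev in conns:
        if ev["Initiated"] and is_external(ev["DestinationIp"]):
            outbound[ev["ProcessId"]].append(f"{ev['DestinationIp']}:{ev['DestinationPort']}")

    chains = []
    for port, browser_pid in browser_hits:
        if port not in listeners:
            continue
        relay_pid, relay_image = listeners[port]
        if relay_pid not in outbound:
            continue   # a local listener with no outbound leg is not a relay
        chains.append({"browser_pid": browser_pid, "local_port": port,
                       "relay_pid": relay_pid, "relay_image": relay_image,
                       "external": sorted(outbound[relay_pid])})
    return chains


if __name__ == "__main__":
    for chain in find_relay_chains(SAMPLE_EVENTS):
        print(f"browser pid {chain['browser_pid']} -> 127.0.0.1:{chain['local_port']} "
              f"({chain['relay_image']}, pid {chain['relay_pid']}) -> {', '.join(chain['external'])}")
```

Requiring all three legs is what keeps the false-positive rate manageable: browsers talk to loopback listeners all the time (dev servers, local proxies, password managers), and a listener that never connects outward, like the `node.exe` case in the sample, is left alone. In the report's variant the listener port is fixed at 5555, but the correlation deliberately keys on the port the browser actually used so that a rebuilt sample on a different port is still caught.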
Vulture Stealer provides an example of a unique interplay between otherwise simple components that together create an elaborate and creative data exfiltration scheme. Malware authors constantly seek new and innovative ways to evade technical controls and successfully steal private information. Furthermore, these techniques often rely not on high-profile, closely held exploitation but on simpler avenues. Combined with the tried-and-true delivery scheme provided by phishing email, attackers can construct elaborate, effective, reliable, yet simple means of gaining access to protected environments.
Don’t ever miss another threat – sign up for PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, completely free.
Phishing email subject:
Orçamento do pedido 197783 – 08/11/2017 16:22:11
Vulture Stealer binary:
Vulture Stealer exfiltration resource:
For more technical details, PhishMe Intelligence customers can reference our reporting in Threat ID 10297.
Mollie Holleman and Darrel Rendell contributed to this report.