Malware Alert ! Vega stealer malware harvests saved credentials from browsers

Vega Stealer is the new malware that is spreading in the cyberworld, specifically designed to harvest financial data and saved credentials from chrome and Firefox browsers. Vega Stealer is categorised as a variant of August Stealer.Written in .NET, August Stealer locates and steals credentials, sensitive documents, and cryptocurrency wallet details from infected machines. While the new malware is only being utilized in simplistic “trials” and smaller phishing campaigns at the moment, researchers from Proofpoint say that Vega Stealer has the all potentials to become a common threat to businesses in the near future.


When the Firefox browser is in use, the malware harvests specific files — “key3.db” “key4.db”, “logins.json”, and “cookies.sqlite” — which store various passwords and keys. It can also scan the infected machine for files ending in .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdf for exfiltration.

First discovery and Target audience
The macros when enabled downloads the malware

On May 8, 2018, the attack was observed and  a low-volume email campaign with subjects such as “Online store developer required.” was blocked by proofpoint. While some emails were sent to individuals, others were sent to distribution lists including “[email protected]”, “[email protected]”, and “[email protected]” at the targeted domains, an approach that has the effect of amplifying the number of potential victims. The messages contained a malicious attachment called “brief.doc” bearing macros that downloaded the Vega Stealer payload.

The narrow set of target audience for the malware campaign were Marketing, Advertising, Public Relations, Retail and Manufacturing industries.

How Vega Stealer is spreading

Vega Stealer is spreading via phishing e-mails with a subject line “Online store developer required.”

The mail contains an attachment called “brief.doc” in which the malicious macros is encrypted.

On running the macro, the Vega Stealer payload is deployed on the device in the Music directory by the name “ljoyoxu.pkzip.”

On deployment, the malware runs and extracts information stealthily.



Who is behind this attack

Proofpoint believes that the document macro and URLs involved in the campaign may point towards the same threat actor responsible for campaigns spreading financial malware. However, such attribution is made tentatively.

“The document macro utilized in this campaign is a commodity macro that we believe is for sale and used by multiple actors, including the threat actor spreading Emotet banking Trojan,” the researchers say.

“However, the URL patterns from which the macro retrieves the payload are the same as those used by an actor we are tracking who distributes the Ursnif banking Trojan, which often downloads secondary payloads such as Nymaim, Gootkit, or IcedID. As a result, we attribute this campaign to the same actor with medium confidence.” – Proofpoint report.

Removal of malware

Though there are several methods floating around, there is still not a consolidated removal. Please watch this space for the provan removal of the malware.

Cybersecurity is one of the major areas that is going through tremendous improvements. With support of bots and artificial intelligence these threats could be comparably prevented in the near future.




Mukundan Govindaraj

VR/AR/MR Architect & Creative Director | Futurist Extensive experience in immersive technologies (augmented reality, virtual reality and mixed reality) and new markets, that are steadily changing the world around us, with a strong foundation in Unity game engine, web & mobile technologies and Computer-generated imagery(CGI) pipeline.

Leave a Reply

Notify of