
Ancient Hackhound Password Stealer Used in Industrial Espionage Campaign


Petrovic


Security researchers from McAfee have come across a compromised Web server meant to host C&C servers for different password stealers, which were used to target several companies as part of an industrial espionage campaign.

 

The mistake that allowed researchers to put all the clues together was the crooks' lack of attention to detail: they forgot to delete the C&C server's ZIP installation package from one of the compromised Web servers used to host several C&C servers.

 

By looking at the files in this ZIP file and the C&C server source code, McAfee researchers quickly identified the server-side component of the ISR Stealer, a modified version of the Hackhound infostealer, which, in turn, was an ancient piece of malware first spotted in 2009.

 

Crooks targeted companies that handled machinery parts
Researchers discovered that the crooks used the ISR Stealer malware builder to create a password stealer capable of stealing login credentials from applications such as Internet Explorer, Firefox, Google Chrome, Opera, Safari, Yahoo Messenger, MSN Messenger, Pidgin, FileZilla, Internet Download Manager, JDownloader, and Trillian.

Crooks were spreading this custom password stealer as RAR or Z files sent via spear-phishing emails to various companies that deal with machinery parts.

These RAR and Z files contained executables that would load the password-stealing malware. If victims downloaded the RAR/Z files and executed the EXE file found inside, the malware would collect all available passwords and submit the data to the C&C server as an HTTP request.

 

Campaign started back in January 2016
The ISR Stealer server-side component accepted the submitted data only if the user agent string was "HardCore Software For : Public", a value specific to its client-side component. The data would then be saved to a local INI file.
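Because the server only accepts uploads carrying that exact User-Agent, the same string is a high-confidence indicator in outbound web traffic. The following is an added example (not part of the article or McAfee's research) that flags proxy log entries with that User-Agent and lists the hosts they contacted; the log format, IPs and hostnames are constructed for illustration.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Exact User-Agent the ISR Stealer server-side component checks for (from the article).
ISR_STEALER_UA = "HardCore Software For : Public"

# Constructed sample proxy log (not real traffic). Assumed line format:
# <timestamp> <client_ip> <method> <url> <status> "<user_agent>"
SAMPLE_PROXY_LOG = """\
2016-01-14T09:12:03Z 10.1.4.22 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/43.0"
2016-01-14T09:12:07Z 10.1.4.22 POST http://compromised.example.net/isr/gate.php 200 "HardCore Software For : Public"
2016-01-14T09:13:41Z 10.1.4.35 GET http://cdn.example.org/lib.js 304 "Mozilla/5.0 (Windows NT 10.0) Chrome/47.0"
2016-01-14T09:15:02Z 10.1.4.35 POST http://other-compromised.example.net/panel/index.php 200 "HardCore Software For : Public"
"""

# One regex for the assumed log layout; the User-Agent is the quoted final field.
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def find_isr_stealer_beacons(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose User-Agent equals the ISR Stealer string."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, src, method, url, status, ua = m.groups()
        # Exact comparison: the stealer sends the string verbatim, so no fuzzy matching needed.
        if ua == ISR_STEALER_UA:
            hits.append({"timestamp": ts, "src": src, "method": method, "url": url})
    return hits


def c2_hosts(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct hosts contacted with the stealer User-Agent (candidate C&C servers to block)."""
    return sorted({urlparse(h["url"]).hostname for h in hits})


if __name__ == "__main__":
    beacons = find_isr_stealer_beacons(SAMPLE_PROXY_LOG)
    for b in beacons:
        print(f"{b['timestamp']} {b['src']} -> {b['url']}")
    print("candidate C&C hosts:", c2_hosts(beacons))
```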

 

Looking back at historical data, McAfee researchers discovered that this campaign had actually started back in January 2016 and that the crooks had compromised various websites where they hosted their C&C servers.

 

On one of these compromised websites, researchers discovered over ten C&C servers that were receiving data from different victims, showing that criminals weren't targeting just one company, but an entire class of firms that operated in one specific activity sector.

Article source
