
Vega Stealer

Posted: May 16, 2018

The Vega Stealer is a spyware program that collects information from the Firefox and Chrome Web browsers. Its developers are circulating it via spam e-mails and may be targeting specific businesses and the staff who handle their documents and information, such as website developers and marketers. Because an infection shows almost no symptoms, users should protect their PCs and data by having an anti-malware product find and remove the Vega Stealer automatically.

The Confidentiality-Compromising Possibilities of a Single Document

A small but highly targeted series of attempts at installing spyware is active throughout various sectors of the business world, including advertising, public relations departments, manufacturing, and retail. The payload meant for delivery, the Vega Stealer, uses popular browsers as sources of information for collection and, like most forms of spyware, exhibits few symptoms that would give the victim any detectable warning. Malware experts also confirm non-browser functions in the Vega Stealer that make it an equal danger to PCs not used for Web surfing.

E-mail messages carrying the Vega Stealer's Trojan dropper may arrive in the inboxes of specific employees at targeted companies or of general departments (such as a public affairs address). The attached Word documents, disguised as harmless content, include an exploit that malware experts note is for sale within the Black Hat industry. It generates a PowerShell script that downloads the spyware, the Vega Stealer, which saves itself to the Music folder as a PKZIP-format file.

The Vega Stealer uses the .NET Framework and includes several features for collecting and transferring (exfiltrating) data from an infected Windows system. These functions are as follows:

  • The Vega Stealer takes information from Chrome and Firefox, including cookies, profile data, login credentials and credit card numbers.
  • The Vega Stealer searches all drives for files with document-related extensions, such as DOC, PDF, or TXT, and uploads them to the threat actor's C&C server.
  • While malware researchers also find the Vega Stealer capable of capturing screenshots, they have yet to confirm whether it takes them only once as part of its initial setup routine, at regular intervals, or on triggers (such as the user visiting a bank's website).
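The infection chain and the data-theft functions described above translate into behaviours a defender can hunt for on endpoint telemetry: an Office application spawning PowerShell, an archive dropped into the Music folder, a non-browser process reading Chrome or Firefox credential stores, and one process reading an unusual number of document files. The following Python routine is an added example, not code from the article or from any vendor; it replays constructed Sysmon/EDR-style events and applies those rules. The event shape, the process and file names, the file-read telemetry and the sweep threshold are all assumptions, not indicators from the page.

```python
"""Replay constructed endpoint events and flag Vega Stealer-like behaviour.

Added example; assumes an EDR that reports process creation, file creation
and file reads. Nothing here is a real indicator from the write-up.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
ARCHIVE_EXTS = {".pkzip", ".zip"}
BROWSERS = {"chrome.exe", "firefox.exe"}
# Chrome/Firefox profile files holding logins, cookies and payment data.
BROWSER_SECRETS = {"login data", "cookies", "web data",
                   "logins.json", "cookies.sqlite", "key4.db"}
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".txt"}
DOC_SWEEP_THRESHOLD = 20  # assumed: document reads by one process before alerting


@dataclass(frozen=True)
class Event:
    kind: str          # "process_create", "file_create" or "file_read"
    image: str         # full path of the acting process
    parent: str = ""   # parent image, for process_create events
    target: str = ""   # file path, for file events


def _name(path):
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (rule, process_name, detail) findings, in event order."""
    findings = []
    doc_reads = {}  # process name -> count of document-file reads
    for ev in events:
        image = _name(ev.image)
        if ev.kind == "process_create":
            parent = _name(ev.parent)
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                findings.append(("office_spawns_script_host", image, f"parent={parent}"))
            continue
        path = PureWindowsPath(ev.target)
        parts = {p.lower() for p in path.parts}
        suffix = path.suffix.lower()
        if ev.kind == "file_create" and suffix in ARCHIVE_EXTS and "music" in parts:
            findings.append(("archive_dropped_in_music", image, str(path)))
        elif ev.kind == "file_read" and image not in BROWSERS:
            if path.name.lower() in BROWSER_SECRETS:
                findings.append(("browser_secret_read_by_nonbrowser", image, str(path)))
            elif suffix in DOCUMENT_EXTS:
                doc_reads[image] = doc_reads.get(image, 0) + 1
                if doc_reads[image] == DOC_SWEEP_THRESHOLD:
                    findings.append(("document_sweep", image,
                                     f"{DOC_SWEEP_THRESHOLD} document reads"))
    return findings


def sample_events():
    """Constructed telemetry for the replay; file names are placeholders."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    word = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    chrome = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
    dropped = r"C:\Users\alice\Music\dropped.pkzip"       # placeholder name
    payload = r"C:\Users\alice\Music\payload.exe"         # placeholder name
    login_data = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
    ff_logins = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\logins.json"
    evs = [
        Event("process_create", ps, parent=word),
        Event("file_create", ps, target=dropped),
        Event("file_read", payload, target=login_data),
        Event("file_read", payload, target=ff_logins),
        # Benign noise: the browser reading its own store, Explorer opening a PDF.
        Event("file_read", chrome, target=login_data),
        Event("file_read", r"C:\Windows\explorer.exe",
              target=r"C:\Users\alice\Documents\report.pdf"),
    ]
    # The drive sweep: many document reads by the dropped payload.
    evs += [Event("file_read", payload, target=rf"D:\share\file{i}.docx")
            for i in range(DOC_SWEEP_THRESHOLD)]
    return evs


if __name__ == "__main__":
    for rule, proc, detail in detect(sample_events()):
        print(f"{rule:36} {proc:16} {detail}")
```

The rules are deliberately narrow: each one corresponds to a step the article describes, and the benign events in the sample (the browser reading its own credential file, Explorer opening a single PDF) produce no findings. In production the process and path lists would be tuned to the environment, and the sweep threshold set from a baseline of normal document access.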

Stopping an Eternal August in Your Inbox

The Vega Stealer is significant for the strong resemblance its code bears to a previous form of spyware, the August Stealer, which carries out similar attacks. While some of the Vega Stealer's features are hard-coded, making it less flexible than its likely ancestor, it remains highly functional and efficient at collecting data from business and government entities, as well as recreational users. Malware experts associate no high-visibility symptoms with Vega Stealer infections.

Although the Vega Stealer's Trojan dropper uses obfuscation to hide its identity, updated cyber-security software should remain capable of blocking this downloading exploit before the spyware's installation succeeds. Most anti-malware programs also may delete the Vega Stealer, although any information already taken remains at risk of misuse by unlawful entities. In particular, victims should consider changing passwords and related login credentials to prevent further attempts at subverting the security of their PCs and associated networks.

The Vega Stealer campaign may have a relationship to other threats, such as the old Win32/Spy.Ursnif of 2012, or the file-locking Trojan, Nymaim Ransomware. Since clicking a document rashly is the start of a story with numerous, sad endings, all PC users should consider the source before reading something new.
