Malware writers target companies and public and private institutions by tricking employees into downloading a password stealer disguised as a confidential corporate document addressed to employees only.
The document, delivered as a ZIP file, is attached to an e-mail addressed to company employees and marked confidential. The sender's address is spoofed so that the mail appears to come from the DocuSign Electronic Signature Service, on behalf of the administrative department of the employer company.
Under the pretext of viewing or printing a confidential document, recipients in fact download a password stealer that collects the passwords saved by their e-mail client (TheBat, Thunderbird, Outlook, or IncrediMail) and the website passwords saved in popular browsers such as Chrome, Firefox, Opera or Internet Explorer, and sends them to a remote attacker.
Using the remote desktop protocol (RDP), the Trojan attempts to log in to other machines by repeatedly trying a hard-coded list of weak but extremely common passwords, such as 123456, password, love, 123, password1, hello, monkey, 111111, iloveyou, online, and 123abc. People using stronger passwords are not vulnerable to these attempts.
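The RDP guessing described above leaves a characteristic trail on the targeted hosts: a burst of failed logons from one source, often against several account names, sometimes followed by a success. The following Python script is an added example (not code from the article or from Bitdefender) that scans such events for that pattern. The log lines are constructed to resemble Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP), flattened into an assumed key=value format; the threshold and time window are assumptions to tune for your environment. It also checks a candidate password against the guess list quoted in the article, so a password policy can reject exactly the values this Trojan tries.

```python
"""Detect RDP password-guessing bursts in failed-logon events (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real telemetry. Each mimics a Windows
# Security event flattened to key=value fields (assumed format). Event 4625 is
# a failed logon, 4624 a successful one; LogonType 10 is an RDP session attempt.
SAMPLE_LOG = """\
2024-01-15T09:00:01 EventID=4625 LogonType=10 TargetUser=alice Source=10.0.0.7
2024-01-15T09:00:03 EventID=4625 LogonType=10 TargetUser=alice Source=10.0.0.7
2024-01-15T09:00:04 EventID=4625 LogonType=10 TargetUser=bob Source=10.0.0.7
2024-01-15T09:00:06 EventID=4625 LogonType=10 TargetUser=admin Source=10.0.0.7
2024-01-15T09:00:08 EventID=4625 LogonType=10 TargetUser=admin Source=10.0.0.7
2024-01-15T09:00:09 EventID=4625 LogonType=10 TargetUser=carol Source=10.0.0.7
2024-01-15T09:00:10 EventID=4624 LogonType=10 TargetUser=carol Source=10.0.0.7
2024-01-15T09:05:00 EventID=4625 LogonType=10 TargetUser=dave Source=10.0.0.9
2024-01-15T09:30:00 EventID=4625 LogonType=10 TargetUser=dave Source=10.0.0.9
2024-01-15T09:31:00 EventID=4625 LogonType=2 TargetUser=erin Source=10.0.0.12
"""

# The hard-coded guess list quoted in the article, used here only so a
# password policy can refuse values known to be tried by this Trojan.
ARTICLE_GUESS_LIST = frozenset({
    "123456", "password", "love", "123", "password1", "hello",
    "monkey", "111111", "iloveyou", "online", "123abc",
})

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<ltype>\d+)"
    r"\s+TargetUser=(?P<user>\S+)\s+Source=(?P<src>\S+)$"
)


def parse_event(line):
    """Parse one assumed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event_id": int(m["eid"]),
        "logon_type": int(m["ltype"]),
        "user": m["user"],
        "source": m["src"],
    }


def find_rdp_guessing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source: summary} for sources with >= threshold RDP logon
    failures inside any sliding time window of length `window`."""
    failures = defaultdict(list)   # source -> [(timestamp, target user)]
    successes = defaultdict(list)  # source -> [timestamp]
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != 10:   # RDP attempts only
            continue
        if ev["event_id"] == 4625:
            failures[ev["source"]].append((ev["ts"], ev["user"]))
        elif ev["event_id"] == 4624:
            successes[ev["source"]].append(ev["ts"])

    alerts = {}
    for src, events in failures.items():
        events.sort()
        start, best = 0, 0
        # Two-pointer sweep: the densest run of failures within `window`.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = events[-1][0]
            alerts[src] = {
                "failures": len(events),
                "max_in_window": best,
                "users": sorted({u for _, u in events}),
                # A success after the burst is the case that needs urgent triage.
                "success_after": any(t > last_fail for t in successes.get(src, [])),
            }
    return alerts


def is_trivially_guessable(password):
    """True if the password is one of the values the article's Trojan tries."""
    return password.lower() in ARTICLE_GUESS_LIST


if __name__ == "__main__":
    for src, info in find_rdp_guessing(SAMPLE_LOG).items():
        print(f"{src}: {info}")
```

On the constructed sample, only 10.0.0.7 is reported (six failures in eight seconds against four accounts, followed by a success); the two failures from 10.0.0.9 are 25 minutes apart and stay below the window, and the logon-type-2 event is ignored. In practice the same logic runs over events exported from the Windows Security log or a SIEM, with the window widened for slower guessing.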
The password stealer dubbed by Bitdefender as Trojan.Generic.KD.834485 also collects account information related to server names, port numbers, login IDs and FTP clients and cloud storage programs. All this data is posted on remote servers. Some variants may also download and execute further malware (including Zeus) on the compromised systems.
To stay safe from this type of scam, users are advised to keep their antivirus and other software updated, to be extra cautious with e-mails, especially those that include links and attachments, and to use strong passwords. Companies should also offer workers security training on a regular basis because, when an employee falls victim to an attack, the whole company is at risk.
This article is based on the technical information provided courtesy of Doina Cosovan, BitDefender Virus Analyst.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.