National Cyber Warfare Foundation (NCWF) Forums


MrAnon Stealer Attacking Windows Users Via Weaponized PDF Files


0 user ratings
2023-12-11 12:42:07
milo
Red Team (CNA)

 - archive -- 

Phishing emails targeting Windows users were discovered, tricking users into opening a malicious PDF file called “MrAnon Stealer” that spreads malware by using fake booking details. To obtain the final malware, the PowerShell script is executed by the PDF after it has downloaded a.NET executable file made with PowerGUI. Credentials, system data, browser sessions, and […]


The post MrAnon Stealer Attacking Windows Users Via Weaponized PDF Files appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



Phishing emails targeting Windows users were discovered, tricking users into opening a malicious PDF file called “MrAnon Stealer” that spreads malware by using fake booking details.





To obtain the final malware, the PowerShell script is executed by the PDF after it has downloaded a.NET executable file made with PowerGUI.





Credentials, system data, browser sessions, and cryptocurrency extensions were all stolen by Mr. Alan Stealer.





Attack Flow of MrAnon





According to FortiGuard Labs, this malware is a Python-based information stealer that has been compressed with cx-Freeze to avoid detection.





The majority of queries to the downloader URL came from Germany, indicating that the country was the attack’s main target.





November 2023 had a notable increase in the number of inquiries for this URL, suggesting a more vigorous and active marketing during that month.





Attack Flow
Attack Flow




Posing as a company seeking to book hotel rooms, the attacker sends phishing emails with the subject line “December Room Availability Query.” The body includes fake hotel reservation information for the upcoming holidays. 





Phishing Email
Phishing Email




Researchers say a downloader link for the malicious PDF file is concealed in the stream object.





The malicious PDF file
The malicious PDF file




Researchers discovered that the malware employed the PowerShell script editor, which converts PowerShell scripts into Microsoft executable files, by looking through the strings in the class “Loader.”





“The script initiates the loading of a Windows Form and configures its settings, including form, label, and progress bar. Additionally, it defines text within the execution of the subsequent script to mitigate user suspicions”, FortiGuard Labs shared in a report with Cyber Security News.





In this scenario, a window labeled “File Not Supported” appears along with a status message that reads, “Not Run: python.exe.” This misleading presentation aims to trick users into thinking that the malware hasn’t been effectively executed.





“The malware uses PowerGUI and cx-Freeze tools to create a complex process that involves .NET executable files and PowerShell scripts,” researchers said.





MrAnon Stealer’s support channel offers more features, advertises the product, and has a page where users can buy all related tools.





MrAnon Stealer's telegram channel
MrAnon Stealer’s telegram channel




Data and sensitive information are stolen from many applications, compressed, and uploaded to the threat actor’s Telegram channel and a public file-sharing website. As a result, users are cautioned to avoid opening suspicious PDF files and phishing emails.


The post MrAnon Stealer Attacking Windows Users Via Weaponized PDF Files appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



Source: gbHackers
Source Link: https://gbhackers.com/mranon-stealer-attacking-windows/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Red Team (CNA)



Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.