An active threat actor is customizing droppers to infect machines and steal credentials and other data from browsers. Researchers warn that the hackers are putting a new spin on old injection techniques and successfully sidestepping endpoint protection. They are tracking a campaign that kicked off in January and is still going strong, exploiting weaknesses in web browsers. The objective is to hide in the background of infected systems in order to steal user passwords, track online habits and hijack personal information.
The hackers use custom droppers that inject the final malware into common processes on the victim's machine. Once a system is infected, the malware can steal information from many popular pieces of software, including the Google Chrome, Safari and Firefox web browsers. The injection techniques themselves have been in use for many years, but the new, custom capabilities layered on top of them make the malware difficult for anti-virus products to detect.
The first stage is typically an email with a malicious attachment that is actually an ARJ archive, a compression format from the 1990s once favored by software pirates for packaging files into archives. Instead of splitting content across multiple files, however, the hackers behind the recent dropper campaigns attach a single executable inside the archive. They are relying on this old format because they hope it will slip past weak email security gateways.
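A gateway that trusts the attachment's extension is exactly what this delivery tactic counts on. The following Python is an added defender-side example, not code from the article or from the researchers it cites: it identifies an ARJ archive by its header bytes regardless of filename, walks the header chain to list the members, and flags archives that carry an executable. The header layout follows the ARJ format specification; `build_arj` constructs a synthetic stored-method archive for testing and is not a real sample.

```python
import struct
import zlib

ARJ_MAGIC = b"\x60\xea"          # every ARJ header (main and per-member) opens with these two bytes
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def list_arj_members(data: bytes) -> list:
    """Walk the ARJ header chain and return member filenames; nothing is decompressed or verified."""
    names, pos, is_main = [], 0, True
    while pos + 4 <= len(data):
        if data[pos:pos + 2] != ARJ_MAGIC:
            raise ValueError("bad ARJ header id at offset %d" % pos)
        hdr_size = struct.unpack_from("<H", data, pos + 2)[0]
        if hdr_size == 0:                       # zero-size header marks end of archive
            break
        basic = data[pos + 4:pos + 4 + hdr_size]
        name = basic[basic[0]:].split(b"\x00", 1)[0].decode("latin-1")  # basic[0] = first_hdr_size
        pos += 4 + hdr_size + 4                 # id + size + basic header + its CRC32
        while True:                             # extended headers: 2-byte size, data, 4-byte CRC, until size 0
            ext = struct.unpack_from("<H", data, pos)[0]
            pos += 2 + (ext + 4 if ext else 0)
            if ext == 0:
                break
        if is_main:
            is_main = False                     # main header describes the archive, not a member
        else:
            names.append(name)
            pos += struct.unpack_from("<I", basic, 12)[0]   # skip the member's compressed bytes
    return names


def classify_attachment(data: bytes) -> tuple:
    """Content-based verdict: ('not-arj' | 'arj' | 'suspicious', member names). Filename is ignored."""
    if data[:2] != ARJ_MAGIC:
        return "not-arj", []
    members = list_arj_members(data)
    hit = any(m.lower().endswith(EXEC_EXTS) for m in members)
    return ("suspicious" if hit else "arj"), members


def build_arj(members: list) -> bytes:
    """Build a minimal stored-method ARJ stream for testing (constructed sample, not real malware)."""
    def hdr(basic: bytes) -> bytes:
        return ARJ_MAGIC + struct.pack("<H", len(basic)) + basic + struct.pack("<I", zlib.crc32(basic)) + b"\x00\x00"
    main = bytes([30, 11, 1, 0, 0, 2, 2, 0]) + b"\x00" * 22       # first_hdr_size 30, file type 2 = main header
    out = hdr(main + b"sample.arj\x00\x00")
    for name, payload in members:
        fixed = bytes([30, 11, 1, 0, 0, 0, 0, 0]) + b"\x00" * 4 + struct.pack("<III", len(payload), len(payload), zlib.crc32(payload)) + b"\x00" * 6
        out += hdr(fixed + name.encode("latin-1") + b"\x00\x00") + payload
    return out + ARJ_MAGIC + b"\x00\x00"                           # end-of-archive marker
```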
If the file is opened, it goes through several more steps to elude detection, including decrypting its payload only in memory immediately before execution, so the decrypted code never touches the hard drive. In this way, it can inject a dropper such as AgentTesla onto a victim's machine, which is capable of stealing credentials from most browsers, email clients, SSH/SFTP/FTP clients and other software.
This attack is more evidence of how hackers are crafting modern malware to fly under the radar of current AV and basic security protections. Any internet user is a potential target, and an infection can strip away a user's online privacy entirely.