Cybersecurity researchers at FortiGuard Labs have uncovered a cunning email phishing campaign targeting unsuspecting victims by leveraging deceptive hotel reservations.
The sophisticated phishing attack involves the deployment of a malicious PDF file, triggering a sequence of events culminating in the activation of the MrAnon Stealer malware.
MrAnon Stealer Thrives Within Malicious PDF Files
A new dangerous breed of malware dubbed "MrAnon Stealer" is said to be thriving in PDF links. It is disguised as a "fake" email about hotel reservations.
As first reported by Hackread, the attackers, rather than relying on intricate technical methods, cleverly masquerade as a hotel reservation company. They send phishing emails with the subject line "December Room Availability Query," containing fabricated holiday season booking details. Disguised within the malicious PDF file is a downloader link, initiating the phishing attack.
Upon analysis, FortiGuard Labs experts revealed a multi-stage process involving .NET executable files, PowerShell scripts, and deceptive Windows Form presentations. The attackers adeptly navigate through these stages, employing tactics like false error messages to conceal the successful execution of the MrAnon Stealer malware.
Related Article: Google Calendar Bug Creates Fake Events Based on Gmail Content
Stealthy MrAnon Stealer Operations
The MrAnon Stealer, operating on Python, executes discreetly, using cx-Freeze to compress its activities and evade detection mechanisms. Its meticulous process involves capturing screenshots, retrieving IP addresses, and extracting sensitive data from various applications.
The cybercriminals behind this malware spread terminate specific processes, mimicking legitimate connections to fetch IP addresses, country names, and country codes.
What's worse, the stolen data, encompassing credentials, system information, and browser sessions, undergoes compression, is secured with a password, and is then uploaded to a public file-sharing website.
MrAnon Stealer Can Gather Data From Various Sources
According to FortiGuard Labs, the MrAnon Stealer can harvest information from cryptocurrency wallets, browsers, and messaging apps, including Discord, Discord Canary, Element, Signal, and Telegram Desktop. Notably, it targets VPN clients like NordVPN, ProtonVPN, and OpenVPN Connect.
For command and control purposes, the attackers utilize a Telegram channel as a communication medium. The stolen data, along with system information and a download link, is transmitted to the attacker's Telegram channel using a bot token.
Strategic Evolution of the MrAnon Stealer Campaign
This malicious campaign, actively operational and aggressive in November 2023, primarily focused on Germany, evident from the surge in queries for the downloader URL during that period. The cybercriminals exhibit a strategic approach, transitioning from Cstealer in July and August to the more potent MrAnon Stealer in October and November.
With online vulnerabilities at an all-time high, users are strongly advised to exercise caution, especially when dealing with unexpected emails containing dubious attachments.
The keys to thwarting cybercriminal attempts lie in cautiousness and common sense, essential in safeguarding against the exploitation of human vulnerabilities and ensuring online security.
Aside from phishing scams involving fake hotel reservations, another form of scam dubbed "OpenTable" is targeting customers who book restaurant reservations.
Since the person will no longer go physically to the place, the hackers will take advantage of the situation by luring them to click links through an app.
Read Also: Lazarus Group Still Exploits Log4Shell: What Are Andariel's Recent Cyberattacks?
