Cybersecurity researchers have uncovered a novel targeted malspam operation deploying password-stealing malware.
The campaign was discovered by Sophos X-Ops and described in an advisory published today.
According to the report, the attackers employed social engineering tactics, utilizing emailed complaints about service issues or requests for information to establish trust with their targets before sending malicious links.
The methodology mirrors a previously uncovered campaign leading up to the US federal tax filing deadline in April 2023.
Sophos researchers Andrew Brandt and Sean Gallagher explained that the attackers’ social engineering tactics covered a broad spectrum, ranging from complaints about alleged violent incidents or theft during a guest’s stay to requests for information on accommodating guests with specific needs.
Once the hotel responded to the initial inquiry, the threat actors sent follow-up messages containing purported documentation or evidence, which contained a malware payload hidden in a password-protected archive file.
The attackers shared the files from public cloud storage services, such as Google Drive, using passwords like “123456” to enable victims to open the archives.
Notably, the malware payloads were designed to evade detection. They are large files exceeding 600 MB in size, with most of the content being space-filler zeroes.
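One defender-side triage check for this file-bloating trick, added here as an example and not code from the Sophos advisory: it streams a file, counts null bytes and the longest contiguous run of them, and flags files that are both large and mostly padding. The size and ratio thresholds, the `BloatReport` type and the constructed sample are assumptions for illustration.

```python
import os
import re
import tempfile
from dataclasses import dataclass

CHUNK = 1 << 20  # 1 MiB reads, so a 600 MB sample never sits in memory at once
NULL_RUN = re.compile(rb"\x00+")

@dataclass
class BloatReport:
    size: int
    null_bytes: int
    longest_null_run: int

    @property
    def null_ratio(self) -> float:
        return self.null_bytes / self.size if self.size else 0.0

def scan_null_padding(path: str) -> BloatReport:
    """Stream the file, counting null bytes and the longest contiguous null run."""
    size = null_bytes = longest = carry = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            size += len(chunk)
            null_bytes += chunk.count(0)
            carry_next = 0
            for m in NULL_RUN.finditer(chunk):
                run = m.end() - m.start()
                if m.start() == 0:
                    run += carry  # continues a run left open by the previous chunk
                longest = max(longest, run)
                if m.end() == len(chunk):
                    carry_next = run  # run may continue into the next chunk
            carry = carry_next
    return BloatReport(size, null_bytes, longest)

def is_bloated(r: BloatReport, min_size: int = 100 << 20, min_null_ratio: float = 0.9) -> bool:
    """Assumed triage rule: a big file whose bytes are overwhelmingly null padding."""
    return r.size >= min_size and r.null_ratio >= min_null_ratio

def build_sample(path: str, payload_len: int, pad_len: int) -> str:
    """Write a constructed sample: random 'payload' bytes followed by zero padding."""
    with open(path, "wb") as fh:
        fh.write(os.urandom(payload_len))
        fh.write(b"\x00" * pad_len)
    return path

if __name__ == "__main__":  # demo on a constructed 64 KiB payload + 3 MiB padding sample
    rep = scan_null_padding(build_sample(os.path.join(tempfile.gettempdir(), "constructed_sample.bin"), 64 << 10, 3 << 20))
    print(f"null_ratio={rep.null_ratio:.3f} longest_run={rep.longest_null_run} bloated={is_bloated(rep, min_size=1 << 20)}")
```

On real samples the default 100 MiB threshold applies; the demo lowers it so the small constructed file trips the rule.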
Additionally, the malware was signed with code-validation certificates, some of which were newly obtained during the campaign, while others appear to be fake.
The malware, identified as RedLine Stealer or Vidar Stealer variants, connected to a Telegram channel for command-and-control purposes. It exfiltrated data, including desktop screenshots and browser information, without establishing persistence on the host machine.
Sophos X-Ops said they have retrieved over 50 unique samples from cloud storage linked to this campaign, and indicators of compromise have been published on their GitHub repository.
“We have also reported the malicious links to the various cloud storage providers hosting the malware,” reads the advisory. “Most of those samples displayed few-to-no detections in Virustotal.”