New Windows Trojan Steals Browser Credentials, Outlook Files


The newly discovered Python-based malware family targets the Outlook processes, and browser credentials, of Microsoft Windows victims.

Researchers have discovered a new information-stealing trojan that targets Microsoft Windows systems with an onslaught of data-exfiltration capabilities, from collecting browser credentials to harvesting Outlook files.

The trojan, called PyMicropsia because it is built with Python, was developed by the threat group AridViper, researchers said. The group is known for targeting organizations in the Middle East.

“AridViper is an active threat group that continues developing new tools as part of their arsenal,” researchers with Palo Alto’s Unit42 research team said in a Monday analysis. “Also, based on different aspects of PyMicropsia that we analyzed, several sections of the malware are still not used, indicating that it is likely a malware family under active development by this actor.”


The trojan’s information-stealing capabilities include file uploading, payload downloading/execution, browser-credential stealing (and the ability to clear browsing history and profiles), taking screenshots and keylogging. In addition, the malware can collect file-listing information, delete files, reboot machines, collect information from USB drives and record audio, as well as harvest Outlook .OST files and kill or disable Outlook processes.

An OST file, also known as an Offline Outlook Data File, is used by Microsoft accounts, Exchange accounts and Outlook.com accounts “to store a synchronized copy of your mailbox information on your local computer,” according to Microsoft. OST files may contain email messages, contacts, tasks, calendar data and other account information.

The Trojan

The trojan has been made into a Windows executable with PyInstaller, a Python package that bundles Python applications into stand-alone executables. Once downloaded, the malware “implements its main functionality by running a loop, where it initializes different threads and calls several tasks periodically with the intent of collecting information and interacting with the C2 operator,” according to researchers.

The threat actor uses both built-in Python libraries and specific packages for information-stealing purposes – including PyAudio (enabling audio stealing capabilities) and mss (allowing screenshot capabilities).

“The usage of Python built-in libraries is expected for multiple purposes, such as interacting with Windows processes, Windows registry, networking, file system and so on,” said researchers.

PyMicropsia is related to the Micropsia malware family, another AridViper malware known for targeting Microsoft Windows. These links include code overlaps; similar tactics, techniques and procedures (TTPs), such as the use of rar.exe to compress data for exfiltration; and similar command-and-control (C2) communication URI path structures.
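As an added, defender-side example (not code from the Unit 42 analysis or from the malware), the following Python script turns two behaviours described above, rar.exe compressing Outlook .OST files for exfiltration and the Outlook process being killed, into detection rules run over constructed Sysmon-style process-creation events; the taskkill command is an assumed way of killing Outlook, since the article does not say how the trojan does it.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (EventID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\rar.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "CommandLine": r'rar.exe a -ep1 C:\Users\alice\AppData\Local\Temp\o.rar "C:\Users\alice\AppData\Local\Microsoft\Outlook\alice@corp.example.ost"'},
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "CommandLine": r"taskkill /F /IM outlook.exe"},
    {"Image": r"C:\Program Files\WinRAR\rar.exe",  # benign: user archiving a document
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r"rar.exe a C:\Users\alice\Documents\report.rar C:\Users\alice\Documents\report.docx"},
    {"Image": r"C:\Windows\System32\taskkill.exe",  # benign: killing another app
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"taskkill /F /IM notepad.exe"},
]

# Each rule: (name, required image basename, case-insensitive regex over the command line).
RULES = [
    ("rar_archives_outlook_ost", "rar.exe", re.compile(r"\.ost\b", re.I)),
    ("outlook_process_killed", "taskkill.exe", re.compile(r"/IM\s+outlook\.exe", re.I)),  # assumed kill method
]

def image_basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()

def match_rules(event):
    """Return the names of all rules one event satisfies."""
    base = image_basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    return [name for name, image, pattern in RULES if base == image and pattern.search(cmd)]

def detect(events):
    """Return (event index, rule name, parent image basename) for every match."""
    findings = []
    for i, ev in enumerate(events):
        for rule in match_rules(ev):
            findings.append((i, rule, image_basename(ev.get("ParentImage", ""))))
    return findings

def suspicious_parents(findings):
    """Parents that triggered every rule: one process both killing Outlook and archiving an OST."""
    by_parent = {}
    for _, rule, parent in findings:
        by_parent.setdefault(parent, set()).add(rule)
    return sorted(p for p, rules in by_parent.items() if len(rules) == len(RULES))

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("correlated parents:", suspicious_parents(hits))
```

Correlating both rules on the same parent process, rather than alerting on each alone, keeps legitimate WinRAR use and routine taskkill commands out of the alert queue.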

Micropsia has also made references to specific themes in its code and C2 implementations, including earlier references to TV shows such as The Big Bang Theory and Game of Thrones. Of note, in PyMicropsia’s code variables, researchers found references to famous actors, Fran Drescher and Keanu Reeves, which “seems in line with previous observations of themes,” said researchers.

AridViper: Active Development

While investigating PyMicropsia’s capabilities, researchers said they also identified two additional samples hosted in the attacker’s infrastructure.

The additional samples, which are downloaded and used by the trojan during its deployment, provide persistence and keylogging capabilities. They are not Python/PyInstaller based.

While PyMicropsia is designed to target Windows operating systems only, researchers found snippets in the code that check for other operating systems (such as “posix” or “darwin”). POSIX, the Portable Operating System Interface, is a family of standards used for maintaining compatibility between operating systems; Darwin is an open-source Unix-like operating system.

“This is an interesting finding, as we have not witnessed AridViper targeting these operating systems before and this could represent a new area the actor is starting to explore,” they said. “For now, the code found is very simple, and could be part of a copy and paste effort when building the Python code, but in any case, we plan to keep it on our radar while researching new activity.”

This article was updated on Oct. 15 at 2pm ET to reflect a more accurate description of OST files.



Discussion

  • TheCorrector on

    OST definition is incorrect, google it, and POSIX info listed is only half right, POSIX is an attempt to create a standard version of UNIX.
  • ExchangeNinja on

    PST archives are offline files, OST are a cached version of a mailbox and not all folders in an OST sync with the server
  • Marko on

    I can't believe it's 2020 and browsers still don't encrypt stored credentials. Probably the easiest way to steal someone's password.
  • Andre De Beer on

    How is this trojan presented to the end user? Is it linked to specific software being downloaded or certain websites they visit?
    • Tara Seals on

      Like any malware, it can be delivered via a malicious link, a malicious attachment in an email, via software download or via a watering-hole (website visit) attack. The researchers didn't say how this particular sample was being delivered, however.
