August Stealer is a Trojan developed by crooks to steal valuable information. Even though it was first detected around the 20th of October, 2016, it can still be purchased on underground forums today, so it is not surprising that it remains active. August Stealer is distributed via socially-engineered emails carrying a malicious attachment. It also uses techniques designed to evade detection, so victims usually take a while to notice it on their computers; by the time it is detected, the author of this Trojan already holds some of their private information. The longer it stays active, the more information it steals. It is known that August Stealer might be dropped in the Music directory as ljoyoxu.pkzip, but there are no guarantees that this is the only malicious component you will have to take care of, so it would be best to clean the system using an automated malware remover.
The malicious macro that drops August Stealer on victims’ computers can be purchased on the dark web; the cyber criminal who buys it then has to arrange its distribution. August Stealer may be distributed differently in the future, but, at the time of research, it was mainly spread via emails addressing some kind of issue. These emails appear to have been sent only to customer service departments of large companies, but, theoretically, August Stealer could be used to steal information from individual users too. It is not always easy, but users can learn to recognize the emails distributing August Stealer, and those who do will not end up with this infection. The analysis showed that this infection is usually distributed as a Word document (.doc), so if you receive an email carrying such an attachment, inspect it very carefully before opening it. The subject line is another sign that an email is malicious. If it contains one of the following subject lines, there is a high probability that it promotes August Stealer:
As mentioned, August Stealer is more likely to target companies than individual users, but security specialists say individual users should still be cautious and not leave their PCs unprotected.
August Stealer is an info-stealing Trojan developed to steal data from affected computers. Malware analysts have observed that it can steal information from browsers (e.g. Mozilla Firefox, Google Chrome, Vivaldi Browser, U Browser, etc.), FTP clients (FileZilla, CoreFTP, SmartFTP, WinSCP, Total Commander, etc.), IM clients (Windows Live, Psi, etc.), cryptocurrency wallets, RDP remote connection files, and some other files and documents. It also sends purely technical information about the affected computer to its C&C server: the OS name, hardware ID, the victim’s username, and some other details. In addition, it checks whether a security application is enabled on the victim’s computer.
August Stealer appears to be distributed primarily via emails containing the .doc attachment. Unfortunately, it is still not easy to detect, because the infection is obfuscated with Confuser. Additionally, the malicious campaign uses a fileless approach, and PowerShell has been observed dropping the Trojan. As mentioned at the beginning of the report, August Stealer is expected to be dropped as ljoyoxu.pkzip, but there are no guarantees that this is its only malicious component, so the Trojan should be removed automatically, i.e. with a powerful malware remover that erases the other malicious items at the same time.
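The infection chain described above (a Word document whose macro launches PowerShell, which then writes ljoyoxu.pkzip into the Music folder) gives a defender two concrete things to look for in endpoint telemetry. The following script is an added example, not code from the page or from Proofpoint; it runs two such checks over constructed Sysmon-style events (process creation and file creation) whose field names and paths are assumptions, and it is meant as a starting point for a detection rule rather than a replacement for a malware remover.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (not real telemetry). Keys mirror Sysmon
# EventID 1 (process create) and EventID 11 (file create) fields.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\Music\ljoyoxu.pkzip"},
    {"EventID": 11, "Image": r"C:\Program Files\VLC\vlc.exe",
     "TargetFilename": r"C:\Users\alice\Music\song.mp3"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe"}


def basename(path):
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return PureWindowsPath(path).name.lower()


def check_process(ev):
    """Flag a script host whose parent is an Office application (macro execution)."""
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return f"office->script: {parent} spawned {child}"
    return None


def check_file(ev):
    """Flag the reported drop: a .pkzip file written under a user's Music folder."""
    target = PureWindowsPath(ev["TargetFilename"])
    parts = [p.lower() for p in target.parts]
    if "music" in parts and target.suffix.lower() == ".pkzip":
        return f"drop: {target.name} written to Music by {basename(ev['Image'])}"
    return None


def scan(events):
    """Return one finding string per suspicious event, in input order."""
    checks = {1: check_process, 11: check_file}
    findings = []
    for ev in events:
        check = checks.get(ev["EventID"])
        msg = check(ev) if check else None
        if msg:
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Real telemetry will need the same checks applied to the field names of whatever EDR or log source is in use; the two behaviours they encode (Office spawning a script host, and a .pkzip landing in Music) are the durable part.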