The Uptycs Threat research team has revealed a new malware campaign, targeting Italy with phishing attacks in order to deploy information-stealing malware on victims’ compromised Windows systems.
According to Uptycs security researcher Karthickkumar Kathiresan, the malware campaign is designed to acquire sensitive information like system details, cryptocurrency wallet information, browser histories, cookies, and login credentials of crypto wallets.
Details of the Campaign
- The multiple-stage infection sequence begins with an invoice-themed phishing email that comprises a link that downloads a password-protected ZIP archive file containing two files: A shortcut (.LNK) file and a batch (.BAT) file.
- Irrespective of what file has been deployed, the attack chain remains the same, fetching a batch script that installs an information-stealing payload from a GitHub repository. This is achieved by utilizing a legitimate PowerShell binary that as well is retrieved from GitHub.
- After being installed, the C#-based malware gathers system metadata and information from a variety of web browsers and cryptocurrency wallets, and then it transfers that data to a domain that is under the authority of an actor.