Cybersecurity researchers have discovered a new targeted malspam operation that is distributing malware designed to steal passwords.
The campaign was found by Sophos X-Ops and detailed in an advisory released today.
According to the report, the attackers used social engineering techniques, sending emails with complaints about service issues or requests for information to gain the trust of their targets before sending malicious links.
This approach is similar to a previous campaign that was uncovered leading up to the US federal tax filing deadline in April 2023.
Researchers Andrew Brandt and Sean Gallagher from Sophos explained that the attackers used a wide range of social engineering tactics, including complaints about violent incidents or theft during a guest’s stay and requests for information on accommodating guests with specific needs.
Once the hotel responded to the initial inquiry, the threat actors sent follow-up messages containing supposed documentation or evidence, which contained a malware payload hidden in a password-protected archive file.
The attackers shared the files from public cloud storage services, such as Google Drive, using simple passwords like “123456” to enable victims to open the archives.
The malware payloads were built to evade detection: the files were padded to more than 600 MB, mostly with space-filler zeroes, a size that many scanners and sandboxes will not process.
Additionally, the malware was signed with code-validation certificates; some were newly obtained during the campaign, while others appear to be fake.
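The padding trick above is cheap to detect once a defender stops relying on scanners that skip oversized files. The following Python script is an added example for this article, not code from Sophos: it streams a file in chunks, counts 0x00 bytes and the longest contiguous null run, and flags files that are both oversized and overwhelmingly null. The size and ratio thresholds, the `build_padded_sample` helper and the demo data are assumptions constructed here for illustration, not figures from the advisory.

```python
"""Heuristic check for the zero-padded, oversized payloads described above.

Two signals are combined: total file size above what a scanner or sandbox
will typically process, and an unusually high share of 0x00 bytes (the
"space-filler zeroes"). Thresholds are assumptions chosen for this example,
not figures from the Sophos advisory.
"""
import io
import os
import re
import tempfile
from dataclasses import dataclass

DEFAULT_CHUNK = 1 << 20                   # 1 MiB reads keep memory flat on 600 MB files
SIZE_THRESHOLD = 100 * 1024 * 1024        # assumed: many scanners skip files above ~100 MB
NULL_RATIO_THRESHOLD = 0.90               # assumed: >90 % nulls is not a normal executable
_NULL_RUN = re.compile(rb"\x00+")


@dataclass
class PaddingReport:
    size: int
    null_bytes: int
    longest_null_run: int

    @property
    def null_ratio(self) -> float:
        return self.null_bytes / self.size if self.size else 0.0

    def suspicious(self, size_threshold: int = SIZE_THRESHOLD,
                   null_ratio_threshold: float = NULL_RATIO_THRESHOLD) -> bool:
        """True when the file is both oversized and overwhelmingly null bytes."""
        return self.size > size_threshold and self.null_ratio > null_ratio_threshold


def analyse_stream(stream, chunk_size: int = DEFAULT_CHUNK) -> PaddingReport:
    """Count null bytes and the longest contiguous null run without loading the
    whole file; runs that straddle a chunk boundary are stitched together."""
    size = nulls = longest = current = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        size += len(chunk)
        nulls += chunk.count(0)
        for m in _NULL_RUN.finditer(chunk):
            run = m.end() - m.start()
            # A run at offset 0 continues whatever run ended the previous chunk.
            current = current + run if m.start() == 0 else run
            longest = max(longest, current)
        if not chunk.endswith(b"\x00"):
            current = 0                   # the last run did not reach the chunk end
    return PaddingReport(size, nulls, longest)


def analyse_bytes(data: bytes, chunk_size: int = DEFAULT_CHUNK) -> PaddingReport:
    return analyse_stream(io.BytesIO(data), chunk_size)


def analyse_file(path: str, chunk_size: int = DEFAULT_CHUNK) -> PaddingReport:
    with open(path, "rb") as fh:
        return analyse_stream(fh, chunk_size)


def build_padded_sample(payload: bytes, total_size: int) -> bytes:
    """Constructed test data: a small 'payload' followed by zero padding, the
    shape of the oversized files the advisory describes (not a real sample)."""
    if total_size < len(payload):
        raise ValueError("total_size smaller than payload")
    return payload + b"\x00" * (total_size - len(payload))


if __name__ == "__main__":
    # Demo on a constructed file: 1 KiB of varied bytes padded to 5 KiB.
    sample = build_padded_sample(bytes(range(256)) * 4, 5120)
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
    try:
        rep = analyse_file(tmp.name)
        print(f"size={rep.size} nulls={rep.null_bytes} "
              f"ratio={rep.null_ratio:.3f} longest_run={rep.longest_null_run}")
        # Thresholds lowered here only so the tiny demo file trips the rule.
        print("suspicious:", rep.suspicious(size_threshold=4096, null_ratio_threshold=0.75))
    finally:
        os.unlink(tmp.name)
```

The chunked reader matters in practice: a 600 MB sample should be triaged at the mail gateway or on the download share without reading it into memory, and the longest-run figure separates deliberate padding from executables that merely contain many scattered zero bytes.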
The malware, identified as Redline Stealer or Vidar Stealer variants, connected to a Telegram channel for command-and-control purposes. It exfiltrated data, including desktop screenshots and browser information, without establishing persistence on the host machine.
Sophos X-Ops said it has retrieved more than 50 unique samples from cloud storage linked to the campaign and has published indicators of compromise on its GitHub repository.
“We have also reported the malicious links to the various cloud storage providers hosting the malware,” reads the advisory. “Most of those samples displayed few-to-no detections in VirusTotal.”