
MrAnon Stealer Propagates via Email with Fake Hotel Booking PDF

The deployment of a malicious PDF file sets off a chain of actions that culminates in the activation of the MrAnon Stealer malware.

FortiGuard Labs researchers have uncovered an email phishing scheme that uses fraudulent hotel reservations to lure unsuspecting victims. The campaign delivers a malicious PDF file, which sets off a chain of actions that culminates in the execution of the MrAnon Stealer malware.

The attackers, as initially reported by Hackread, pose as a hotel reservation company rather than relying on complicated technical means. They send phishing emails with the subject "December Room Availability Query," which contain fake holiday season booking details. The phishing attempt begins with a downloader link embedded in the malicious PDF file.

On further investigation, FortiGuard Labs found a multi-stage process involving .NET executable files, PowerShell scripts, and fake Windows Forms windows. The attackers move through these stages deliberately, using techniques such as fake error messages to mask the successful execution of the MrAnon Stealer malware.

MrAnon Stealer runs in the background, using cx-Freeze to package its code and evade detection measures. Its methodical approach includes capturing screenshots, retrieving the victim's IP address, and harvesting sensitive information from a range of applications.

According to FortiGuard Labs, MrAnon Stealer can steal information from bitcoin wallets, browsers, and messaging apps such as Discord, Discord Canary, Element, Signal, and Telegram Desktop. It also specifically targets VPN clients such as NordVPN, ProtonVPN, and OpenVPN Connect. The attackers use a Telegram channel for command and control: using a bot token, the stolen data is sent to the attacker's Telegram channel, along with system information and a download link.
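Because the stolen data leaves the host through the Telegram Bot API, one practical detection is to scan outbound proxy logs for Bot API upload calls, whose URL path always carries the bot token. The script below is an added example, not code from FortiGuard Labs or the original post; the log line format, host names and process names are assumed, and the log lines and tokens are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Telegram Bot API requests put the bot token in the URL path:
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>
# A stealer exfiltrating through a bot must use this shape, so the path alone
# is a usable indicator even when the request body is not visible.
BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)$"
)
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

# Constructed proxy log lines (not from the report).
# Assumed format: timestamp host process verb url
SAMPLE_LOG = """\
2023-11-14T09:12:03Z ws01 chrome.exe GET https://www.example.org/booking/confirm
2023-11-14T09:12:41Z ws01 Booking_Details.exe POST https://api.telegram.org/bot123456789:AAFakeTokenForTestingPurposesOnly00/sendDocument
2023-11-14T09:13:02Z ws02 python.exe GET https://api.telegram.org/bot987654321:AAAnotherFakeTokenForTestingOnly111/getMe
2023-11-14T09:14:20Z ws03 outlook.exe GET https://api.telegram.org/bot0/sendMessage
"""


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, host, process, verb, url = parts
    return {"ts": ts, "host": host, "process": process, "verb": verb, "url": url}


def find_telegram_exfil(log_text):
    """Return one finding per Bot API upload call, with the token secret redacted."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        u = urlsplit(rec["url"])
        if u.hostname != "api.telegram.org":
            continue
        m = BOT_PATH.match(u.path)
        if not m or m.group("method") not in UPLOAD_METHODS:
            continue  # getMe and malformed bot paths are not exfiltration calls
        findings.append({
            "host": rec["host"],
            "process": rec["process"],
            "method": m.group("method"),
            "bot_id": m.group("bot_id"),  # safe to record; the secret half is not
            "token": m.group("bot_id") + ":" + m.group("secret")[:4] + "...",
        })
    return findings


if __name__ == "__main__":
    for finding in find_telegram_exfil(SAMPLE_LOG):
        print(finding)
```

The redacted token prefix is enough to correlate events across hosts without copying a live credential into the alert store.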

As evidenced by the spike in requests for the downloader URL in November 2023, this malware campaign was aggressive and actively running, with Germany as its primary target. The attackers showed a calculated strategy, switching from Cstealer in July and August to the more capable MrAnon Stealer in October and November.

Users are strongly advised to exercise caution, especially when handling unexpected emails that carry suspicious attachments, as online threats are at an all-time high. Vigilance and common sense remain the keys to thwarting cybercriminal activity, because they guard against the exploitation of human error that such campaigns rely on.