Security researchers from McAfee have come across a compromised Web server hosting the C&C servers for several password stealers that were used to target multiple companies as part of an industrial espionage campaign.
The mistake that allowed the researchers to put all the clues together was the crooks' lack of attention to detail: they forgot to delete the C&C server's ZIP installation package from one of the compromised Web servers used to host several C&C servers.
By looking at the files in this ZIP archive and the C&C server's source code, McAfee researchers quickly identified the server-side component of the ISR Stealer, a modified version of the Hackhound infostealer, an old piece of malware first spotted in 2009.
Crooks targeted companies that handled machinery parts
Researchers found that the crooks used the ISR Stealer malware builder to create a password stealer capable of stealing login credentials from applications such as Internet Explorer, Firefox, Google Chrome, Opera, Safari, Yahoo Messenger, MSN Messenger, Pidgin, FileZilla, Internet Download Manager, JDownloader, and Trillian.
The crooks were spreading this custom password stealer as RAR or Z archives attached to spear-phishing emails sent to various companies that deal in machinery parts.
These RAR and Z archives contained executables that loaded the password-stealing malware. If a victim downloaded the archive and executed the EXE file inside, the malware collected all available passwords and submitted the data to the C&C server as an HTTP request.
Campaign started back in January 2016
The ISR Stealer server-side component accepted the submitted data only if the request's User-Agent string was “HardCore Software For : Public”, a value specific to its client-side component; this fixed string also makes the User-Agent a straightforward network indicator for the client's traffic. Accepted data was then saved to a local INI file.
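Because the client sends a fixed User-Agent and the server rejects anything else, the string is a convenient hunting indicator in web-server or proxy logs of a suspected C&C host. The following is an added example (not code from McAfee's analysis or from the ISR Stealer panel itself) that parses Apache-style "combined" access log lines and flags requests carrying that User-Agent. The sample log lines, the IP addresses and the `/panel/gate.php` path are constructed for the example; the page does not name the stealer's submission path.

```python
import re
from typing import Dict, List, Optional

# User-Agent the ISR Stealer client sends and the server-side component
# requires before accepting submitted credentials (from the McAfee analysis).
ISR_STEALER_USER_AGENT = "HardCore Software For : Public"

# Apache/nginx "combined" access log format. The field names are assumptions
# made for this example; adjust the pattern to your own log layout.
_COMBINED_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample lines: one ordinary browser request, one exact ISR Stealer
# beacon, and one lookalike with different casing/spacing that an exact match
# should not flag but a loose hunt might.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [12/Mar/2016:10:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:44.0) Gecko/20100101 Firefox/44.0"',
    '198.51.100.23 - - [12/Mar/2016:10:15:47 +0000] "POST /panel/gate.php HTTP/1.1" 200 12 "-" '
    '"HardCore Software For : Public"',
    '198.51.100.77 - - [12/Mar/2016:10:16:03 +0000] "POST /panel/gate.php HTTP/1.1" 200 12 "-" '
    '"hardcore software for: public"',
]


def parse_combined_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format log line, or None if it
    does not match (truncated or foreign-format lines are skipped, not raised)."""
    m = _COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def _normalize_ua(ua: str) -> str:
    # Collapse whitespace and case so trivially altered copies still match.
    return re.sub(r"\s+", "", ua).lower()


def is_isr_stealer_beacon(entry: Dict[str, str], loose: bool = False) -> bool:
    """Exact match on the documented User-Agent; with loose=True, also match
    variants that differ only in whitespace or letter case."""
    ua = entry.get("user_agent", "")
    if ua == ISR_STEALER_USER_AGENT:
        return True
    return loose and _normalize_ua(ua) == _normalize_ua(ISR_STEALER_USER_AGENT)


def find_isr_stealer_beacons(lines: List[str], loose: bool = False) -> List[Dict[str, str]]:
    """Return the parsed entries of every request that carries the stealer's
    User-Agent, so each hit keeps its source IP, timestamp, method and path."""
    hits = []
    for line in lines:
        entry = parse_combined_line(line)
        if entry is not None and is_isr_stealer_beacon(entry, loose=loose):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_isr_stealer_beacons(SAMPLE_LOG_LINES, loose=True):
        print(f"{hit['time']} {hit['src_ip']} {hit['method']} {hit['path']}")
```

Run against a real access log one line at a time; every hit's source IP is a candidate victim and the request path is the panel's submission endpoint. The exact match is the reliable indicator, since the server itself enforces that string; the loose mode is only a hunting aid and will need review.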
Looking back at historical data, McAfee researchers discovered that the campaign had actually started in January 2016 and that the crooks had compromised several different websites to host their C&C servers.
On one of these compromised websites, researchers discovered more than ten C&C servers receiving data from different victims, showing that the criminals weren't targeting just one company but an entire class of firms operating in one specific sector.