MrAnon Stealer Malware Targets Users via Booking Scam

A newly identified phishing campaign has surfaced, deploying the MrAnon Stealer malware via innocent-looking booking-themed PDFs, notably targeting German users in a calculated cyber assault.

This Python-based information stealer is packaged with cx-Freeze to slip past detection measures. MrAnon Stealer’s arsenal includes pilfering victim credentials, system data, browser sessions, and cryptocurrency extensions. The campaign’s focus on Germany becomes evident through a surge in queries to the downloader URL housing the payload, with November 2023 marking the height of the assault.

Under the guise of a hotel reservation company, the phishing email contains a PDF. Once opened, the PDF prompts the download of a purported Adobe Flash update, initiating the infection. This leads to the execution of .NET executables and PowerShell scripts, enabling a malicious Python script to extract data to public file-sharing platforms and the threat actor’s Telegram channel.
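The infection chain above (PDF reader, dropped "Flash update" executable, PowerShell, Python stealer, exfiltration to Telegram or a file-sharing site) lends itself to a process-lineage detection. The following is an added example, not code from the article or from any vendor; the reader and exfiltration host names, and the sample telemetry, are assumptions constructed for illustration.

```python
"""Flag process lineages matching the described chain:
PDF reader -> dropped executable -> PowerShell -> Python, where the Python
process also reaches a Telegram or public file-sharing host."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image dest")  # dest: outbound host or None

# Assumed names for the example; the article names no specific binaries or hosts.
PDF_READERS = {"acrord32.exe", "foxitreader.exe"}
WATCH_HOSTS = {"api.telegram.org", "gofile.io"}  # assumed exfil destinations


def lineage(procs, pid):
    """Return the chain of lower-cased image names from pid up to the root."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # guard against cyclic ppid data
        seen.add(pid)
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return chain


def suspicious(procs):
    """Return pids of Python processes whose ancestry includes PowerShell
    beneath a PDF reader, or that connect to a watched exfiltration host."""
    hits = []
    for p in procs:
        if not p.image.lower().startswith("python"):
            continue
        chain = lineage(procs, p.pid)
        from_pdf = "powershell.exe" in chain and any(r in chain for r in PDF_READERS)
        exfil = p.dest is not None and p.dest.lower() in WATCH_HOSTS
        if from_pdf or exfil:
            hits.append(p.pid)
    return hits


# Constructed sample telemetry (not real indicators): a booking PDF leads to a
# fake Flash "update", which runs PowerShell and then the Python stealer.
SAMPLE = [
    Proc(100, 1, "explorer.exe", None),
    Proc(200, 100, "AcroRd32.exe", None),
    Proc(300, 200, "flash_update.exe", None),
    Proc(400, 300, "powershell.exe", None),
    Proc(500, 400, "python.exe", "api.telegram.org"),
    Proc(600, 100, "python.exe", "pypi.org"),  # benign developer use, not flagged
]

if __name__ == "__main__":
    print(suspicious(SAMPLE))  # [500]
```

In production the same logic would run over EDR process-creation and network events rather than the constructed list.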

Notably, MrAnon Stealer can extract data from various applications, instant messaging platforms, VPN clients, and specific file types listed in its target extensions. The authors market MrAnon Stealer for $500 monthly (or $750 for two months), accompanied by additional tools such as a crypter and a stealthy loader for $250 each per month.

The campaign’s strategy shifted from disseminating Cstealer in July and August to circulating MrAnon Stealer from October onwards. This suggests a deliberate, evolving tactic of using phishing emails to propagate diverse Python-based stealers.

Simultaneously, Mustang Panda, tied to China, has been identified behind a spear-phishing initiative aimed at the Taiwanese government and diplomats. The objective is deploying SmugX, a variant of the PlugX backdoor previously exposed by Check Point in July 2023. This disclosure underscores the multifaceted and evolving landscape of cyber threats faced by governments and entities worldwide.

To prevent this attack, users and organizations must employ robust email filters to flag suspicious attachments, especially those masquerading as common document types. Regularly update software to patch vulnerabilities exploited by malware. Train employees to recognize phishing emails and to refrain from downloading or opening attachments from unknown or unverified sources.