MrAnon Stealer

A phishing campaign has been observed delivering an information stealer malware called MrAnon Stealer to unsuspecting victims via seemingly benign booking-themed PDF lures.

"This malware is a Python-based information stealer compressed with cx-Freeze to evade detection," Fortinet FortiGuard Labs researcher Cara Lin said. "MrAnon Stealer steals its victims' credentials, system information, browser sessions, and cryptocurrency extensions."

There is evidence to suggest that Germany is the primary target of the attack as of November 2023, owing to the number of times the downloader URL hosting the payload has been queried.

Masquerading as a company looking to book hotel rooms, the phishing email bears a PDF file that, upon opening, activates the infection by prompting the recipient to download an updated version of Adobe Flash.

Cybersecurity

Doing so results in the execution of .NET executables and PowerShell scripts to ultimately run a pernicious Python script, which is capable of gathering data from several applications and exfiltrating it to a public file-sharing website and the threat actor's Telegram channel.

It's also capable of capturing information from instant messaging apps, VPN clients, and files matching a desired list of extensions.

MrAnon Stealer

MrAnon Stealer is offered by the authors for $500 per month (or $750 for two months), alongside a crypter ($250 per month) and a stealthy loader ($250 per month).

"The campaign initially disseminated Cstealer in July and August but transitioned to distributing MrAnon Stealer in October and November," Lin said. "This pattern suggests a strategic approach involving the continued use of phishing emails to propagate a variety of Python-based stealers."

The disclosure comes as the China-linked Mustang Panda is behind a spear-phishing email campaign targeting the Taiwanese government and diplomats with an aim to deploy SmugX, a new variant of the PlugX backdoor that was previously uncovered by Check Point in July 2023.


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.