Saturday, December 14, 2024
HomeCyber Security NewsMrAnon Stealer Attacking Windows Users Via Weaponized PDF Files

MrAnon Stealer Attacking Windows Users Via Weaponized PDF Files

Published on

SIEM as a Service

Phishing emails targeting Windows users were discovered, tricking users into opening a malicious PDF file called “MrAnon Stealer” that spreads malware by using fake booking details.

To obtain the final malware, the PowerShell script is executed by the PDF after it has downloaded a.NET executable file made with PowerGUI.

Credentials, system data, browser sessions, and cryptocurrency extensions were all stolen by Mr. Alan Stealer.

- Advertisement - SIEM as a Service

Attack Flow of MrAnon

According to FortiGuard Labs, this malware is a Python-based information stealer that has been compressed with cx-Freeze to avoid detection.

The majority of queries to the downloader URL came from Germany, indicating that the country was the attack’s main target.

November 2023 had a notable increase in the number of inquiries for this URL, suggesting a more vigorous and active marketing during that month.

Attack Flow
Attack Flow

Posing as a company seeking to book hotel rooms, the attacker sends phishing emails with the subject line “December Room Availability Query.” The body includes fake hotel reservation information for the upcoming holidays. 

Phishing Email
Phishing Email

Researchers say a downloader link for the malicious PDF file is concealed in the stream object.

The malicious PDF file
The malicious PDF file

Researchers discovered that the malware employed the PowerShell script editor, which converts PowerShell scripts into Microsoft executable files, by looking through the strings in the class “Loader.”

“The script initiates the loading of a Windows Form and configures its settings, including form, label, and progress bar. Additionally, it defines text within the execution of the subsequent script to mitigate user suspicions”, FortiGuard Labs shared in a report with Cyber Security News.

In this scenario, a window labeled “File Not Supported” appears along with a status message that reads, “Not Run: python.exe.” This misleading presentation aims to trick users into thinking that the malware hasn’t been effectively executed.

“The malware uses PowerGUI and cx-Freeze tools to create a complex process that involves .NET executable files and PowerShell scripts,” researchers said.

MrAnon Stealer’s support channel offers more features, advertises the product, and has a page where users can buy all related tools.

MrAnon Stealer's telegram channel
MrAnon Stealer’s telegram channel

Data and sensitive information are stolen from many applications, compressed, and uploaded to the threat actor’s Telegram channel and a public file-sharing website. As a result, users are cautioned to avoid opening suspicious PDF files and phishing emails.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...