A new phishing scam is doing the rounds, tricking hotel owners into installing malware called MrAnon Stealer.
Researchers at FortiGuard Labs have spotted an email phishing scam spreading malware via fake hotel reservation emails.
The email pretends to be on behalf of a booking company and is headed “December Room Availability Query”, addressed to a hotel. The email contains fake customer booking details and a document called Booking.pdf, which, when opened, triggers a PowerShell script to kick off the infection process.
A fake Adobe error message is displayed during infection to mask what is happening. “Clean” DLLs are downloaded alongside a file simply named python.exe, which disguises the eventual loading of the malware itself – MrAnon Stealer.
Once executed, the final malware payload looks for and terminates several processes related to cryptocurrency wallets, VPNs, and messaging services, as well as the video game service Steam. It then links to legitimate websites to determine the host machine’s IP address and country before gathering data from crypto wallets and any browsers running on the machine.
MrAnon Stealer can also track data from messaging apps such as Discord and Telegram, as well as VPN clients and a long list of browser-based wallets. Steam is also a target, and it can scan the desktop, documents, downloads, and pictures folders for specific file extensions, such as .csv, .sql, and .xlsx.
The gathered data is then compressed, password-protected, and finally uploaded to a file-sharing website. Those details are then posted to the attacker’s Telegram channel via a bot token.
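The execution chain described above (PDF attachment opened, PowerShell launched, a dropped interpreter named python.exe run from a user-writable folder) is the part of this campaign a defender can most easily catch in process-creation telemetry. The following is an added example, not code from the article or from Fortinet's write-up: a small detection heuristic in Python that runs over constructed Sysmon/EDR-style events. The process names, paths, file names and the rule names are assumptions chosen for illustration, not indicators from the campaign.

```python
"""Added example (not from the Fortinet write-up or this article): a small
detection heuristic for the execution chain the article describes, in which
opening a PDF attachment leads to a PowerShell script, which then runs a
dropped interpreter named python.exe from a user-writable location.
The sample events below are constructed for illustration, not real telemetry."""
import re
from dataclasses import dataclass

# Process names are illustrative; extend with the PDF readers deployed in
# your estate.
PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Directories an ordinary user can write to; a python.exe here is unusual
# unless the user installed Python per-user, so treat it as a lead, not proof.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads)|windows\\temp|programdata)\\",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    """A generic process-creation record (Sysmon/EDR-style fields)."""
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str
    user: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Return the process chain from the oldest known ancestor down to pid,
    as lowercase image basenames (useful for triage of a finding)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def detect(events):
    """Apply three heuristics to a batch of events and return findings."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        rules = []
        # 1. A PDF reader should not be starting PowerShell.
        if pname in PDF_READERS and name in POWERSHELL:
            rules.append("pdf_reader_spawned_powershell")
        # 2. PowerShell starting a Python interpreter is rare on a front-desk PC.
        if pname in POWERSHELL and name == "python.exe":
            rules.append("powershell_spawned_python")
        # 3. python.exe living in a user-writable directory.
        if name == "python.exe" and USER_WRITABLE.search(e.image):
            rules.append("python_from_user_writable_path")
        for rule in rules:
            findings.append({"rule": rule, "pid": e.pid, "user": e.user,
                             "chain": ancestry(events, e.pid)})
    return findings


# Constructed sample telemetry: a benign baseline plus the suspicious chain.
# Paths and file names are placeholders, not indicators from the campaign.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, r"C:\Windows\explorer.exe", "explorer.exe", "front-desk"),
    ProcEvent(100, 1, r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
              "AcroRd32.exe Booking.pdf", "front-desk"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -File stage.ps1", "front-desk"),
    ProcEvent(300, 200, r"C:\Users\front-desk\AppData\Local\Temp\python.exe",
              "python.exe loader.py", "front-desk"),
    # Benign: a real Python install launched from the shell.
    ProcEvent(400, 1, r"C:\Program Files\Python311\python.exe",
              "python.exe report.py", "front-desk"),
    # Benign: an admin script started from Explorer, not from a PDF reader.
    ProcEvent(500, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File backup.ps1", "front-desk"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], "pid", f["pid"], "->", " > ".join(f["chain"]))
```

Run against the constructed events, the benign Python install and the Explorer-launched PowerShell produce nothing, while the three-step chain produces one finding per heuristic, each carrying the full parent chain so an analyst can see that python.exe descends from the PDF reader. The third rule is deliberately loose (per-user Python installs also live under AppData), which is why it is reported alongside the parent-child rules rather than acted on alone.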
A separate website for the malware offers a range of purchasing options for using the tool, starting at US$500 a month.
The campaign itself appears to have evolved over time, moving through several malware options. Currently, the campaign is mainly targeting victims in Germany, but other countries have been targeted.
“The campaign initially disseminated Cstealer in July and August but transitioned to distributing MrAnon Stealer in October and November,” Fortinet’s researchers said in a blog post.
“This pattern suggests a strategic approach involving the continued use of phishing emails to propagate a variety of Python-based stealers.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.