Vector Stealer Snatches RDP Files
Category: Threat Actor Activity | Industry: Global | Level: Tactical | Source: Cyble
Information-stealing malware is typically deployed to harvest user credentials along with sensitive personal and financial data. A new info-stealer, 'Vector Stealer', has been circulating on cybercrime forums since the second half of 2022 and adds the capability to steal .rdp files, giving threat actors what they need to hijack RDP sessions. A report from Cyble Research and Intelligence Labs (CRIL) found the threat actors operating the malware using both a web panel and a Telegram channel. The web panel claims the info-stealer can retrieve "sensitive information from all major browsers, including Firefox, Chrome, and Safari. It can also steal Discord tokens and sensitive files and gather basic information about the infected computer." The web panel also supplies the threat actor with all the components needed to build the malware "without having advanced programming skills." A second tool, 'KGB crypter', is advertised on the same panel as capable of disabling antivirus solutions, with a claimed 99.8% success rate at bypassing Windows Defender.
An observed Vector Stealer infection chain started with a phishing email carrying a document with malicious macros. When the macro is enabled and triggered, a PowerShell script downloads and executes a payload from a remote server. The stealer establishes persistence with a scheduled task and "spawns a new process that loads the next level payload using KoiVM. KoiVM is a virtualizing protector for .NET applications and is made to work with ConfuserEx. The KoiVM is designed to change the .NET opcodes into new ones only a virtualizing agent can understand." The KoiVM-protected stage loads Vector Stealer itself, which then targets data from installed applications, queries the registry for sensitive information, and collects files with the .rdp extension. An .rdp file holds the saved connection settings for a Remote Desktop session, normally the target host and username, and may also carry a DPAPI-protected password if the user chose to save one in the file; even without the password it tells the attacker where the victim connects and as whom. The collected data is staged in a folder under the TEMP directory, zipped, and exfiltrated via SMTP, a Discord webhook, or the Telegram API. Vector Stealer sells for $63 USD in Bitcoin, a low price for a tool that can be used to steal and monetize data.
- Malicious File Delivering Malware
Anvilogic Use Cases:
- Create/Modify Schtasks
- Network Connection with Suspicious Folder
- RDP Hijacking
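As an added illustration (not Cyble's or Anvilogic's code), the three use cases above written as simple rules and run over a handful of constructed Sysmon-style events (EventID 1 process creation, 3 network connection, 11 file creation) that mirror the chain described in the write-up: schtasks persistence launched from the macro/PowerShell chain, a .rdp file copied into a staging folder under TEMP, and the zipped loot posted to api.telegram.org from a binary in TEMP. The folder list, endpoint list, parent-process list and severity scoring are assumptions to tune per environment; the sample events are hand-written, not real telemetry.

```python
import re

# Folders legitimate software rarely runs from or stages data in (assumption; tune per environment).
SUSPICIOUS_DIRS = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Users\\Public)\\", re.I)
# Exfil endpoints named in the write-up: Discord webhooks and the Telegram Bot API (assumed hostnames).
EXFIL_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}
SMTP_PORTS = {25, 465, 587}
# A scheduled task created by an Office app or script host matches the macro -> PowerShell chain.
MACRO_CHAIN_PARENTS = {"winword.exe", "excel.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Processes expected to write .rdp files on a workstation.
RDP_WRITERS_OK = {"mstsc.exe", "explorer.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_schtasks_create(ev: dict):
    """Sysmon EventID 1: schtasks.exe /create or /change, scored by who launched it."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "schtasks.exe":
        return None
    cmd = ev.get("CommandLine", "").lower()
    if "/create" not in cmd and "/change" not in cmd:
        return None
    parent = ev.get("ParentImage", "")
    sev = "high" if _basename(parent) in MACRO_CHAIN_PARENTS or SUSPICIOUS_DIRS.search(parent) else "low"
    return {"rule": "Create/Modify Schtasks", "severity": sev, "detail": ev["CommandLine"]}


def rule_net_from_suspicious_dir(ev: dict):
    """Sysmon EventID 3: outbound connection by a binary running out of TEMP or Public."""
    if ev.get("EventID") != 3 or not SUSPICIOUS_DIRS.search(ev.get("Image", "")):
        return None
    host = ev.get("DestinationHostname", "").lower()
    port = int(ev.get("DestinationPort", 0))
    # Known exfil endpoints (or SMTP) from a TEMP-resident binary get the top score.
    sev = "high" if host in EXFIL_HOSTS or port in SMTP_PORTS else "medium"
    return {"rule": "Network Connection with Suspicious Folder", "severity": sev,
            "detail": f"{ev['Image']} -> {host}:{port}"}


def rule_rdp_staging(ev: dict):
    """Sysmon EventID 11: a .rdp file written under TEMP/Public by something other than mstsc/explorer."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "")
    if not target.lower().endswith(".rdp"):
        return None
    if _basename(ev.get("Image", "")) in RDP_WRITERS_OK or not SUSPICIOUS_DIRS.search(target):
        return None
    return {"rule": "RDP Hijacking", "severity": "high", "detail": f"{ev['Image']} wrote {target}"}


RULES = (rule_schtasks_create, rule_net_from_suspicious_dir, rule_rdp_staging)


def run_rules(events):
    """Apply every rule to every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real logs) mirroring the described chain.
SAMPLE_EVENTS = [
    # macro -> powershell -> schtasks persistence pointing at a TEMP-resident binary
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "C:\Users\alice\AppData\Local\Temp\svc.exe"'},
    # an admin creating a task from an interactive shell: recorded, low severity
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "schtasks /create /sc daily /tn Backup /tr backup.cmd"},
    # the stealer copies a .rdp file into its staging folder under TEMP
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\stage\jumphost.rdp"},
    # the user saving a connection with mstsc: benign
    {"EventID": 11, "Image": r"C:\Windows\System32\mstsc.exe",
     "TargetFilename": r"C:\Users\alice\Documents\jumphost.rdp"},
    # zipped loot posted to the Telegram Bot API from the TEMP-resident binary
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    # browser traffic from Program Files: out of scope for this rule
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"[{a['severity']:>6}] {a['rule']}: {a['detail']}")
```

The schtasks rule deliberately does not suppress the admin case; it scores it low so the parent process decides priority rather than the command alone, which is what separates the macro-driven chain from routine administration. Sysmon does not log file reads by default, so the .rdp rule keys on the stealer writing copies into its staging folder; if your telemetry cannot see that, the network rule on the staging folder's binary is the remaining choke point.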