BI.ZONE: cybercriminals steal corporate passwords using open‑source software
Notably, the malware's source code is publicly available to anyone on GitHub, an internet hosting service for software development.
To deliver Umbral Stealer to corporate networks, the intruders chose a simple but effective method: phishing emails. They attached ISO files (disc images) containing malicious shortcuts, which the attackers disguised as documents named “Raider Plan.” Opening such a shortcut compromised the device.
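The delivery chain above (a mailed ISO image that carries a Windows shortcut) can be screened at the mail gateway without mounting the image. The following is an added example written for this page, not code from BI.ZONE or from the Umbral Stealer project: it recognises an ISO 9660 attachment by its volume-descriptor signature, carves shell-link (.lnk) headers out of the raw image bytes by their fixed header size and CLSID, and reports the header fields that matter for triage (whether the shortcut passes command-line arguments, sets a custom icon, or launches its target minimised). The sample image, the field layout constants and the `build_sample_iso` helper are constructed for the demonstration; the header layout follows the published MS-SHLLINK format.

```python
import struct

# ISO 9660: the primary volume descriptor occupies sector 16 (2048-byte sectors);
# byte 0 is the descriptor type (1) and bytes 1..5 are the standard identifier.
ISO_PVD_OFFSET = 0x8000
ISO_MAGIC = b"CD001"

# Shell link (.lnk) header: HeaderSize 0x4C followed by the fixed LinkCLSID
# 00021401-0000-0000-C000-000000000046, stored in GUID byte order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LNK_SIGNATURE = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID

# LinkFlags bits and ShowCommand values from MS-SHLLINK.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_ARGUMENTS = 0x20          # shortcut passes arguments to its target
HAS_ICON_LOCATION = 0x40      # shortcut carries a custom icon (e.g. a document icon)
SW_SHOWNORMAL = 1
SW_SHOWMINNOACTIVE = 7        # target window opens minimised, without focus


def is_iso9660(blob: bytes) -> bool:
    """True when the attachment looks like an ISO 9660 image."""
    return blob[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] == ISO_MAGIC


def parse_lnk_header(data: bytes) -> dict:
    """Decode the fixed 76-byte shell-link header; raise if the signature is absent."""
    if len(data) < LNK_HEADER_SIZE or data[:20] != LNK_SIGNATURE:
        raise ValueError("not a shell link header")
    link_flags, file_attrs = struct.unpack_from("<II", data, 20)
    file_size, icon_index, show_command = struct.unpack_from("<IiI", data, 52)
    return {
        "link_flags": link_flags,
        "file_attributes": file_attrs,
        "has_arguments": bool(link_flags & HAS_ARGUMENTS),
        "has_icon_location": bool(link_flags & HAS_ICON_LOCATION),
        "show_command": show_command,
        "target_size": file_size,
    }


def carve_shell_links(blob: bytes) -> list:
    """Find every shell-link header embedded anywhere in the image bytes."""
    findings = []
    pos = blob.find(LNK_SIGNATURE)
    while pos != -1:
        try:
            header = parse_lnk_header(blob[pos:pos + LNK_HEADER_SIZE])
            findings.append({"offset": pos, **header})
        except ValueError:
            pass  # truncated match near the end of the blob
        pos = blob.find(LNK_SIGNATURE, pos + 1)
    return findings


def assess_attachment(blob: bytes) -> dict:
    """Gateway verdict: any shortcut inside a mailed ISO is grounds to quarantine."""
    verdict = {"is_iso": is_iso9660(blob), "shell_links": [], "suspicious": False, "reasons": []}
    if not verdict["is_iso"]:
        return verdict
    verdict["shell_links"] = carve_shell_links(blob)
    for link in verdict["shell_links"]:
        if link["has_arguments"]:
            verdict["reasons"].append("shortcut passes command-line arguments to its target")
        if link["has_icon_location"]:
            verdict["reasons"].append("shortcut sets a custom icon")
        if link["show_command"] == SW_SHOWMINNOACTIVE:
            verdict["reasons"].append("shortcut launches its target minimised")
    verdict["suspicious"] = bool(verdict["shell_links"])
    return verdict


def build_sample_iso(link_flags: int, show_command: int) -> bytes:
    """Constructed test fixture: a minimal ISO-like image with one shortcut header in a data sector."""
    header = bytearray(LNK_HEADER_SIZE)
    header[0:20] = LNK_SIGNATURE
    struct.pack_into("<II", header, 20, link_flags, 0x20)          # FILE_ATTRIBUTE_ARCHIVE
    struct.pack_into("<IiI", header, 52, 0, 0, show_command)
    image = bytearray(ISO_PVD_OFFSET + 4 * 2048)                   # system area plus four data sectors
    image[ISO_PVD_OFFSET] = 1
    image[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] = ISO_MAGIC
    image[0x9000:0x9000 + LNK_HEADER_SIZE] = header
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_iso(HAS_LINK_TARGET_ID_LIST | HAS_ARGUMENTS | HAS_ICON_LOCATION, SW_SHOWMINNOACTIVE)
    print(assess_attachment(sample))
```

Carving by signature rather than walking the ISO directory tree is deliberate: it is cheap, needs no filesystem driver, and still catches a shortcut regardless of the file name it was given (the page's “Raider Plan” lure relies on the name, not on the format). A production filter would add the string sections (relative path, arguments) to the report, but a shortcut of any kind inside a mailed disc image already justifies quarantine.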
Umbral Stealer allows threat actors to evade defenses, escalate privileges, collect information about compromised systems, and extract authentication data from apps such as Brave, Chrome, Chromium, Comodo, Edge, Epic Privacy, Iridium, Opera, Opera GX, Slimjet, UR Browser, Vivaldi, Yandex Browser, Roblox, Minecraft, and Discord. Many of these applications may store login data not only for personal accounts but also for corporate ones. The stolen credentials may therefore give threat actors initial access to their target organizations or, for example, let them use email access for internal spear phishing or further business email compromise.
Instead of a traditional command-and-control channel, the stealer communicates with its operators through the Discord messenger.
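Because the stealer talks to its operators through Discord rather than a dedicated command-and-control server, the exfiltration traffic blends in with legitimate use of the messenger, and the useful detection signal is which process on a host is talking to Discord's API. The script below is an added example for this page, not code from BI.ZONE or the Umbral Stealer project; it assumes, as a labelled assumption, that the stealer posts to Discord webhook endpoints, and it runs over constructed proxy log lines (host, process, method, URL) that are not real telemetry. It flags webhook posts made by any process other than the allowlisted Discord client and records only the webhook id, never the token, in the alert.

```python
import re
from collections import Counter

# Constructed proxy log lines for the demonstration (timestamp host process method url).
# Webhook ids and tokens are placeholders, not real values.
SAMPLE_LOGS = """\
2024-05-01T09:12:01Z WS-ACC-07 Discord.exe GET https://discord.com/api/v9/users/@me
2024-05-01T09:12:44Z WS-ACC-07 update.exe POST https://discord.com/api/webhooks/000000000000000001/PLACEHOLDER_TOKEN
2024-05-01T09:13:02Z WS-ACC-07 chrome.exe GET https://www.example.org/
2024-05-01T09:15:10Z WS-HR-03 powershell.exe POST https://discordapp.com/api/webhooks/000000000000000002/PLACEHOLDER_TOKEN
2024-05-01T09:16:30Z WS-HR-03 Discord.exe POST https://discord.com/api/v9/channels/000/messages
2024-05-01T09:17:00Z WS-HR-03 malformed line without enough fields
"""

# Discord webhook URL shape (assumed exfiltration channel): the id is kept for correlation,
# the token is matched but deliberately not captured.
WEBHOOK_RE = re.compile(
    r"^https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(?P<webhook_id>\d+)/\S+$"
)

# Processes allowed to reach Discord at all (assumption: only the official client is sanctioned).
ALLOWED_PROCESSES = {"discord.exe"}


def parse_line(line: str):
    """Split one log line into its five fields; return None for malformed input."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, host, process, method, url = parts
    return {"ts": ts, "host": host, "process": process, "method": method.upper(), "url": url}


def detect_webhook_exfil(log_text: str) -> list:
    """Return an alert for every webhook request made by a non-allowlisted process."""
    alerts = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        match = WEBHOOK_RE.match(event["url"])
        if match is None:
            continue
        if event["process"].lower() in ALLOWED_PROCESSES:
            continue
        alerts.append({
            "ts": event["ts"],
            "host": event["host"],
            "process": event["process"],
            "method": event["method"],
            "webhook_id": match.group("webhook_id"),   # token intentionally omitted
            "rule": "discord-webhook-from-unexpected-process",
        })
    return alerts


def hosts_by_alert_count(alerts: list) -> Counter:
    """Aggregate alerts per host so an analyst sees which endpoints need triage first."""
    return Counter(alert["host"] for alert in alerts)


if __name__ == "__main__":
    found = detect_webhook_exfil(SAMPLE_LOGS)
    for alert in found:
        print(alert)
    print(hosts_by_alert_count(found))
```

The allowlist is the weak point of this rule: if the organisation does not use Discord at all, drop it and alert on every request to the webhook path, and pair the proxy rule with endpoint telemetry (process creation from a shortcut launched off a mounted ISO) so the delivery step and the exfiltration step corroborate each other.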
To reduce the risk of such attacks, it is necessary to improve email security: email is the preferred distribution vector for operators of malware such as Umbral Stealer. It is important for a company to be able to stop a cyberattack at any stage of its development. We therefore recommend delegating the detection, response, and prevention of cyber threats to security event monitoring experts.