Now a malware might be stealing saved credentials from Chrome, Firefox Browsers. Recently, researchers have discovered a malware called Vega Stealer that might have been designed to harvest financial data from the saved credentials of Google Chrome and Mozilla Firefox browsers. This malware is again another variant of August Stealer crypto-malware that steals credentials, sensitive documents, cryptocurrency wallets, and other details stored in the two browsers. As of now, the Vega Stealer is only used for small phishing campaigns, but researchers have believed that the malware can potentially result in major organizational level attacks.

According to the researchers from Proofpoint, a campaign was found to be targeting Marketing/ Advertising/ Public Relations, and Retail/ Manufacturing industries with a new malware. With this, the researchers have observed and blocked a low-volume email campaign with subjects such as ‘Online store developer required’. This email also contains an attachment called ‘brief.doc’, which contains malicious macros that download the Vega Stealer payload. They have also added that while some emails were sent to individuals, others were sent to distribution lists including ‘info@’, ‘clientservice@’, and ‘publicaffairs@’ at the targeted domains. It is an approach that has the effect of amplifying the number of potential victims.


To know more, the Vega Stealer ransomware allegedly takes special aim at those in the marketing, advertising, public relations, and retail/ manufacturing industries. Here, once the document is downloaded and opened, a two-step download process is initiated. Here, the report also added that “The first request executed by the document retrieves an obfuscated JScript/PowerShell script. The execution of the resulting PowerShell script creates the second request, which in turn downloads the executable payload of Vega Stealer. The payload is saved to the victim machine in the user’s “Music” directory with a filename of ‘ljoyoxu.pkzip’. Once this file is downloaded and saved, it is executed automatically via the command line.”

Vega Stealer is written in .NET and aims to steal saved credentials such as passwords, saved credit cards, profiles, and cookies, and payment information in Google Chrome. Also, in the Firefox browser, the malware harvests specific files – ‘key3.db,’ ‘key4.db,’ ‘logins.json,’ and ‘cookies.sqlite’ – which store different passwords and keys.

The researchers have also claimed that the document macro and URLs involved in the campaign suggest that the same threat actor would be responsible for campaigns spreading financial malware. They could not attribute Vega Stealer to any specific group, however, was able to associate this malware with other types now being used. They have also added that the malicious macro is available for sale and threat actors are using it by pushing the Emotet banking trojan. Meanwhile, the URL patterns from which the macro retrieves the payload are the same as those used by an actor who distributes the Ursnif banking trojan, which often downloads secondary payloads such as Nymaim, Gootkit, or IcedID.


While Vega Stealer is also not the most complex malware in circulation today, it does demonstrate the flexibility of malware, authors, and actors to achieve criminal objectives.

To conclude, and in order to be safe, Ankush Johar, Director at Infosec Ventures, regarded in his press statement that, “Organisations should take cyber awareness seriously and make sure that they train their consumers and employees with what malicious hackers can do and how to stay safe from these attacks. One compromised system is sufficient to jeopardize the security of the entire network connected with that system.”