HTTPS, SSL No Match for PASSTEAL Malware

Since information is the new currency, cybercriminals are constantly formulating schemes to steal precious data from users. PASSTEAL, their latest attempt at information stealing, incorporates a password recovery tool that effectively gathers login credentials, even for websites that use a secured connection.

We have noted several info-stealing malware in the past, including TSPY_PIXSTEAL.A, which collects image files and sends them to remote FTP servers. PASSTEAL exhibits certain behavior similar to PIXSTEAL, but this malware steals information quite differently.

TSPY_PASSTEAL.A Gathers Info Stored in Browsers

Detected as TSPY_PASSTEAL.A, this infostealer sniffs out accounts from different online services and applications to steal login credentials and stores them in a .TXT file named {Computer name}.txt.

Unlike most info-stealing malware, which logs keystrokes to gather data, PASSTEAL uses a password recovery app to extract passwords stored in the browser. The particular sample we analyzed contains compressed data, which is the app “PasswordFox” designed for Firefox.

Once PASSTEAL extracts the data, it executes the command-line switch “/sxml” to save the stolen credentials in an .XML file, from which the malware also creates a .TXT file. PASSTEAL then connects to a remote FTP server to store the collected information.

In effect, the password recovery tool enables PASSTEAL to acquire all login credentials stored in the browser, even those for websites using secured connections (SSL or HTTPS). Sites that use such connections include Facebook, Twitter, Pinterest, Tumblr, Google, Yahoo, Microsoft, Amazon, eBay, Dropbox and online banking sites.

PASSTEAL also doesn’t restrict itself to browser applications. Certain variants are designed to log information from applications such as Steam and JDownloader.
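As an added illustration (not code from the original post or from Trend Micro), the following Python script shows how a defender could spot the chain described above in endpoint telemetry: a process launched with the “/sxml” switch, a text file named after the computer created shortly afterwards, and an outbound FTP connection in the same window. The log format, hostnames, file paths and IP addresses are all constructed for the example; the ten-minute correlation window is an assumed value.

```python
"""Heuristic for the PASSTEAL-style credential-dumping chain described above.

Added example, not Trend Micro's code. It walks constructed endpoint log
lines and, per host, looks for: (1) a process started with the "/sxml"
switch, then within a short window (2) creation of "<computer name>.txt"
and (3) an outbound connection to TCP port 21 (FTP). Hosts showing the
first indicator are reported with every indicator that followed it.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample telemetry (hostnames, paths and IPs are made up).
# Format: timestamp | host | event | detail
SAMPLE_LOG = """\
2012-11-06T10:00:01 | WS-LAB07 | ProcessCreate | C:\\Users\\alice\\AppData\\Local\\Temp\\pf.exe /sxml C:\\Users\\alice\\AppData\\Local\\Temp\\out.xml
2012-11-06T10:00:03 | WS-LAB07 | FileCreate | C:\\Users\\alice\\AppData\\Local\\Temp\\WS-LAB07.txt
2012-11-06T10:00:05 | WS-LAB07 | NetConnect | dst=198.51.100.23 port=21 proto=tcp
2012-11-06T10:30:00 | WS-LAB08 | ProcessCreate | C:\\Program Files\\Mozilla Firefox\\firefox.exe
2012-11-06T10:31:00 | WS-LAB08 | NetConnect | dst=203.0.113.9 port=443 proto=tcp
2012-11-06T11:00:00 | WS-LAB09 | ProcessCreate | C:\\Tools\\pf.exe /sxml C:\\Tools\\out.xml
2012-11-06T13:00:00 | WS-LAB09 | NetConnect | dst=198.51.100.23 port=21 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \| (?P<host>[^|]+?) \| (?P<event>\w+) \| (?P<detail>.*)$")
SXML_RE = re.compile(r"(?:^|\s)/sxml(?:\s|$)", re.IGNORECASE)
FTP_RE = re.compile(r"\bport=21\b")
WINDOW = timedelta(minutes=10)   # assumed: follow-on events must land this soon after the dump


@dataclass
class HostState:
    dump_at: Optional[datetime] = None
    indicators: Set[str] = field(default_factory=set)


def parse_line(line: str):
    """Split one log line into (timestamp, host, event, detail); None if malformed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["host"].strip(), m["event"], m["detail"]


def analyze(log_text: str) -> Dict[str, List[str]]:
    """Return {host: sorted indicators} for every host that ran a /sxml dump."""
    hosts: Dict[str, HostState] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, event, detail = rec
        st = hosts.setdefault(host, HostState())
        if event == "ProcessCreate" and SXML_RE.search(detail):
            st.dump_at = ts
            st.indicators.add("sxml_dump")
        elif st.dump_at is not None and ts - st.dump_at <= WINDOW:
            # The dropped text file is named after the computer, as described above.
            if event == "FileCreate" and detail.lower().endswith(f"\\{host.lower()}.txt"):
                st.indicators.add("hostname_txt")
            elif event == "NetConnect" and FTP_RE.search(detail):
                st.indicators.add("ftp_upload")
    return {h: sorted(s.indicators) for h, s in hosts.items() if "sxml_dump" in s.indicators}


def high_confidence(findings: Dict[str, List[str]]) -> List[str]:
    """Hosts where the dump was followed by at least one exfiltration-side indicator."""
    return sorted(h for h, inds in findings.items() if len(inds) >= 2)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for host, inds in found.items():
        print(f"{host}: {', '.join(inds)}")
    print("high confidence:", high_confidence(found))
```

In the constructed sample, WS-LAB07 shows all three indicators, WS-LAB08 (a normal Firefox session over HTTPS) is not reported at all, and WS-LAB09 ran a dump but its FTP connection falls outside the window, so it is reported with the single indicator only and is left out of the high-confidence list.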

During our research, we found that the malware has already infected more than 400 systems. Because of the similarity in their data extraction routines (FTP upload), PASSTEAL and PIXSTEAL were possibly created by the same cybercriminals.

Once login credentials are stolen, cybercriminals may incorporate them into their illegal schemes, such as identity fraud. To gain profit, they can also sell the stolen email addresses to spammers or other cybercriminal groups.

Once they gain access to victims’ online banking accounts, these crooks may also conduct illegal fund transfers and transactions, leaving users with actual monetary loss.

Secure Your Passwords

Clear your cache. Change passwords regularly. These are security tips we often hear but rarely take to heart. But with PASSTEAL’s capability to extract data from browsers, users may need to observe these best practices routinely to reduce the risk of data theft. Instead of storing passwords in browsers, another option is for users to utilize password management tools like Trend Micro DirectPass to effectively handle and store their multiple passwords.

To know more about how to protect numerous passwords from cybercrime, you may read our Digital Life e-Guide How to Secure Your Multiple Online Accounts.

Online services like Google, Dropbox, and Facebook offer two-factor authentication (TFA), which provides an additional layer of security. This method generates a code that users need in order to access their accounts, in addition to their username and password. This code is sent to the user’s mobile phone as an SMS or voice message. With this measure in place, we can make it harder for online criminals to access our online accounts.
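The following Python sketch is an added illustration of the second-factor flow just described; it is not code from Google, Dropbox, Facebook or Trend Micro. It models what the post says the services do: after the password check succeeds, a short-lived random code is generated, handed to an out-of-band delivery channel (the SMS or voice step is a stub callback here), and accepted only once, within its lifetime, for a bounded number of guesses. The lifetime, guess budget and code length are assumed values; the point is that a password lifted from a browser store is not enough on its own.

```python
"""Second-factor code check, added as an illustration of the flow described
above (not code from Google, Dropbox, Facebook or Trend Micro). After the
password succeeds, the service issues a short-lived random code, delivers it
out of band (the SMS/voice step is a stub callback here) and accepts it only
once, within its lifetime, for a bounded number of guesses.
"""
import hmac
import secrets
import time
from typing import Callable, Dict, List

CODE_LIFETIME_S = 300   # assumed lifetime; real services choose their own
MAX_ATTEMPTS = 5        # assumed guess budget per issued code
CODE_DIGITS = 6         # assumed code length


class SecondFactor:
    def __init__(self, send: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self._send = send        # out-of-band delivery (SMS or voice call in the post)
        self._clock = clock      # injectable so the expiry logic can be exercised offline
        self._pending: Dict[str, List] = {}   # user -> [code, issued_at, attempts]

    def issue(self, user: str) -> None:
        """Generate a fresh code for this user and hand it to the delivery channel."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [code, self._clock(), 0]
        self._send(user, code)

    def verify(self, user: str, submitted: str) -> bool:
        """True only for the exact pending code: unexpired, unused, within the guess budget."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, issued_at, attempts = entry
        if self._clock() - issued_at > CODE_LIFETIME_S or attempts >= MAX_ATTEMPTS:
            del self._pending[user]          # expired or exhausted: force a re-issue
            return False
        entry[2] += 1
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[user]          # single use
            return True
        return False


def login(password_ok: bool, factor: SecondFactor, user: str, submitted_code: str) -> bool:
    """Both factors must pass; a correct password alone never grants access."""
    return password_ok and factor.verify(user, submitted_code)


if __name__ == "__main__":
    delivered = {}
    sf = SecondFactor(send=lambda u, c: delivered.__setitem__(u, c))
    sf.issue("alice")
    print("password only:", login(True, sf, "alice", "000000"))
    print("password + code:", login(True, sf, "alice", delivered["alice"]))
    print("replayed code:", login(True, sf, "alice", delivered["alice"]))
```

The clock is injected rather than read directly so that the expiry path can be tested without waiting; in a real deployment the pending codes would live in server-side storage rather than a dictionary.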

Trend Micro Smart Protection Network detects and deletes TSPY_PASSTEAL.A and blocks access to the aforementioned FTP server.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 6 November 2012; the full text is available from the content source above.