The email looks harmless and can lead the recipient to click on the file attached to the message. But therein lies the danger: the attachment is a malicious HTML file that executes JavaScript and starts the MassLogger infection process.
This latest variant of the malware can steal user credentials from a wide range of popular programs. Applications highlighted include Google Chrome, Chromium-based browsers such as Microsoft Edge, Outlook, Discord, and NordVPN.
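As an added example (not code from the article or from Cisco Talos), a defender-side check for this delivery stage: parse a message and flag HTML attachments that carry inline script. The sample message and the indicator patterns are constructed for illustration and are not taken from the campaign.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser

# File extensions treated as HTML attachments even when the MIME type is generic.
HTML_EXT = (".htm", ".html", ".xhtml", ".mhtml")

# Constructed indicator patterns for active content inside an HTML attachment:
# script tags, javascript: URIs and common inline event handlers.
ACTIVE_CONTENT = re.compile(
    r"<script\b|javascript:|\bon(?:load|error|click)\s*=", re.IGNORECASE
)


def build_sample_eml() -> str:
    """Build a constructed sample message (not a real malware sample) whose
    attachment is an HTML file containing inline JavaScript."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    html = ('<html><body><script>document.location = '
            '"http://example.test/x";</script></body></html>')
    msg.add_attachment(html, subtype="html", filename="invoice.html")
    return msg.as_string()


def find_scripted_html_attachments(raw_eml: str) -> list[dict]:
    """Return one finding per HTML attachment that contains active content."""
    msg = Parser(policy=policy.default).parsestr(raw_eml)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = (part.get_filename() or "").lower()
        is_html = (part.get_content_type() == "text/html"
                   or filename.endswith(HTML_EXT))
        # Only attached HTML matters here; an HTML body part is normal mail.
        if not (is_html and part.is_attachment()):
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64/qp
        text = payload.decode("utf-8", errors="replace")
        hits = sorted({m.group(0).lower() for m in ACTIVE_CONTENT.finditer(text)})
        if hits:
            findings.append({"filename": filename, "size": len(payload),
                             "indicators": hits})
    return findings
```

A mail gateway rule built on this would quarantine or detonate the flagged attachment rather than relying on the user noticing that an "invoice" is an HTML file.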
Cisco Talos explained what happens once credentials have been stolen: “Once the credentials are retrieved by target applications, they are sent with a filename that includes the username, two-letter country ID, unique computer ID, and time stamp for when the file was created, uploaded to the exfiltration server.
“Uploaded credential files begin with information about the user and the infected system, the configuration options and processes that were run, followed by the credentials retrieved, delimited by lines of target application names.”
So far, this malware campaign has not reached the UK or the US; it has targeted regions such as Italy, Turkey and Spain. According to Cisco Talos, the emails indicate that the attackers are targeting specific business goals.