July 25, 2016
Security researchers from McAfee have come across a compromised Web server meant to host C&C servers for different password stealers, which were used to target several companies as part of an industrial espionage campaign.
The mistake that allowed researchers to put all the clues together was the crooks' lack of attention to detail: they forgot to delete the C&C server's ZIP installation package from one of the compromised Web servers used to host several C&C servers.
By looking at the files in this ZIP file and the C&C server source code, McAfee researchers quickly identified the server-side component of the ISR Stealer, a modified version of the Hackhound infostealer, which, in turn, was an ancient piece of malware first spotted in 2009.
Crooks targeted companies that handled machinery parts
Researchers discovered that the crooks used the ISR Stealer malware builder to create a password stealer capable of stealing login credentials from applications such as Internet Explorer, Firefox, Google Chrome, Opera, Safari, Yahoo Messenger, MSN Messenger, Pidgin, FileZilla, Internet Download Manager, JDownloader, and Trillian.
Crooks were spreading this custom password stealer as RAR or Z files sent via spear-phishing emails to various companies that deal with machinery parts.