Malware Uses Password Recovery App to Extract Credentials Stored in Browser

Trend Micro experts examine a Trojan called PASSTEAL

Most of the pieces of malware designed to steal user credentials log keystrokes in order to collect the information. However, a new threat called PASSTEAL (TSPY_PASSTEAL.A) relies on a password recovery app to accomplish the task.

According to Trend Micro researchers, the malware collects the information stored in web browser by sniffing out accounts from different online services and applications. The sample analyzed by the security firm contains the PasswordFox app designed to work with Firefox.

“In effect, the password recovery tool enables PASSTEAL to acquire all login credentials stored in the browser- even from websites using secured connections (SSL or HTTPS),” Alvin John Nieto, threat response engineer at Trend Micro, explained.

“Some sites that use this connection includes Facebook, Twitter, Pinterest, Tumblr, Google, Yahoo, Microsoft, Amazon, EBay, Dropbox and online banking sites. PASSTEAL also doesn’t restrict itself to browser applications. Certain variants are designed to log information from applications such as Steam and JDownloader.”

After it extracts the valuable data, the malicious element executes a command to save all the information into a .xml file. Based on this .xml file, a text (.txt) file is also created.

Once all the information is gathered, the malware connects to a remote FTP server and uploads the files.

This tactic is similar to the one deployed by the image-stealing malware (PIXSTEAL) identified last week. Because of this, experts believe there might be a connection between PIXSTEAL and PASSTEAL.

So far, over 400 computers have already been infected with PASSTEAL.

The information stolen by this malware can be monetized in numerous ways. It can be utilized for identity fraud or it can be sold to other cybercriminal groups.

Experts say that the best way to avoid falling victim to such malware is by storing passwords in third-party apps, such as the Trend Micro DirectPass, instead of the browser.

Hot right now  ·  Latest news