Crooks used ISR Stealer, a modified version of Hackhound

Jul 25, 2016 01:05 GMT  ·  By
Industrial espionage campaign used spear-phishing campaign and ISR Stealer malware

Security researchers from McAfee have come across a compromised Web server meant to host C&C servers for different password stealers, which were used to target several companies as part of an industrial espionage campaign.

The mistake that allowed researchers to put all the clues together was the crooks' lack of attention to detail: they forgot to delete the C&C server's ZIP installation package from one of the compromised Web servers used to host several C&C servers.

By looking at the files in this ZIP archive and the C&C server source code, McAfee researchers quickly identified the server-side component of ISR Stealer, a modified version of the Hackhound infostealer, which in turn is an old piece of malware first spotted in 2009.

Crooks targeted companies that handled machinery parts

Researchers discovered that the crooks used the ISR Stealer malware builder to create a password stealer capable of stealing login credentials from applications such as Internet Explorer, Firefox, Google Chrome, Opera, Safari, Yahoo Messenger, MSN Messenger, Pidgin, FileZilla, Internet Download Manager, JDownloader, and Trillian.

The crooks spread this custom password stealer as RAR or Z archives attached to spear-phishing emails sent to various companies that deal with machinery parts.

These RAR and Z archives contained executables that loaded the password-stealing malware. If a victim downloaded the archive and executed the EXE file found inside, the malware collected all available passwords and submitted the data to the C&C server as an HTTP request.

Campaign started back in January 2016

The ISR Stealer server-side component accepted the submitted data only if the request's User-Agent string was "HardCore Software For : Public," a value specific to its client-side component. The data was then saved to a local INI file.
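Because the client-side component announces itself with that fixed User-Agent string, it is a straightforward thing to hunt for in web proxy logs. The following is an added detection example, not code from McAfee or from the article; the log lines are constructed for illustration and the combined-log layout, field names and the case-insensitive, whitespace-normalized matching are assumptions of this example rather than details from the report.

```python
import re
from typing import Dict, List

# User-Agent value the ISR Stealer server-side component requires (quoted in the article).
ISR_STEALER_UA = "HardCore Software For : Public"

# Constructed sample proxy log lines (combined-log-like layout, assumed for this example):
# client_ip - - [time] "METHOD url HTTP/1.1" status bytes "referer" "user-agent"
SAMPLE_LOG = """\
10.0.0.12 - - [25/Jul/2016:09:14:03 +0000] "GET http://intranet.example/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/47.0"
10.0.0.25 - - [25/Jul/2016:09:14:07 +0000] "POST http://compromised-site.example/panel/gate.php HTTP/1.1" 200 18 "-" "HardCore Software For : Public"
10.0.0.31 - - [25/Jul/2016:09:14:09 +0000] "GET http://compromised-site.example/panel/ HTTP/1.1" 200 40 "-" "hardcore  software for : public"
10.0.0.40 - - [25/Jul/2016:09:14:11 +0000] "GET http://cdn.example/app.js HTTP/1.1" 200 77000 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/51.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def normalize_ua(ua: str) -> str:
    """Collapse runs of whitespace and casefold so trivial variations still match."""
    return " ".join(ua.split()).casefold()


def is_isr_stealer_ua(ua: str) -> bool:
    """True if the User-Agent equals the ISR Stealer client string (normalized)."""
    return normalize_ua(ua) == normalize_ua(ISR_STEALER_UA)


def find_isr_stealer_beacons(log_text: str) -> List[Dict[str, str]]:
    """Parse each log line and return the requests whose User-Agent matches."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that do not fit the expected layout
        if is_isr_stealer_ua(m["ua"]):
            hits.append({"src_ip": m["ip"], "time": m["time"],
                         "method": m["method"], "url": m["url"]})
    return hits


if __name__ == "__main__":
    for hit in find_isr_stealer_beacons(SAMPLE_LOG):
        print(f"{hit['time']} {hit['src_ip']} {hit['method']} {hit['url']}")
```

Each flagged source IP is a host to isolate and examine, and the destination URL identifies a compromised site to report to its owner.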

Looking back at historical data, McAfee researchers discovered that this campaign had actually started back in January 2016 and that the crooks had compromised various websites where they hosted their C&C servers.

On one of these compromised websites, researchers discovered over ten C&C servers receiving data from different victims, showing that the criminals were not targeting just one company but an entire class of firms operating in one specific sector.

Original Hackhound builder
