# Phishing Attacks Employ Old but Effective Password Stealer **[securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/](https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/)** July 21, 2016 [Oliver Devane](https://www.mcafee.com/blogs/author/oliver-devane/) Jul 21, 2016 6 MIN READ A few months ago we received a sample from a customer that turned out to be a password stealer (PWS). One thing about this malware stood out: the subdirectory used in the access panel URL. It contained the string “***=**U=TEAM” (which we have obfuscated). Our investigations lead us to believe this may be a case of industrial espionage. The actors use compromised websites to host their access panels. Luckily for us they made a mistake and left the ZIP file they dropped on the compromised site. This enabled us to see how the back-end of the panel works. The Zip file contains five files: The three files of interest are config.php, index.php, and install.php. Config.php contains the password for the MySQL server they will set up. ----- Install.php creates the database and sets up the panel to store the passwords stolen by the malware. We found the following snippet in the code: We did some searching and found that “Bilal Ghouri” was originally responsible for the PHP back-end of the popular PWS Hackhound Stealer, which was released in 2009. We also found this warning at the end of the code: Surely they would have remembered to delete this file! The most important file is index.php. This file is responsible for storing the passwords uploaded by the malware and also enables the actors to search and export the data. ----- It is interesting that the script checks for a specific user agent, “HardCore Software For : Public.” This user agent is used by the malware when uploading the stolen data. The PHP script checks if the user agent matches the hardcoded one before allowing any data to be uploaded. The malware in use is ISR Stealer, a modified version of Hackhound Stealer. Our findings are confirmed by the comments in the preceding PHP code. The PWS targets the following applications: Internet Explorer Firefox Chrome Opera Safari Yahoo Messenger MSN Messenger Pidgin FileZilla Internet Download Manager JDownloader ----- Trillian The following screen of the original Hackhound Stealer shows options for building the malware: This screen of the ISR Stealer builder was used by the actors behind the campaign. ----- ISR Stealer uses two executables to gather passwords stored on the machine: Mail PassView and WebBrowserPassView, both by Nirsoft. These apps gather passwords stored in mail clients and web browsers. Both of these files reside in the resources of the ISR Stealer. The panel location is also stored in the malware’s resources, in a simple encrypted form with SUB 0x02. _An encrypted URL._ _A decrypted URL._ We did some more digging and found that the actors responsible for this malware have been active since the beginning of 2016, with the first sample spotted in the wild in January. The following spear-phishing emails were sent to entice targets to download and execute the PWS: ----- ----- The actors have been busy for several weeks, although we saw no activity during the Easter holiday. After “Easter break,” we noticed that they had slightly changed the panel. It now includes the string “Powered By NEW LINE OF *** **U TEAMS VERSION 2.1.” ----- One compromised website had more than 10 access panels receiving stolen passwords from the PWS. We observed that some of the targets of the spear phishing are companies that deal with machinery parts. The actors used some of the following filenames: (RFQ__1045667machine-oil valves).exe ButterflyCheckVALVES.exe BALL VALVE BIDDING.exe RFQ BALL VALVE.exe Ball Valves with BSPP conection.exe These names lead us to believe that industrial espionage might be a motive of the actors. ----- We have also noticed that they are attaching the malware with a “.z” extension. This is likely because some popular ZIP file handlers will associate this file extension with their programs and allow users to extract it. Using .z also bypasses some popular cloud email file restrictions. ----- We contacted the website owners used by the actors and informed them of the compromise so that they could remove the panels. **Prevention** McAfee detects this threat as PWS-FCGH. We advise you block .z file extensions at the gateway level. This step will prevent other malware from using this technique in their phishing campaigns. [Oliver Devane Research Scientist](https://www.mcafee.com/blogs/author/oliver-devane/) Oliver Devane is currently a Senior Security Researcher at McAfee. He is based in the UK office and has over 10 years of experience analyzing Malware and Potentially Unwanted Programs. ## More from McAfee Labs [Crypto Scammers Exploit: Elon Musk Speaks on Cryptocurrency](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/crypto-scammers-exploit-talk-on-cryptocurrency/%20) By Oliver Devane Update: In the past 24 hours (from time of publication) McAfee has identified 15... May 05, 2022 | 4 MIN READ ----- [Instagram Credentials Stealer: Disguised as Mod App](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/instagram-credentials-stealer-disguised-as-mod-app/%20) Authored by Dexter Shin McAfee’s Mobile Research Team introduced a new Android malware targeting Instagram users who... May 03, 2022 | 4 MIN READ [Instagram Credentials Stealers: Free Followers or Free Likes](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/instagram-credentials-stealers-free-followers-or-free-likes/%20) Authored by Dexter Shin Instagram has become a platform with over a billion monthly active users. Many... May 03, 2022 | 6 MIN READ [Scammers are Exploiting Ukraine Donations](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-are-exploiting-ukraine-donations/%20) Authored by Vallabh Chole and Oliver Devane Scammers are very quick at reacting to current events, so... Apr 01, 2022 | 7 MIN READ [Imposter Netflix Chrome Extension Dupes 100k Users](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/imposter-netflix-chrome-extension-dupes-100k-users/%20) Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi McAfee has recently observed several malicious Chrome Extensions... Mar 10, 2022 | 8 MIN READ ----- [Why Am I Getting All These Notifications on my Phone?](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/why-am-i-getting-all-these-notifications-on-my-phone/%20) Authored by Oliver Devane and Vallabh Chole Notifications on Chrome and Edge, both desktop browsers, are commonplace,... Feb 25, 2022 | 5 MIN READ [Emotet’s Uncommon Approach of Masking IP Addresses](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/emotets-uncommon-approach-of-masking-ip-addresses/%20) In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The Emotet maldoc was... Feb 04, 2022 | 4 MIN READ [HANCITOR DOC drops via CLIPBOARD](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-doc-drops-via-clipboard/%20) Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer,... Dec 13, 2021 | 6 MIN READ ----- [‘Tis the Season for Scams](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tis-the-season-for-scams/%20) ‘Tis the Season for Scams Nov 29, 2021 | 18 MIN READ [The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc.](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/%20) Authored By Kiran Raj Due to their widespread use, Office Documents are commonly used by Malicious actors... Nov 10, 2021 | 4 MIN READ [Social Network Account Stealers Hidden in Android Gaming Hacking Tool](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/social-networks-account-stealer-hidden-in-android-gaming-hacking-tool/%20) Authored by: Wenfeng Yu McAfee Mobile Research team recently discovered a new piece of malware that specifically... Oct 19, 2021 | 6 MIN READ ----- [Malicious PowerPoint Documents on the Rise](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-powerpoint-documents-on-the-rise/%20) Authored by Anuradha M McAfee Labs have observed a new phishing campaign that utilizes macro capabilities available... Sep 21, 2021 | 6 MIN READ -----