Vega Stealer

First discovered by Proofpoint specialists in May 2018, Vega Stealer is another variant of August Stealer. It is distributed quite actively via email messages, but, according to specialists, it was not developed to cause problems for ordinary users. They say it is more likely that this malicious application targets only companies in the marketing, advertising, public relations, manufacturing, and retail fields. Because of this, it is very important to inform employees about the damage this threat can cause and how it can be prevented from infiltrating computers. Unfortunately, in most cases it seems to enter systems quite easily. It does not seek to damage the system or encrypt files on the affected computer. Instead, it is only interested in the sensitive information the Google Chrome and Mozilla Firefox web browsers hold. In other words, it is typical info-stealing malware. Sadly, its successful entrance is not easy to notice. As a consequence, it manages to steal a large amount of private details before it is detected and removed. Luckily, removing this malicious application is not so difficult.

As you already know, cyber criminals developed Vega Stealer so that they could steal information from companies. How is this threat distributed? Malware analysts say that this infection is mainly spread via emails with the subject line "Online store developer required". These emails carry a brief.doc attachment that, at first glance, seems to be an ordinary Word document. If the user opens it, it immediately asks for macros to be enabled. Once the malicious macros the document contains are enabled, Vega Stealer is executed and starts its dirty work. As mentioned previously, it is one of those nasty infections that steal information; more specifically, it tries to extract data from Mozilla Firefox and Google Chrome. Researchers have observed that it tries to extract the following details from Google Chrome: passwords, saved credit cards, profiles, and cookies. From Mozilla Firefox, it steals several files that, according to the official Mozilla Firefox documentation, contain saved passwords and keys: key3.db, key4.db, logins.json, and cookies.sqlite. These are not the only activities Vega Stealer performs on affected machines: it has turned out that it also takes screenshots of the affected computer without permission. Last but not least, it searches for files with the .doc, .docx, .txt, .rtf, .xls, .xlsx, and .pdf extensions. Once found, they are sent to a remote Command and Control server.

As mentioned, Vega Stealer is usually distributed via emails containing a .doc file. This file contains malicious macros, and once they are enabled, the stealer starts working on the affected computer right away. Since it has been designed to steal information, it might cause a lot of problems for companies. Because of this, companies should ensure maximum protection of their computers by keeping a powerful security application enabled on them. Additionally, they should educate their employees not to open every email they receive.

Vega Stealer is not the only malicious application designed to steal information. It is very similar to another threat called August Stealer, detected in 2016. At that time, this infection could be purchased on various forums. Without a doubt, cyber crooks found it quite attractive because August Stealer can be used to steal a bunch of private details, including passwords, Bitcoin wallets, cookies, specific files, and more. Generally speaking, the predecessor of Vega Stealer is much more harmful. We are sure that other threats capable of stealing information from computers are available on the market too, and it is only a question of time until new ones are released, so it would be best to enable security software on all computers.

Even though Vega Stealer is considered a nasty infection, victims can delete it from their computers themselves. What they need to do first is check the Desktop, Downloads, and Temp folders. If suspicious files are located there, they need to be removed right away. They also have to inspect all files ending with .doc, because brief.doc is known to be the file responsible for dropping the malicious application. It is also possible to delete Vega Stealer with a powerful antimalware scanner. In fact, this is the method we recommend users adopt, because an automated tool will not leave any malicious components active.

Remove Vega Stealer

  1. Open Windows Explorer.
  2. Go to %USERPROFILE%\Downloads, %USERPROFILE%\Desktop, and %TEMP%.
  3. Remove all suspicious files.
  4. Search for a malicious .doc file and delete it if found.
  5. Empty Recycle Bin.
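A small triage helper for the inspection described in the steps above, added here as an example and not part of the original page: it walks the three folders the steps name and flags Word documents that carry a VBA project, so a macro-bearing .doc like the one the text describes can be found and reviewed before anything is deleted. The `build_samples()` fixtures are constructed files, not real malware, and the macro check is a byte-level heuristic (OLE stream names stored as UTF-16LE, or `word/vbaProject.bin` inside an OOXML zip), not a full document parser.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Magic bytes of an OLE2 compound file (legacy binary .doc)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entries hold stream names as UTF-16LE; these two names only exist
# when a VBA project is embedded (heuristic, not a full OLE parser)
OLE_MACRO_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]
OFFICE_EXTS = (".doc", ".dot", ".docx", ".docm", ".dotm")

def has_macros(path):
    """True if the file looks like a Word document carrying a VBA project."""
    data = Path(path).read_bytes()
    if data.startswith(OLE_MAGIC):
        return any(m in data for m in OLE_MACRO_MARKERS)
    if zipfile.is_zipfile(path):  # OOXML (.docx/.docm) is a zip container
        with zipfile.ZipFile(path) as z:
            return any(n.lower() == "word/vbaproject.bin" for n in z.namelist())
    return False

def triage(folders):
    """Return sorted paths of macro-bearing Office files under folders (no deletion)."""
    hits = []
    for folder in folders:
        base = Path(folder)
        if base.is_dir():
            for p in base.rglob("*"):
                if p.is_file() and p.suffix.lower() in OFFICE_EXTS and has_macros(p):
                    hits.append(str(p))
    return sorted(hits)

def default_folders():
    """The three locations the removal steps name, resolved from the environment."""
    home = os.environ.get("USERPROFILE") or os.path.expanduser("~")
    temp = os.environ.get("TEMP") or tempfile.gettempdir()
    return [os.path.join(home, "Downloads"), os.path.join(home, "Desktop"), temp]

def build_samples():
    """Constructed fixtures (not real malware): two macro-bearing and two clean files."""
    d = Path(tempfile.mkdtemp())
    (d / "brief.doc").write_bytes(OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le"))
    (d / "clean.doc").write_bytes(OLE_MAGIC + b"\x00" * 504)
    with zipfile.ZipFile(d / "report.docm", "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x01\x16\x03\x00")
    with zipfile.ZipFile(d / "notes.docx", "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
    return str(d)
```

Running `triage(default_folders())` on a workstation lists the candidates to review; the fixture directory from `build_samples()` shows the expected hits without touching real user folders.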