mranon-stealer-malware

Introduction:

In this report, we give an outline of malware, its evolution, potential threats and possible ways of improving Security Information and Event Management (SIEM) Systems. This MrAnon Stealer malware campaign is a highly-sophisticated threat that capitalizes on social engineering techniques to exploit human weaknesses.

Malware overview:

The Python-based information stealer is called MrAnon Stealer, which is designed as a phishing email for hotel reservations. In a multi-stage approach, the attackers use .NET executables, PowerShell scripts and cleverly made Windows Form presentations. Quietly running in the background, this malware steals sensitive data from different applications compresses it with cx-Freeze to evade detection and leaks it online using a public file-sharing website.

Upgrade and new threat vector:

The campaign has shown a strategic evolution, transitioning from Cstealer to MrAnon Stealer. The attackers exploit the holiday season with phishing emails masquerading as hotel reservation details. The malware targets Germany primarily, as indicated by a surge in queries for the downloader URL. This dynamic approach reflects the adaptability of cybercriminals to current events.

SIEM rules refinement:

Refining SIEM rules is a very important step in improving defenses against MrAnon Stealer and other similar threats. SIEM rules need to be fine-tuned to focus on identifying any suspicious activities linked to .NET executables, PowerShell scripts, and unexpected communication channels such as Telegram. Moreover, abnormal data exfiltration patterns should be monitored for as well as IP addresses tied to malware’s command and control infrastructure.

Indicators of Compromise (IOCs):

  • Downloader SHA256: a522a039ec619a60618c2c8a9e65adb0ff6105b655c1f9b3796e52e0d25958cb
  • Second stage SHA256: 22109901f8290dc2319bd9b49e6bf71f9ddc1af482ddb67fc6e1c3b09ecad9c8
  • Third stage SHA256: bf5259bf53e3747d37d21dbf43b54ff8fa3c57fc991b53fcd320658b6cf34db9

Conclusion:

The MrAnon Stealer malware campaign underscores the importance of continuous vigilance and proactive cybersecurity measures. As attackers evolve their strategies, organizations must refine their defenses, educate users, and leverage advanced threat detection mechanisms. By staying informed and implementing preventive measures, businesses can mitigate the risk posed by this and similar threats.

Reference:

https://thehackernews.com/2023/12/new-mranon-stealer-targeting-german-it.html

https://www.techtimes.com/articles/299657/20231212/beware-fake-hotel-reservation-mranon-stealer-phishing-scam-steals-data.htm

https://gbhackers.com/letscall-ip-phishing/

# Managed Security Services # SIEM

Recent Threat Bulletin

A report on Jenkins CVE-2024-23897 vulnerability
Ivanti Zero-Day Vulnerabilities: Connect Secure and IPS
Unmasking Androxgh0st: A deep dive to safeguard your network

Get in touch

Send us a Message

Looking for general information or have a specific question. Fill the form below or drop
us a line at susan@positka.com.

logo-img

Positka specializes in high-end technology solutions to help businesses improve their IT infrastructure with advanced Security Protocols, excellence in Analytics, Streamlined IT Operations, & around-the-clock Managed services.

Quick Links

Services

Copyright Positka © . All Rights Reserved.