Novel Chihuahua Stealer malware emerges

Malicious actors have been deploying the new and advanced Chihuahua Stealer malware in intrusions initially detected by a user on the r/antivirus subreddit, Infosecurity Magazine reports.
According to an analysis from G Data CyberDefense, the attacks use lures to get the target to run an obfuscated PowerShell script hosted in a Google Drive document. That script starts a multi-stage infection chain: it decodes and reconstructs an obfuscated hex-encoded payload, registers a scheduled job for persistence, and finally executes the information stealer.

The stealer first displays transliterated Russian rap lyrics on the infected system as a signature, then runs its main logic: it gathers and obfuscates system details to build a unique victim ID, exfiltrates browser data and cryptocurrency wallet extension files, and deletes itself afterward, the researchers said.

To counter the threat, organizations were urged to monitor for suspicious scheduled PowerShell jobs and unusual files in the Recent or Temp directories, and to watch PowerShell logs for signs of Base64 decoding and .NET reflection.
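The hunting checks the researchers recommend, put into one script as an added example; this is not code from the article or from G Data's analysis. It assumes PowerShell Script Block Logging (event ID 4104) is enabled on the host, that it runs in an elevated session, and the indicator regexes and the seven-day look-back window are illustrative choices rather than anything the page specifies.

```powershell
# Added hunting example, not code from the article or from G Data's analysis.
# Assumptions: Script Block Logging (event ID 4104) is enabled, the script runs
# elevated on the host under review, and the patterns and 7-day window below
# are illustrative choices.

$since = (Get-Date).AddDays(-7)

# 1. Script-block log entries that show Base64 decoding, hex reconstruction or
#    .NET reflection, the loader techniques described in the analysis.
$patterns = @(
    '\[Convert\]::FromBase64String',
    '-EncodedCommand\s|-enc\s|-ec\s',
    '\[Convert\]::ToByte\([^)]*,\s*16\)',        # hex string -> byte reconstruction
    '\[System\.Reflection\.Assembly\]::Load',
    '\[Reflection\.Assembly\]::Load',
    'GetMethod\([^)]*\)\.Invoke\('
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue

$scriptBlockHits = foreach ($e in $events) {
    # ScriptBlockText is the third property of a 4104 event
    $text = [string]$e.Properties[2].Value
    foreach ($p in $patterns) {
        if ($text -match $p) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Pattern = $p
                Snippet = $text.Substring(0, [Math]::Min(120, $text.Length)) -replace '\s+', ' '
            }
            break
        }
    }
}

# 2. Scheduled persistence. Register-ScheduledJob stores its jobs under the
#    PowerShell\ScheduledJobs task path; also catch any task whose action
#    launches powershell.exe or pwsh.exe.
$psTasks = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
    $_.TaskPath -like '\Microsoft\Windows\PowerShell\ScheduledJobs\*' -or
    ($_.Actions | Where-Object { $_.Execute -match 'powershell|pwsh' })
} | Select-Object TaskName, TaskPath, State,
    @{ n = 'Arguments'; e = { ($_.Actions | ForEach-Object { $_.Arguments }) -join ' ' } }

# 3. Recently written script or binary files in Temp and Recent.
$dirs = @($env:TEMP, (Join-Path $env:APPDATA 'Microsoft\Windows\Recent'))
$recentFiles = Get-ChildItem -Path $dirs -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        $_.LastWriteTime -gt $since -and
        $_.Extension -match '^\.(ps1|psm1|bat|cmd|vbs|js|hta|dll|exe)$'
    } |
    Select-Object FullName, Length, LastWriteTime

"== Script-block indicators since $since =="
$scriptBlockHits | Sort-Object Time | Format-Table -AutoSize | Out-String
"== Scheduled tasks that run PowerShell =="
$psTasks | Format-Table -AutoSize | Out-String
"== Recently written files in Temp/Recent =="
$recentFiles | Format-Table -AutoSize | Out-String
```

The script-block check is the most useful of the three, because 4104 events record the decoded script text rather than the obfuscated launcher, so a loader that decodes a hex or Base64 blob and reflectively loads it still leaves the decoding calls in the log. Expect benign hits from administrative tooling; treat a match that coincides with a new task under the ScheduledJobs path or a fresh script file in Temp as the signal worth escalating.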