Phishing Attacks Employ Old but Effective Password Stealer

A few months ago we received a sample from a customer that turned out to be a password stealer (PWS). One thing about this malware stood out: the subdirectory used in the access panel URL. It contained the string “***=**U=TEAM” (which we have obfuscated). Our investigations lead us to believe this may be a case of industrial espionage.


The actors use compromised websites to host their access panels. Luckily for us they made a mistake and left the ZIP file they dropped on the compromised site.


This enabled us to see how the back-end of the panel works. The Zip file contains five files:


The three files of interest are config.php, index.php, and install.php.

Config.php contains the password for the MySQL server they will set up.


Install.php creates the database and sets up the panel to store the passwords stolen by the malware. We found the following snippet in the code:


We did some searching and found that “Bilal Ghouri” was originally responsible for the PHP back-end of the popular PWS Hackhound Stealer, which was released in 2009.

We also found this warning at the end of the code:


Surely they would have remembered to delete this file!


The most important file is index.php. This file is responsible for storing the passwords uploaded by the malware and also enables the actors to search and export the data.


It is interesting that the script checks for a specific user agent, “HardCore Software For : Public.”


This user agent is used by the malware when uploading the stolen data. The PHP script checks if the user agent matches the hardcoded one before allowing any data to be uploaded.


The malware in use is ISR Stealer, a modified version of Hackhound Stealer. Our findings are confirmed by the comments in the preceding PHP code.

The PWS targets the following applications:

  • Internet Explorer
  • Firefox
  • Chrome
  • Opera
  • Safari
  • Yahoo Messenger
  • MSN Messenger
  • Pidgin
  • FileZilla
  • Internet Download Manager
  • JDownloader
  • Trillian

The following screen of the original Hackhound Stealer shows options for building the malware:


This screen of the ISR Stealer builder was used by the actors behind the campaign.


ISR Stealer uses two executables to gather passwords stored on the machine: Mail PassView and WebBrowserPassView, both by Nirsoft. These apps gather passwords stored in mail clients and web browsers. Both of these files reside in the resources of the ISR Stealer. The panel location is also stored in the malware’s resources, in a simple encrypted form with SUB 0x02.

An encrypted URL.


A decrypted URL.

We did some more digging and found that the actors responsible for this malware have been active since the beginning of 2016, with the first sample spotted in the wild in January.

The following spear-phishing emails were sent to entice targets to download and execute the PWS:



The actors have been busy for several weeks, although we saw no activity during the Easter holiday. After “Easter break,” we noticed that they had slightly changed the panel. It now includes the string “Powered By NEW LINE OF *** **U TEAMS VERSION 2.1.”


One compromised website had more than 10 access panels receiving stolen passwords from the PWS. We observed that some of the targets of the spear phishing are companies that deal with machinery parts. The actors used some of the following filenames:

  • (RFQ__1045667machine-oil valves).exe
  • ButterflyCheckVALVES.exe
  • Ball Valves with BSPP conection.exe

These names lead us to believe that industrial espionage might be a motive of the actors.


We have also noticed that they are attaching the malware with a “.z” extension. This is likely because some popular ZIP file handlers will associate this file extension with their programs and allow users to extract it. Using .z also bypasses some popular cloud email file restrictions.


We contacted the website owners used by the actors and informed them of the compromise so that they could remove the panels.


McAfee detects this threat as PWS-FCGH. We advise you block .z file extensions at the gateway level. This step will prevent other malware from using this technique in their phishing campaigns.


Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.


More from McAfee Labs

Back to top