{"id":51314,"date":"2016-07-21T16:55:36","date_gmt":"2016-07-21T23:55:36","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=51314"},"modified":"2025-06-03T21:41:41","modified_gmt":"2025-06-04T04:41:41","slug":"phishing-attacks-employ-old-effective-password-stealer","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-attacks-employ-old-effective-password-stealer\/","title":{"rendered":"Phishing Attacks Employ Old but Effective Password Stealer"},"content":{"rendered":"

A few months ago we received a sample from a customer that\u00a0turned out to be a password stealer (PWS). One thing about this malware stood out: the subdirectory used in the\u00a0access panel URL. It contained the string “***=**U=TEAM” (which we have obfuscated). Our investigations lead us to believe this may be a case of industrial espionage.<\/p>\n

\"_od001team_090316\"<\/p>\n

The actors use compromised websites to host their access panels. Luckily for us they made a mistake and left the ZIP file they dropped on the compromised site.<\/p>\n

\"_od003team_090316\"<\/p>\n

This enabled us to see how the back-end of the panel works. The Zip file contains\u00a0five\u00a0files:<\/p>\n

\"od004team_090316\"<\/p>\n

The three files of interest are config.php, index.php, and install.php.<\/p>\n

Config.php contains the password for the MySQL server they will set up.<\/p>\n

\"od005team_090316\"<\/p>\n

Install.php creates the database\u00a0and sets up the panel to store the passwords stolen by the malware. We found the following snippet in the code:<\/p>\n

\"od006team_090316\"<\/p>\n

We did some searching and found that “Bilal Ghouri” was originally responsible for the PHP back-end of the\u00a0popular PWS Hackhound Stealer, which was released in 2009.<\/p>\n

We also found this warning at the end of the code:<\/p>\n

\"od007team_090316\"<\/p>\n

Surely they would have remembered to\u00a0delete this file!<\/p>\n

\"_od008team_090316\"<\/p>\n

The most important file is index.php. This file is responsible for storing the passwords uploaded by the malware and also enables the actors to search and export the data.<\/p>\n

\"od009team_090316\"<\/p>\n

It is interesting that the script checks for a specific user agent, “HardCore Software For : Public.”<\/p>\n

\"od010team_090316\"<\/p>\n

This user agent is used by the malware when uploading the stolen data. The PHP script checks if the user agent matches the hardcoded one before allowing any data to be uploaded.<\/p>\n

\"_od014team_090316\"<\/p>\n

The malware in use is ISR Stealer, a modified version of Hackhound Stealer. Our findings are confirmed by the comments in the preceding PHP code.<\/p>\n

The PWS targets the following applications:<\/h2>\n