Broado Info Stealer

Oct. 14, 2024

Mimecast Threat Researchers have been monitoring and investigating a sophisticated phishing campaign targeting marketing organizations. The novel campaign sees threat actors impersonating a well-known brand, in attempts to lure victims into downloading malicious files from Dropbox. These malicious file ultimately seek to deliver malware in the form of Broado Stealer.

Disseminated via phishing and spear-phishing emails, the malware utilises GitHub and a Singapore-based VPS server to host and distribute its code. Developed by threat actors based in Vietnam, Braodo Stealer exfiltrates internet browser data via Telegram bots. The stolen information includes credentials from financial platforms, as well as accounts from GitHub, Amazon AWS, and other platforms.

Analysis from Cyfirma details that the malware is obfuscated multiple times and uses batch scripts, PowerShell, executables (exe), HTA, and PDF files to spread. Multiple GitHub repositories are used to host the malicious code, while multiple Telegram bots are used for data exfiltration. It operates stealthily in the background, collecting and archiving data, which is then sent to Telegram bots. The full details of the malware’s capabilities can be read from Cyfirma’s threat research.

Mimecast Protection

We have identified several attributes in the campaigns which have been added to our detection capabilities.

Targeting

US and UK, Predominantly Media, Branding, Marketing, and Digital Advertising sectors.

IOCs

Sender Domains:

• ads-hogan[.]com
• hoganhr[.]com
• hrhogan[.]com
• mkt-hogan[.]com
• partner-hogan[.]com
• usa-hogan[.]com

Recommendations

• Ensure you have an Attachment Protect policy set to protect the organization.
• Search through your email receipt logs to determine if any of the sending domains have been delivered to your users.
• Educate end users around the continued trend of legitimate tools being used in malicious campaigns.