Braodo Info Stealer

    Oct. 14, 2024

    Key Points

    What you'll learn in this article

    • Targets the Media, Branding, Marketing, and Digital Advertising sectors in the US and UK.
    • Highly targeted: approximately 100 messages per month.
    • Primary intent is to deliver malware that steals credentials for GitHub, Amazon AWS and other platforms.

    Mimecast Threat Researchers have been monitoring and investigating a sophisticated phishing campaign targeting marketing organizations. In this novel campaign, threat actors impersonate a well-known brand in an attempt to lure victims into downloading malicious files from Dropbox. These malicious files ultimately deliver malware in the form of Braodo Stealer.

    Disseminated via phishing and spear-phishing emails, the malware utilises GitHub and a Singapore-based VPS server to host and distribute its code. Developed by threat actors based in Vietnam, Braodo Stealer exfiltrates internet browser data via Telegram bots. The stolen information includes credentials from financial platforms, as well as accounts from GitHub, Amazon AWS, and other platforms.

    Analysis from Cyfirma details that the malware is obfuscated multiple times and uses batch scripts, PowerShell, executables (exe), HTA, and PDF files to spread. Multiple GitHub repositories are used to host the malicious code, while multiple Telegram bots are used for data exfiltration. It operates stealthily in the background, collecting and archiving data, which is then sent to Telegram bots. The full details of the malware’s capabilities can be read from Cyfirma’s threat research.

    Mimecast Protection

    We have identified several attributes in the campaigns which have been added to our detection capabilities.

    Targeting

    US and UK, predominantly the Media, Branding, Marketing, and Digital Advertising sectors.

    IOCs

    Sender Domains:

    • ads-hogan[.]com
    • hoganhr[.]com
    • hrhogan[.]com
    • mkt-hogan[.]com
    • partner-hogan[.]com
    • usa-hogan[.]com

    Recommendations

    • Ensure you have an Attachment Protect policy set to protect the organization.
    • Search your email receipt logs to determine whether any mail from the sender domains listed above was delivered to your users.
    • Educate end users about the continued trend of legitimate tools (Dropbox, GitHub, Telegram) being used in malicious campaigns.
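The following script is an added example, not Mimecast's own tooling, showing how the receipt-log search in the recommendations above can be done against the sender-domain IOCs. It takes the domains exactly as they are defanged in the IOC list, refangs them, and matches on the sender's domain as a whole label suffix rather than as a substring, so that a subdomain such as mail.partner-hogan.com counts while an unrelated domain that merely contains the string hoganhr.com does not. The log line format and every address in the sample log are constructed for the example; adapt the regular expression to your own gateway's export format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sender domains from the IOC list above, copied in their defanged form.
IOC_SENDER_DOMAINS_DEFANGED = [
    "ads-hogan[.]com",
    "hoganhr[.]com",
    "hrhogan[.]com",
    "mkt-hogan[.]com",
    "partner-hogan[.]com",
    "usa-hogan[.]com",
]


def refang(domain: str) -> str:
    """Turn an article-style defanged domain back into a comparable hostname."""
    return domain.replace("[.]", ".").strip().lower()


IOC_SENDER_DOMAINS = {refang(d) for d in IOC_SENDER_DOMAINS_DEFANGED}

# Constructed sample receipt log (hypothetical format, not a real gateway export).
# The last line is a deliberate decoy: it contains "hoganhr.com" as a substring
# but is not that domain or a subdomain of it, so it must not match.
SAMPLE_LOG = """\
2024-10-08T09:12:44Z from=<hr@hoganhr.com> to=<alice@example.org> status=delivered
2024-10-08T09:13:01Z from=<news@vendor.example.net> to=<bob@example.org> status=delivered
2024-10-09T14:02:17Z from=<partners@mail.partner-hogan.com> to=<carol@example.org> status=delivered
2024-10-09T14:05:30Z from=<ads@ads-hogan.com> to=<dave@example.org> status=rejected
2024-10-10T08:00:00Z from=<info@hoganhr.com.attacker.example> to=<erin@example.org> status=delivered
malformed line that should be skipped, not crash the scan
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> status=(?P<status>\w+)$"
)


@dataclass
class Hit:
    timestamp: str
    sender: str
    recipient: str
    matched_ioc: str
    delivered: bool


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased; empty string if there is no '@'."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def matches_ioc(domain: str, iocs=IOC_SENDER_DOMAINS) -> Optional[str]:
    """Return the IOC domain that `domain` equals or is a subdomain of, else None.

    Suffix matching is done on a label boundary ("." + ioc) so that
    "hoganhr.com.attacker.example" does not match "hoganhr.com".
    """
    for ioc in iocs:
        if domain == ioc or domain.endswith("." + ioc):
            return ioc
    return None


def scan(log_text: str, iocs=IOC_SENDER_DOMAINS) -> List[Hit]:
    """Parse each log line and return every message whose sender domain hits an IOC."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole search
        ioc = matches_ioc(sender_domain(m["sender"]), iocs)
        if ioc is None:
            continue
        hits.append(Hit(m["ts"], m["sender"], m["rcpt"], ioc, m["status"] == "delivered"))
    return hits


def delivered_recipients(log_text: str) -> List[str]:
    """Recipients who actually received mail from an IOC domain (rejected mail excluded)."""
    return sorted({h.recipient for h in scan(log_text) if h.delivered})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        state = "DELIVERED" if hit.delivered else "blocked"
        print(f"{hit.timestamp} {hit.sender} -> {hit.recipient} [{hit.matched_ioc}] {state}")
    print("follow up with:", delivered_recipients(SAMPLE_LOG))
```

Messages that were rejected at the gateway are reported separately from those that reached a mailbox; only the delivered set needs user follow-up and attachment triage.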