A new specimen of “infostealer” malware offers a disturbing feature: It monitors a target's browser for NSFW content, then takes simultaneous screenshots and webcam photos of the victim.
I mean, true. But I kind of feel like once you’ve got malware on your system, there are an awful lot of unpleasant things that it could manage to do. Would rather focus more on earlier lines of defense.
Once it’s installed, Stealerium is designed to steal a wide variety of data and send it to the hacker via services like Telegram, Discord, or the SMTP protocol in some variants of the spyware, all of which is relatively standard in infostealers. The researchers were more surprised to see the automated sextortion feature, which monitors browser URLs for a list of pornography-related terms such as “sex” and “porn," which can be customized by the hacker and trigger simultaneous image captures from the user’s webcam and browser. Proofpoint notes that it hasn’t identified any specific victims of that sextortion function, but suggests that the existence of the feature means it has likely been used.
The “try and sextort” thing might be novel, but if the malware is on the system, it’s probably already swiping all the other data it can anyway.
It sounds like in this case, the aim is to try to get people to invoke executables by presenting them as ordinary data files:
In the hacking campaigns Proofpoint analyzed, cybercriminals attempted to trick users into downloading and installing Stealerium as an attachment or a web link, luring victims with typical bait like a fake payment or invoice. The emails targeted victims inside companies in the hospitality industry, as well as in education and finance, though Proofpoint notes that users outside of companies were also likely targeted but wouldn’t be seen by its monitoring tools.
Like, I kind of feel that maybe a better fix is to distinguish, at a UI level, between “safe” opening and “unsafe” opening of something. Maybe “safe” opening opens content in a process running in a container without broader access to the host or something like that, and maybe it’s the default. That’s what mobile OSes do all the time. Web browsers don’t — shouldn’t — just do unsafe things on the host just because someone viewed something in a browser — they have a restricted environment.
In a world that worked like that, you need to actively go out of your way to run something off the Internet outside of a containerized environment.
Don’t leave cameras uncovered. Webcam covers are cheap. Tape works too.
I mean, true. But I kind of feel like once you’ve got malware on your system, there are an awful lot of unpleasant things that it could manage to do. Would rather focus more on earlier lines of defense.
The “try and sextort” thing might be novel, but if the malware is on the system, it’s probably already swiping all the other data it can anyway.
It sounds like in this case, the aim is to try to get people to invoke executables by presenting them as ordinary data files:
Like, I kind of feel that maybe a better fix is to distinguish, at a UI level, between “safe” opening and “unsafe” opening of something. Maybe “safe” opening opens content in a process running in a container without broader access to the host or something like that, and maybe it’s the default. That’s what mobile OSes do all the time. Web browsers don’t — shouldn’t — just do unsafe things on the host just because someone viewed something in a browser — they have a restricted environment.
In a world that worked like that, you need to actively go out of your way to run something off the Internet outside of a containerized environment.
Yes. But one less thing it can do.