Adamantium Stealer

A new attack campaign targeting Russian-based users and delivering the potent Adamantium Stealer has been detected by infosec researchers. The initial attack vector is a weaponized file named 'scan-100218.docm' that poses as a scanned image and is crafted to appear as if it had been sent by the state-owned Russian bank SberBank. Users tricked into interacting with the file trigger a custom VBS loader, which in turn executes a chain of PowerShell scripts that ultimately drops the Adamantium Stealer onto the compromised system.
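The delivery chain described above (macro document, VBS loader, PowerShell) leaves a distinctive parent-child process pattern in endpoint telemetry. The following is an added detection example, not code from the original page or from any vendor; the process events are constructed and the file name 'scan-100218.docm' is the one the page reports.

```python
# Added example: flag PowerShell processes whose ancestry is
# Office application -> script host (VBS loader) -> PowerShell.
# Constructed sample process-creation events: (pid, parent_pid, image, command_line).
EVENTS = [
    (400, 100, "explorer.exe", "explorer.exe"),
    (412, 400, "WINWORD.EXE", 'WINWORD.EXE /n "scan-100218.docm"'),
    (430, 412, "wscript.exe", "wscript.exe loader.vbs"),            # custom VBS loader
    (445, 430, "powershell.exe", "powershell.exe -nop -enc <constructed>"),
    (460, 445, "powershell.exe", "powershell.exe -c <constructed>"),  # second stage
    (500, 400, "chrome.exe", "chrome.exe"),
    (520, 400, "cmd.exe", "cmd.exe"),
    (530, 520, "powershell.exe", "powershell.exe Get-Process"),       # benign admin use
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}


def ancestry(events, pid):
    """Return lowercase image names from the given process up to the root."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid:
        _, ppid, image, _ = by_pid[pid]
        chain.append(image.lower())
        pid = ppid
    return chain


def find_macro_loader_chains(events):
    """Return pids of PowerShell processes descended from an Office app via a
    script host. Nested PowerShell (stage launching stage) is collapsed so the
    whole chain is reported, not just the first shell."""
    hits = []
    for pid, _, image, _ in events:
        if image.lower() not in SHELLS:
            continue
        chain = ancestry(events, pid)
        i = 0
        while i < len(chain) and chain[i] in SHELLS:   # skip the run of shells
            i += 1
        if i + 1 < len(chain) and chain[i] in SCRIPT_HOSTS and chain[i + 1] in OFFICE:
            hits.append(pid)
    return hits


if __name__ == "__main__":
    print(find_macro_loader_chains(EVENTS))  # returns [445, 460]
```

The benign `cmd.exe -> powershell.exe` branch is not flagged, which is the distinction a rule like this must preserve to avoid drowning analysts in administrative PowerShell use.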

This infostealer threat is designed to extract sensitive private data from Chromium-based Web browsers. The full list of targets includes 22 different browsers: Google Chrome, Opera, Chromium, Vivaldi, Brave-Browser, Epic Privacy Browser, Atom, Amigo, Orbitum, Kometa, Yandex (older versions), Comodo Dragon, Torch, Slimjet, 360Browser, Sputnik, Maxthon3, K-Melon, Nichrome, CocCoc Browser, Uran and Chromodo.

The Adamantium Stealer malware can access, collect, and then exfiltrate various sensitive and confidential user data saved in the browser. Account passwords, credit/debit card details, browsing history, bookmarks, and site cookies can all be breached. In addition, any autofill data can be collected and exported.

The breadth of potentially compromised information leaves the user exposed to various security risks. The attackers can plan a more targeted spear-phishing attack, use the harvested credentials to escalate their reach and take over additional accounts, make illicit purchases, and more.
