August Stealer is a piece of malware that was offered for sale in October 2016 and was reported to be part of many information-collecting campaigns since. The August Stealer is a Trojan that is specialized in obtaining data from protected passwords storage, various FTP clients, email management applications, IM clients, Bitcoin wallets, Remote Desktop Connection files and several text format types. August Stealer was promoted as a suite of tools, which enable third parties to collect a wide range of information from compromised devices.
How is the August Stealer Distributed?
One of the advantages of August Stealer, from the attacker's point of view, is that it does not need elevated system access, as long as a threat actor has already infiltrated the targeted device. The August Stealer can be downloaded onto computers that are already infected with Trojan Downloaders and Backdoor Trojans, since those programs can fetch and run additional files. There are also reports from some AV companies suggesting that August Stealer may be delivered through spam emails.
What Data is Collected by the August Stealer?
August Stealer may run from a hidden folder under the AppData directory and inject code into a legitimate process to remain hidden on the machine for as long as possible. Some of the latest versions of August Stealer are reported to recognize AV tools and debuggers; if such instruments are detected, the malware may attempt to disable protection layers or erase its own files. The August Stealer is known to record cookies from popular Web browsers, which can be used to launch Man-in-the-Middle attacks and interfere with online banking operations. The August Stealer Trojan is documented to extract information that may include your social security number, logins for social media, email services and remote desktop accounts, and notes and office documents saved on the local disks. The August Stealer Trojan extracts data from several classes of software, including:
- Web Browsers: Amigo Browser; Bromium; Chromium; Comodo IceDragon; CoolNovo Browser; Coowon; Dooble Browser; Google Chrome; Mail.Ru Browser; Mozilla Firefox; Opera Browser; RockMelt Browser; SRWare Iron; Torch Browser; UC Browser; Vivaldi Browser; Yandex Browser.
- FTP Clients: CoreFTP; CuteFTP; FileZilla; SmartFTP; Total Commander; WinSCP.
- Email Clients: Microsoft Outlook (versions before 2013) and Mozilla Thunderbird (including latest versions).
- IM Clients: Pidgin; Psi (XMPP client); Windows Live (abandoned).
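One defensive check that follows from the hidden-AppData-folder behaviour described above, added here as a hunting example that is not taken from the original article or from any vendor tool: it lists hidden folders directly under the current user's Roaming and Local AppData trees that contain executable files, and records the Authenticode status and SHA-256 of each file for triage. The extension list and the focus on the current user's AppData trees are my assumptions; legitimate software also uses hidden AppData folders, so the output is a triage aid, not a verdict.

```powershell
# Added hunting example (not from the original article): enumerate hidden directories
# directly under the user's AppData trees that contain executables, the persistence
# location the article attributes to August Stealer. Review hits manually.
$roots = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ -and (Test-Path $_) }
$extensions = @('.exe', '.dll', '.scr')   # assumption: payload types worth flagging

$results = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object {
            $dir = $_
            $hits = Get-ChildItem -Path $dir.FullName -File -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { $extensions -contains $_.Extension.ToLower() }
            foreach ($f in $hits) {
                # Signature status helps separate signed vendor files from unsigned droppers
                $sig = Get-AuthenticodeSignature -FilePath $f.FullName -ErrorAction SilentlyContinue
                $hash = Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                [PSCustomObject]@{
                    HiddenFolder = $dir.FullName
                    File         = $f.Name
                    SizeKB       = [math]::Round($f.Length / 1KB, 1)
                    Created      = $f.CreationTime
                    Signature    = if ($sig) { $sig.Status } else { 'Unknown' }
                    SHA256       = if ($hash) { $hash.Hash } else { 'Unknown' }
                }
            }
        }
}

# Newest files first: a recently created unsigned executable in a hidden folder is the
# pattern worth escalating to a full scan or incident response.
$results | Sort-Object Created -Descending | Format-Table -AutoSize
```

Run it under the affected user's account, because the AppData paths are resolved from that user's environment variables.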
The August Stealer Can Be Hard to Spot, but You Can Take Steps to Hinder Potential Attacks
Researchers note that the August Stealer malware encrypts its incoming and outgoing network transmissions, which makes its detection harder. Affected users are also unlikely to notice the presence of the malware, as it demands limited processing power. PC users are encouraged to review the login history of their IM accounts and the devices linked to their preferred online services, to use two-factor authentication wherever it is available, and to scan their machines regularly with a reliable anti-malware solution.