Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    “Mr. Anon” Infostealer Attacks Start with a Fake Hotel Booking Query Email

    Mr Anon Infostealer AttacksThis new attack is pretty simple to spot on the front, but should it be successful in launching its’ malicious code, it’s going to take its victims for everything of value they have on their computer.

    The new Mr. Anon infostealer captures much more than just browser caches and passwords. It also uses basic social engineering tactics that prove to be effective enough to make attacks successful.

    It begins with a simple hotel booking email seemingly sent to the victim recipient by mistake, using a subject of “December Room Availability Query” and what appears to be a PDF booking attachment.

    fig03-mranon-phishing-email

    Source: Fortinet

    Once opened, the PDF pretends to need a Flash update, requiring the user to interact and launch the malicious attachment, which is a combination of a .NET executable, embedded .zip files, PowerShell scripts, and a downloaded payload – a python script.

    This attack has a few interesting aspects to it. First is the social engineering tactics used. There’s the email premise of the room request, but then there’s also a step when the python script is run; the attackers purposely post a window with the title of “File Not Supported” with a status message indicating “Not Run: python.exe.” to make the victim think the script never ran (helping to maintain a state of stealth).

    There’s also all the obfuscation done to evade detection. The malicious code is, in essence, the python executable. This file is encoded with cx-freeze, requires being downloaded from code held within a .zip file that is, in turn, embedded within the .exe attachment – all to avoid detection. The use of PowerShell itself is another step in attempting to avoid detection, given it’s a part of the Windows OS.

    Lastly, there’s the actual infostealer capabilities of this attack. The Mr. Anon infostealer captures more info that most of its predecessors:

    • Browser data
    • Desktop-based digital wallets
    • Password or connection-related browser extensions
    • Messages
    • VPN clients
    • Browser-based digital wallets
    • Data from within 26 different file types

    Any data gathered is compressed into a single .zip file and then uploaded to a public file-sharing website.

    Because users habitually maintain passwords to cloud-based corporate resources within their browsers, it’s necessary to protect against this attack by educating users through new-school security awareness training on how to spot this attack and avoid engaging with included attachments or links.

    KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

     

    Return To KnowBe4 Security Blog

    Browser Password Inspector

    Concerned with your network being hacked or becoming a victim of a data breach? KnowBe4’s Browser Password Inspector (BPI) is a new and complimentary IT security tool that allows you to scan and analyze your organization’s potential risk of credential theft and account takeovers associated with users saving passwords in Chrome, Firefox, and Edge web browsers.

    BPI-Monitor-1Here's how it works:

    • Inspects available Windows user accounts on your network for browser-saved passwords
    • Checks against weak passwords and password reuse currently active among users in your Active Directory
    • Reports on the accounts affected and does not show/report on actual passwords
    • Simply download the install and run it
    • Results in a few minutes!

    Get BPI Now!

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://www.knowbe4.com/browser-password-inspector

    Topics: Social Engineering, Phishing

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews