“Mr. Anon” Infostealer Attacks Start with a Fake Hotel Booking Query Email

Mr Anon Infostealer AttacksThis new attack is pretty simple to spot on the front, but should it be successful in launching its’ malicious code, it’s going to take its victims for everything of value they have on their computer.

The new Mr. Anon infostealer captures much more than just browser caches and passwords. It also uses basic social engineering tactics that prove to be effective enough to make attacks successful.

It begins with a simple hotel booking email seemingly sent to the victim recipient by mistake, using a subject of “December Room Availability Query” and what appears to be a PDF booking attachment.


Source: Fortinet

Once opened, the PDF pretends to need a Flash update, requiring the user to interact and launch the malicious attachment, which is a combination of a .NET executable, embedded .zip files, PowerShell scripts, and a downloaded payload – a python script.

This attack has a few interesting aspects to it. First is the social engineering tactics used. There’s the email premise of the room request, but then there’s also a step when the python script is run; the attackers purposely post a window with the title of “File Not Supported” with a status message indicating “Not Run: python.exe.” to make the victim think the script never ran (helping to maintain a state of stealth).

There’s also all the obfuscation done to evade detection. The malicious code is, in essence, the python executable. This file is encoded with cx-freeze, requires being downloaded from code held within a .zip file that is, in turn, embedded within the .exe attachment – all to avoid detection. The use of PowerShell itself is another step in attempting to avoid detection, given it’s a part of the Windows OS.

Lastly, there’s the actual infostealer capabilities of this attack. The Mr. Anon infostealer captures more info that most of its predecessors:

  • Browser data
  • Desktop-based digital wallets
  • Password or connection-related browser extensions
  • Messages
  • VPN clients
  • Browser-based digital wallets
  • Data from within 26 different file types

Any data gathered is compressed into a single .zip file and then uploaded to a public file-sharing website.

Because users habitually maintain passwords to cloud-based corporate resources within their browsers, it’s necessary to protect against this attack by educating users through new-school security awareness training on how to spot this attack and avoid engaging with included attachments or links.

KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Browser Password Inspector

Concerned with your network being hacked or becoming a victim of a data breach? KnowBe4’s Browser Password Inspector (BPI) is a new and complimentary IT security tool that allows you to scan and analyze your organization’s potential risk of credential theft and account takeovers associated with users saving passwords in Chrome, Firefox, and Edge web browsers.

BPI-Monitor-1Here's how it works:

  • Inspects available Windows user accounts on your network for browser-saved passwords
  • Checks against weak passwords and password reuse currently active among users in your Active Directory
  • Reports on the accounts affected and does not show/report on actual passwords
  • Simply download the install and run it
  • Results in a few minutes!

Get BPI Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:


Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews