A new malware threat has been discovered that is being distributed using phishing emails. BluStealer malware can perform a range of malicious activities, including logging keystrokes to obtain credentials, stealing cryptocurrency and banking information, and exfiltrating sensitive files from victims’ devices via SMTP.

BluStealer malware was first identified by an infosec researcher in May and was initially named a310logger. At first, BluStealer malware was used in limited attacks, although it is now being distributed more widely in larger phishing campaigns. In mid-September, one phishing campaign was conducted targeting 6,000 users in a single day. The malware has been distributed in several countries, mainly Argentina, the Czech Republic, Italy, Greece, Romania, Spain, Turkey, the United Kingdom and the United States.

As with many other malspam campaigns, the emails used to distribute the malware use social engineering techniques to trick recipients into opening a malicious attachment. The attached file is seemingly benign but delivers the BluStealer payload.

A variety of lures have been used in the phishing campaigns and multiple companies have been impersonated. The antivirus company Avast intercepted messages that impersonated the Mexican metal producer General de Perfiles and the international courier firm DHL.

The DHL phishing emails target businesses and closely resemble genuine email communications from the firm. The emails claim a package has been delivered to head office since the recipient was unavailable. The emails include an attached form which users are required to complete to reschedule a delivery; however, opening the attached file will allow a script to run that results in BluStealer malware being silently downloaded and executed. Avast says the General de Perfiles email also targets businesses and claims the recipient has overpaid an invoice and the money will be applied against the next purchase. Again, the user is required to open an attachment. The emails contained .iso attachments and download URLs on the Discord Content Delivery Network, along with a C# .NET loader.
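The two delivery traits described above, .iso attachments and download links on the Discord CDN, can be checked at the mail gateway. The following is an added example, not code from Avast or TitanHQ; the hostname `cdn.discordapp.com`, the function names and the sample message are assumptions constructed for illustration. It goes slightly beyond the text by checking attachment content for the ISO 9660 signature, so a disk image renamed to another extension is still flagged.

```python
import re
from email.message import EmailMessage

# Assumption: the Discord CDN hostname; the page names the CDN but lists no hosts.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com"}
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)[^\s\"'<>]*", re.I)
ISO_MAGIC_OFFSET = 0x8001  # ISO 9660 "CD001" follows the type byte of sector 16


def is_iso(data: bytes) -> bool:
    """True if the bytes carry an ISO 9660 volume descriptor."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == b"CD001"


def triage(msg: EmailMessage) -> list[str]:
    """Return findings for one message: disk images and Discord CDN links."""
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Check content as well as name, so a renamed image is still caught.
        if name.endswith(".iso") or is_iso(payload):
            findings.append(f"disk-image attachment: {name or '(unnamed)'}")
        if part.get_content_maintype() == "text":
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            for m in URL_RE.finditer(text):
                host = m.group(1).rsplit("@", 1)[-1].split(":")[0].lower()
                if host in DISCORD_CDN_HOSTS:
                    findings.append(f"Discord CDN link: {m.group(0)}")
    return findings


def build_sample() -> EmailMessage:
    """Constructed test message: placeholder link plus a fake ISO named .pdf."""
    msg = EmailMessage()
    msg["Subject"] = "Delivery rescheduling form (constructed sample)"
    msg.set_content("Complete the form: https://cdn.discordapp.com/attachments/0/0/placeholder")
    fake_iso = bytes(ISO_MAGIC_OFFSET) + b"CD001" + bytes(16)
    msg.add_attachment(fake_iso, maintype="application",
                       subtype="octet-stream", filename="form.pdf")
    return msg


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Findings like these are triage signals for quarantine or sandbox review rather than a verdict, since legitimate mail can also carry disk images or Discord links.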

The core code of the malware is written in Visual Basic and there is a C# .NET loader. The components were different in each of the phishing campaigns, which suggests it is possible to customize each element individually. The .NET loader has been used by other malware families, including Agent Tesla, Formbook, and Oski Stealer.

The easiest way to block BluStealer malware is to implement an advanced spam filtering solution such as SpamTitan. SpamTitan is constantly updated by multiple threat intelligence feeds to ensure new malware and phishing threats are detected and blocked. Dual anti-virus engines are used to detect malware, and sandboxing is used to conduct an in-depth analysis of suspicious attachments that pass inspection by the antivirus engines. Sandboxing ensures zero-minute threats are also detected and blocked. SpamTitan also incorporates SPF, DKIM, and DMARC to block email impersonation attacks.

To find out more about SpamTitan Email Security and how it can help to protect your business from malware and email spam, give the TitanHQ team a call. SpamTitan is available on a 100% free 14-day trial (no credit card required) and product demonstrations can be scheduled on request.