August malware was first noticed in November 2016 by security researchers at Proofpoint. It is an info-stealer, so its primary function is to exfiltrate data from the compromised system; in other words, August is used for reconnaissance. The malware was aimed at a number of vendors, specifically at their managerial and customer service staff. According to engineers at Trustwave, August uses techniques similar to those of the Carbanak malware, which has recently plagued the hospitality industry worldwide.
How is August Malware Spread?
August malware is associated with the hacker group tracked as TA530, which has been active for some time now, almost a year; Proofpoint has tracked the group since January 2016. These hackers rely on social engineering, sending phishing e-mails to the accounts of high-value employees, in most instances carrying executable content. Thus August can legitimately be called a trojan. Its targets are chosen based on information collected from LinkedIn.
The fake e-mails revolve around complaints supposedly made by customers. Their subject lines are the following:
Erroneous charges from [recipient’s domain]
[recipient’s domain] – Help: Items vanish from the cart before checkout
[recipient’s domain] Support: Products disappear from the cart during checkout
Need help with order on [recipient’s domain]
Duplicate charges on [recipient’s domain]
Some examples of these scam e-mails:
The text of the e-mail:
I am writing to question a couple of charges on my credit card that point to you guys, which I have definitely no idea about. Please see more details of the incident including last 4 digits of my credit card as well as the transactions. I will have no option but to escalate this issue with the bank declaring this transaction as fraud should I not get an answer today.
Thanks for your help.
The text of the e-mail:
I am getting ready to place an order on […].com, but having issues with 5 items. I have selected in the enclosed document everything I want to buy, can you take a look and confirm if you have it in stock? There is also a screenshot of the cart inserted in the document.
I appreciate your help.
As you can see from the first e-mail above, although it is written in a relatively polite manner, it is quite demanding. It asks the recipient to look at the details of the incident, which are of course enclosed in the attachment: a Word document containing a malicious macro that the recipient is prompted to enable.
If the macro is enabled, it executes a PowerShell script, which in turn downloads the August malware onto the system without actually installing a file on the computer.
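The macro-to-PowerShell hop described above leaves a process-tree trace that endpoint telemetry can catch: an Office application spawning a script host, often with hidden or encoded command lines. The following detection logic is an added example, not code from the original article or from any vendor; the Sysmon-style JSON events, paths, PIDs and command lines are constructed for illustration.

```python
import json

# Constructed Sysmon-style process-creation events (JSON lines). Event 4311 models
# a Word document's macro launching a hidden, encoded PowerShell stage; the other
# two are benign. None of these values come from the article.
SAMPLE_LOG = r'''
{"pid": 4120, "image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "WINWORD.EXE /n C:\\Users\\cs\\Downloads\\complaint.doc"}
{"pid": 4311, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "cmdline": "powershell.exe -NoP -W Hidden -Enc SQBFAFgA"}
{"pid": 5002, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"}
'''

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line cues that commonly accompany a fileless download stage.
SUSPICIOUS_CUES = ("-enc", "hidden", "downloadstring", "downloadfile", "iex", "bypass")


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    if basename(event["parent_image"]) in OFFICE_APPS and basename(event["image"]) in SCRIPT_HOSTS:
        reasons.append("office-app-spawned-script-host")
        cmd = event["cmdline"].lower()
        reasons.extend(f"cmdline:{cue}" for cue in SUSPICIOUS_CUES if cue in cmd)
    return reasons


def detect(log_text):
    """Parse JSON-lines events and return [(pid, reasons)] for the hits only."""
    hits = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_LOG):
        print(f"pid {pid}: {', '.join(reasons)}")
```

A benign PowerShell launched from Explorer (pid 5002) is not flagged, while the Word-spawned one is flagged both for its parent and for the hidden-window and encoded-command cues.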
The Malicious Commands August Infostealer Performs on the Infected PC
August is written in .NET and obfuscated with Confuser (5). It can scan the system for files of certain types and stream them to its C&C (Command and Control) server. It can also steal BTC (bitcoin) wallet details, passwords and cookies stored by the Chrome and Firefox browsers, and passwords saved in the Outlook and Thunderbird e-mail clients. The malware can further steal login details from FTP clients such as FileZilla, WinSCP, SmartFTP, CoreFTP and TotalCommander, and take RDP (Remote Desktop Protocol) configuration files. August also collects information about the local operating system, including the hardware ID, the name of the installed system, and the user name. All this data is sent to the C&C server controlled by the TA530 group, and the attackers view the gathered information through a web-based control panel.
Thanks to its anti-detection capabilities, August can potentially evade reverse-engineering tools and even antivirus engines.