NWHStealer - Infostealer Spreads via Fake VPN Sites

A new infostealer named NWHStealer is spreading through fake VPN sites and gaming mods. It's designed to steal passwords and cryptocurrency wallet information. Users must be cautious when downloading software to avoid falling victim.

Category: Malware & Ransomware · Severity: High

Original Reporting

Malwarebytes Labs

AI Summary

CyberPings AI · Reviewed by Rohit Rana

🎯Basically, a sneaky program is stealing your passwords and money by pretending to be safe downloads.

What Happened

NWHStealer is a new infostealer that has been detected in various campaigns. It spreads through fake VPN downloads, gaming mods, and other deceptive means. This malware is particularly concerning due to its ability to collect sensitive information, including browser data and cryptocurrency wallet details.

How It Works

The malware uses multiple methods to install itself, such as self-injection and DLL hijacking. It often masquerades as legitimate software, such as:

  • VPN installers
  • Hardware utilities
  • Mining software
  • Games and mods

Once installed, NWHStealer can collect saved passwords and other sensitive data from browsers like Chrome and Edge. It operates by injecting itself into processes like RegAsm, allowing it to execute its malicious payload without raising alarms.

Who's Being Targeted

This malware targets a broad audience, particularly those looking to download software from unofficial sources. Users of VPN services and gaming enthusiasts are at a higher risk, as attackers exploit their trust in these platforms.

Signs of Infection

Users may notice unusual behavior on their devices, such as:

  • Unrecognized browser extensions
  • Unexpected pop-ups or ads
  • Changes in browser settings or homepage

How to Protect Yourself

To avoid falling victim to NWHStealer, consider these precautions:

  1. Download software only from official websites.
  2. Be cautious with downloads from platforms like GitHub or SourceForge.
  3. Always check file signatures and publisher details before running any downloaded files.
  4. Use security tools like Malwarebytes Browser Guard to block malicious URLs.

Indicators of Compromise (IOCs)

If you suspect infection, check for the following:

  • Malicious file hashes such as e97cb6cbcf2583fe4d8dcabd70d3f67f6cc977fc9a8cbb42f8a2284efe24a1e3.
  • Domains like vpn-proton-setup[.]com and newworld-helloworld[.]icu.
  • URLs from suspicious sources, particularly those linked to fake software.
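The indicators above can be turned into a simple sweep. The following is an added example, not code from the report or from Malwarebytes: it takes the hash and the two defanged domains listed on this page, refangs the domains, and matches them against a constructed DNS query log and against file contents. The log format and client addresses are assumptions for illustration.

```python
"""Sweep constructed DNS logs and file bytes against the NWHStealer IOCs above."""
import hashlib
import re

# IOCs as published on the page; domains are kept defanged until matching.
IOC_SHA256 = {"e97cb6cbcf2583fe4d8dcabd70d3f67f6cc977fc9a8cbb42f8a2284efe24a1e3"}
IOC_DOMAINS_DEFANGED = ["vpn-proton-setup[.]com", "newworld-helloworld[.]icu"]


def refang(domain):
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b' for matching."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def domain_matches(qname):
    """True if qname is an IOC domain or a subdomain of one (not a look-alike)."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


# Constructed sample DNS query log (not from the report): time, client, qname.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 query www.example.com
2024-05-01T10:00:07Z 10.0.0.12 query cdn.vpn-proton-setup.com
2024-05-01T10:00:09Z 10.0.0.31 query update.microsoft.com
2024-05-01T10:01:15Z 10.0.0.44 query newworld-helloworld.icu
"""

# Assumed log layout: "<timestamp> <client-ip> query <qname>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")


def scan_dns_log(text):
    """Return (client, qname) pairs whose query hits an IOC domain."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and domain_matches(m.group(3)):
            hits.append((m.group(2), m.group(3)))
    return hits


def hash_matches(data):
    """True if the SHA-256 of the given file bytes is a listed IOC hash."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


if __name__ == "__main__":
    for client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"IOC domain hit: {client} -> {qname}")
```

Feed `scan_dns_log` your resolver logs and `hash_matches` the bytes of suspect installers; a hit on either is grounds to isolate the host and follow the removal steps above.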

By staying vigilant and following these guidelines, you can protect yourself from the risks posed by NWHStealer and similar malware.

🔒 Pro Insight

The use of DLL hijacking and fake software distribution methods highlights a significant shift in malware delivery tactics, making user education crucial.
