Alerts E-Threats

“Confidential Message” Infects Employees with Password Stealer

30,000 Servers May Be Exposed To Hackers

Malware writers target companies and public and private institutions by tricking employees into downloading a password stealer disguised as a confidential corporate document addressed to employees only.

The document in the form of a ZIP file is attached to an e-mail addressed to company employees under the confidentiality mark. The sender’s address is spoofed to make it look as if the mail is sent by DocuSign Electronic Signature Service, on behalf of the administrative department of the employer company.

Under the pretext of viewing or printing a confidential document, recipients in fact download a password stealer that snatches passwords of their e-mail client (TheBat, Thunderbird, Outlook, or IncrediMail) and website passwords – saved under popular browsers such as Chrome, Firefox, Opera or Internet Explorer – to send them to a remote attacker.

Using the remote desktop protocol (RDP), the Trojan attempts to log in into other machines by repeatedly trying out some weak but extremely frequent passwords, such as 123456, password, love, 123, password1, hello, monkey,  111111, iloveyou, online, and 123abc that are kept in a hard-coded list. People using stronger passwords are not vulnerable to these attempts.

The password stealer dubbed by Bitdefender as Trojan.Generic.KD.834485 also collects account information related to server names, port numbers, login IDs and FTP clients and cloud storage programs. All this data is posted on remote servers. Some variants may also download and execute further malware (including Zeus) on the compromised systems.

Cornell University, University at Buffalo and DocuSign have also issued warnings concerning this form of attack.

To stay safe from this type of scam, users are advised to keep their antivirus and other software updated, and be extra cautious with e-mails, especially if they include links and attachments. Plus, a strong password. Companies should also offer workers security trainings on a regular basis because, when an employee falls victim to an attack, the whole company is at risk.

This article is based on the technical information provided courtesy of Doina Cosovan, BitDefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.


Click here to post a comment