CyberSecurity SEE

Cheana Stealer Targets Windows & macOS VPN Users

Cybersecurity researchers have uncovered a phishing campaign that lured victims by posing as a legitimate VPN service called "WarpVPN." The campaign, tracked as Cheana Stealer, delivered a separate malware payload for each of Windows, Linux, and macOS.

The fake website built by the threat actors appeared to give users platform-specific installation instructions. Once a victim followed them and ran the supposed installer, the stealer began harvesting cryptocurrency-related browser extensions, standalone crypto wallets, saved browser passwords, logins, cookies, SSH keys, macOS passwords, and Keychain data.

Researchers at Cyble Research and Intelligence Lab dubbed the malware "Cheana." It targets Windows and macOS users looking for a VPN client, and the attackers promoted the phishing site that impersonated the VPN service through a Telegram channel with more than 54,000 subscribers.

The campaign used platform-specific installer scripts: "install.bat" for Windows, "install-linux.sh" for Linux, and "install.sh" for macOS. On Windows, the script's PowerShell commands checked whether Python was present, installed the required dependencies, and then downloaded the malicious package "hclockify-win."

The stealer targeted cryptocurrency wallets including MetaMask and Trust Wallet as well as Bitcoin and Monero wallets, along with browser extensions and stored passwords. It decrypted saved credentials from Chrome and Firefox and exfiltrated the stolen data via HTTPS POST requests to a fixed server URL.
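As an added example (not code from the original article or from Cyble's report), the following Python script sketches endpoint detection logic for the behaviour described in the two paragraphs above: a script host that probes for Python, runs pip install, downloads an archive from a host outside a package allowlist, and a Python process that later sends a large HTTPS POST. The JSON-lines telemetry schema, host names, URLs, byte threshold, and allowlist are all assumptions constructed for this example, not indicators from the campaign.

```python
"""Heuristic detection of a script-driven Python stealer install chain.

Telemetry is a simplified, constructed JSON-lines schema (an assumption of this
example, not a real EDR format): process events carry pid/ppid/image/cmdline,
network events carry pid/image/method/url and optional bytes_out.
"""
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample telemetry: host "ws1" runs the lure script, host "dev2" is a
# benign developer session for contrast. All values are made up for the example.
SAMPLE_EVENTS = r"""
{"ts": 1, "host": "ws1", "type": "process", "pid": 100, "ppid": 1, "image": "powershell.exe", "cmdline": "powershell -ep bypass -f install.bat"}
{"ts": 2, "host": "ws1", "type": "process", "pid": 101, "ppid": 100, "image": "python.exe", "cmdline": "python --version"}
{"ts": 3, "host": "ws1", "type": "process", "pid": 102, "ppid": 100, "image": "pip.exe", "cmdline": "pip install requests pycryptodome"}
{"ts": 4, "host": "ws1", "type": "network", "pid": 100, "image": "powershell.exe", "method": "GET", "url": "https://warp-vpn.example/hclockify-win.zip"}
{"ts": 5, "host": "ws1", "type": "process", "pid": 103, "ppid": 100, "image": "python.exe", "cmdline": "python hclockify-win\\main.py"}
{"ts": 6, "host": "ws1", "type": "network", "pid": 103, "image": "python.exe", "method": "POST", "url": "https://api.example.net/upload", "bytes_out": 3400000}
{"ts": 7, "host": "dev2", "type": "process", "pid": 200, "ppid": 1, "image": "bash", "cmdline": "bash build.sh"}
{"ts": 8, "host": "dev2", "type": "process", "pid": 201, "ppid": 200, "image": "python3", "cmdline": "python3 -m pip install -r requirements.txt"}
{"ts": 9, "host": "dev2", "type": "network", "pid": 201, "image": "python3", "method": "GET", "url": "https://pypi.org/simple/requests/"}
"""

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh", "zsh"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe", "python3", "python"}
PIP_IMAGES = {"pip.exe", "pip3", "pip"}
# Hosts a workstation is expected to fetch packages from (assumed allowlist).
ALLOWED_DOWNLOAD_HOSTS = {"pypi.org", "files.pythonhosted.org", "github.com"}
EXFIL_BYTES_THRESHOLD = 1_000_000  # outbound POST bytes from an interpreter worth a look


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def url_host(url):
    return urlparse(url).hostname or ""


def detect(events):
    """Return alerts: one 'installer_chain' per script-host process tree that shows
    a download from an unlisted host plus a Python probe or pip install, and one
    'python_bulk_post' per large POST by a Python process to an unlisted host."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        procs = {e["pid"]: e for e in evs if e["type"] == "process"}

        def root_script_host(pid):
            # Walk up the parent chain until a script interpreter is found.
            seen = set()
            while pid in procs and pid not in seen:
                seen.add(pid)
                if procs[pid]["image"] in SCRIPT_HOSTS:
                    return pid
                pid = procs[pid]["ppid"]
            return None

        stages = defaultdict(set)  # script-host pid -> observed stages
        for e in evs:
            root = root_script_host(e["pid"])
            if root is None:
                continue
            if e["type"] == "process":
                img, cmd = e["image"], e["cmdline"]
                if img in PYTHON_IMAGES and (" --version" in cmd or " -V" in cmd):
                    stages[root].add("python_check")
                if (img in PIP_IMAGES or img in PYTHON_IMAGES) and "pip install" in cmd:
                    stages[root].add("pip_install")
            elif e["type"] == "network" and e["method"] == "GET":
                if url_host(e["url"]) not in ALLOWED_DOWNLOAD_HOSTS:
                    stages[root].add("unlisted_download")

        for root, s in stages.items():
            if "unlisted_download" in s and ({"python_check", "pip_install"} & s):
                alerts.append({"host": host, "rule": "installer_chain",
                               "script_host_pid": root, "stages": sorted(s)})

        for e in evs:
            if (e["type"] == "network" and e["method"] == "POST"
                    and e["image"] in PYTHON_IMAGES
                    and e.get("bytes_out", 0) >= EXFIL_BYTES_THRESHOLD
                    and url_host(e["url"]) not in ALLOWED_DOWNLOAD_HOSTS):
                alerts.append({"host": host, "rule": "python_bulk_post",
                               "pid": e["pid"], "url": e["url"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The benign developer session on "dev2" also runs pip install, but its only download is from an allowlisted host, so it raises nothing; the rule fires on the combination of stages rather than on any single one, which is the usual way to keep a heuristic like this from paging on every Python developer.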

The campaign also disguised its components as the legitimate Cloudflare Warp application and harvested data from popular browsers including Chrome, Firefox, Brave, and Edge. The attackers managed the exfiltrated data through a Django REST Framework backend, indicating an organized operation built to steal sensitive information from a wide range of users.

The operation behind Cheana Stealer is believed to have changed hands in 2021, and it follows a strategy of first building user trust before turning to malicious activity. By shipping a customized payload for each operating system, the attackers ensure the malware runs across diverse environments, widening the campaign's reach and impact.

To protect against phishing campaigns of this kind, security practitioners recommend downloading software only from trusted sources, educating users about phishing risks, verifying the authenticity of a VPN service before installing its client, deploying robust endpoint protection, monitoring for and blocking communication with command-and-control (C&C) servers, enabling multi-factor authentication (MFA) on all accounts, and regularly testing incident response plans.

In conclusion, the Cheana Stealer campaign illustrates the evolving tactics threat actors use to compromise systems and steal sensitive information. By targeting multiple platforms and disguising the malware as a legitimate application, the attackers reach a wider audience and maximize the impact of their operation. Organizations and individuals should remain vigilant and maintain robust security controls to defend against such threats.
