MrAnon Stealer Spreads via Email with Fake Hotel Booking PDF | FortiGuard Labs

FortiGuard Labs analyzed a phishing campaign that uses a fake hotel booking PDF to drop a .NET downloader which unpacks a PowerShell script and ultimately executes a cx_Freeze-packed Python stealer called MrAnon Stealer. The stealer harvests browser credentials, cryptocurrency wallets/extensions, screenshots, and files, then archives and uploads the data to a public file host and posts the link to a Telegram channel. #MrAnonStealer #anonbin_ir

Keypoints

  • Phishing emails with subject “December Room Availability Query” deliver a malicious PDF that contains an embedded downloader URL.
  • The PDF drops a .NET executable (uses PowerGUI/ScriptRunner.dll) which extracts and executes an embedded PowerShell script (down2.ps1).
  • down2.ps1 presents a fake Windows Form, downloads a zip from anonbin[.]ir, extracts a cx_Freeze-packed python.exe, and launches the Python payload.
  • The Python payload (MrAnon Stealer) terminates wallet/browser processes, captures screenshots, and harvests browser data, wallet data, messengers, VPN clients, and targeted files from user directories.
  • Stolen data are compressed into a password-protected archive (Log (Username).zip), uploaded to store1.gofile[.]io, and the download link plus system info are sent to the attacker’s Telegram channel via a bot token.
  • Telemetry shows the downloader URL was predominantly queried from Germany with increased activity in November 2023.
  • The campaign previously distributed other cx_Freeze-packed Python stealers (Cstealer) before switching to MrAnon Stealer in October and November 2023.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The malicious PDF attached to the “December Room Availability Query” email carries the downloader; per the report, the ‘attached malicious PDF file has a downloader link hidden in the stream object.’
  • [T1105] Ingress Tool Transfer – The PDF-embedded downloader retrieves a .NET executable and additional payloads from the domain ‘anonbin[.]ir’ (‘the script retrieves a payload from the identical domain, “anonbin[.]ir”’).
  • [T1059.001] PowerShell – The .NET executable extracts and runs a PowerShell script (‘unpacking an embedded script named “down2.ps1” and executing it using PowerShell.exe’).
  • [T1059.006] Python – The final payload is a cx_Freeze-packed Python executable that invokes malicious Python code via PyObject_CallObject (‘uses “PyObject_CallObject” to invoke the malicious Python code’).
  • [T1027] Obfuscated Files or Information – Use of cx_Freeze to pack and disguise the Python stealer to evade detection (‘a Python-based information stealer compressed with cx-Freeze to evade detection’).
  • [T1555.003] Credentials from Web Browsers – The stealer harvests browser credentials, sessions, and browser extensions across many browsers (‘steals its victims’ credentials, system information, browser sessions, and cryptocurrency extensions’).
  • [T1113] Screen Capture – Malware captures a screenshot using ImageGrab and saves it as ‘Screenshot (Username ).png’ (‘uses “ImageGrab” to capture a screenshot, saving it with the filename “Screenshot (Username ).png.”’).
  • [T1560] Archive Collected Data – Stolen files are compressed and password-protected into ‘Log (Username).zip’ before upload (‘compresses the stolen data, secures it with a password, and designates the filename as “Log (Username).zip.”’).
  • [T1102] Web Service – Exfiltration via public file-sharing and Telegram bot: upload to ‘store1.gofile[.]io/uploadFile’ and posting to Telegram using a bot token (‘uploaded to a public file-sharing website using the URL “hxxps://store1[.]gofile[.]io/uploadFile”’ and ‘sent to the attacker’s Telegram channel using the bot token “6799784870:AAHEU6EUdnAjRcH8Qq0TCokNtVJSL06VmbU.”’).

Indicators of Compromise

  • [Hostnames] downloader/C2 and product site – anonbin[.]ir, anoncrypter[.]com
  • [URLs] exfiltration & payload hosting – hxxps://store1[.]gofile[.]io/uploadFile, hxxp[:]//anoncrypter[.]com
  • [File hashes] malicious payload samples – 075e40be20b4bc5826aa0b031c0ba8355711c66c947bbbaf926b92edb2844cb0, 48e09b8043c0d5dfc2047b573112ead889b112108507d400d2ce3db18987f6c9, and 5 more hashes
  • [Filenames] staged and dropped files – down2.ps1, Ads-Pro-V6-Free-Trail (1).zip, python.exe, adobe.exe, Log (Username).zip
  • [Credentials/API token] Telegram exfiltration token – bot token ‘6799784870:AAHEU6EUdnAjRcH8Qq0TCokNtVJSL06VmbU’ used to post stolen-data links to a Telegram channel
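The indicators above in use: an added example (not FortiGuard’s code, and not the stealer’s) that triages a sample’s bytes against the listed hashes and hostnames and pulls out any Telegram bot token or gofile upload endpoint by shape rather than by exact value. The strings dump is constructed for the example; the token pattern (numeric bot id, colon, 35-character secret) is an assumption generalised from the single token quoted on this page.

```python
"""Static triage of a sample against the IOC list above (added example)."""
import hashlib
import re

# The two SHA-256 values quoted in the IOC list (the page lists five more).
KNOWN_SHA256 = {
    "075e40be20b4bc5826aa0b031c0ba8355711c66c947bbbaf926b92edb2844cb0",
    "48e09b8043c0d5dfc2047b573112ead889b112108507d400d2ce3db18987f6c9",
}
# Hostnames from the IOC list, refanged so they match raw strings in a binary.
KNOWN_HOSTS = {"anonbin.ir", "anoncrypter.com", "store1.gofile.io"}

# Assumed general shape of a Telegram bot token, "<numeric bot id>:<35-char secret>",
# derived from the single token quoted on the page so any embedded token is found.
TELEGRAM_TOKEN_RE = re.compile(r"(?<![\w-])(\d{8,12}):([A-Za-z0-9_-]{35})(?![\w-])")
# gofile's anonymous upload endpoint; the page shows store1, so allow any storeN.
GOFILE_UPLOAD_RE = re.compile(r"https?://store\d+\.gofile\.io/uploadFile", re.IGNORECASE)


def refang(ioc):
    """'hxxps://store1[.]gofile[.]io' -> 'https://store1.gofile.io' for matching."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def defang(ioc):
    """Inverse of refang(); report output should not be clickable."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage(data):
    """Hash the sample and pull exfiltration indicators out of its bytes."""
    text = data.decode("latin-1")          # one char per byte, never raises
    digest = sha256_hex(data)
    tokens = [m.group(0) for m in TELEGRAM_TOKEN_RE.finditer(text)]
    return {
        "sha256": digest,
        "known_hash": digest in KNOWN_SHA256,
        "hosts": sorted(h for h in KNOWN_HOSTS if h in text),
        "gofile_uploads": [defang(u) for u in GOFILE_UPLOAD_RE.findall(text)],
        "telegram_bot_ids": [t.split(":", 1)[0] for t in tokens],
        "telegram_tokens": tokens,
    }


# Constructed stand-in for a strings dump of the stealer; not bytes from a real sample.
SAMPLE = (
    b"\x00\x00cstgversion__main__.pyc\x00"
    b"https://store1.gofile.io/uploadFile\x00"
    b"6799784870:AAHEU6EUdnAjRcH8Qq0TCokNtVJSL06VmbU\x00"
    b"Log (Username).zip\x00anonbin.ir\x00"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it over the raw file or a strings dump; the hash check catches only the exact samples listed, while the host and token matches carry over to repacked builds of the same stealer, and the output is already defanged for pasting into a report.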

The technical infection chain begins with a phishing PDF whose stream object hides a downloader URL; that URL retrieves a .NET executable (observed as adobe.exe) that leverages ScriptRunner.dll/PowerGUI to extract a Scripts.zip resource. That resource is written under the user’s temporary path (%USERPROFILE%\AppData\Local\Temp\Quest Software\PowerGUI) and contains down2.ps1, which the .NET loader invokes via PowerShell.exe to continue the deployment.

down2.ps1 creates a deceptive Windows form to hide activity, downloads a zip archive (e.g., Ads-Pro-V6-Free-Trail (1).zip) from anonbin[.]ir, extracts it to the temp folder, and starts a cx_Freeze-packed python.exe. The packed executable locates lib\library.zip, loads the packaged Python modules (including cstgversion__main__.pyc), and runs the main data-stealing routines.

The Python stealer (MrAnon) terminates specific wallet and browser processes, captures screenshots, enumerates and harvests browser profiles, extensions, desktop wallets, messenger and VPN client data, and files from standard user directories. It archives collected files into a password-protected Log (Username).zip, uploads the archive to a public file host (store1.gofile[.]io), and sends the download link and system metadata to the attacker’s Telegram channel using the included bot token.
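Turning the three stages above into a detection: an added example, not code from FortiGuard or from the malware, that maps Sysmon-style process-creation and network events to the stages of the chain and alerts when a host shows two or more of them within a short window. The events are constructed; the parent of adobe.exe, the subfolder python.exe is extracted into, and api.telegram.org as the endpoint the bot token is used against are assumptions not stated on the page.

```python
"""Correlate the infection chain above over endpoint telemetry (added example)."""
import re
from collections import defaultdict

# Path fragments from the chain described above; Windows paths are case-insensitive.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
POWERGUI_PS1_RE = re.compile(r"\\Temp\\Quest Software\\PowerGUI\\[^\"']*\.ps1", re.IGNORECASE)
# store1.gofile.io is on the page; api.telegram.org is assumed as the bot-API endpoint.
EXFIL_HOSTS = {"store1.gofile.io", "api.telegram.org"}


def stage_of(ev):
    """Map one event to a stage of the chain, or None if it matches nothing."""
    image = ev["image"].lower()
    if ev["type"] == "proc":
        parent = ev["parent"].lower()
        if image.endswith("\\powershell.exe") and POWERGUI_PS1_RE.search(ev["cmdline"]):
            return "powershell_from_powergui_temp"   # .NET loader running down2.ps1
        if (image.endswith("\\python.exe") and TEMP_DIR_RE.search(image)
                and parent.endswith("\\powershell.exe")):
            return "python_from_temp"                # cx_Freeze-packed stealer started by the script
    elif ev["type"] == "net":
        if TEMP_DIR_RE.search(image) and ev["dest"].lower() in EXFIL_HOSTS:
            return "exfil_from_temp_process"         # archive upload / Telegram notification
    return None


def detect(events, window=600):
    """Return {host: [stages]} for hosts with two or more distinct stages inside `window` s."""
    seen = defaultdict(list)                         # host -> [(ts, stage)], first sighting only
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage and stage not in [s for _, s in seen[ev["host"]]]:
            seen[ev["host"]].append((ev["ts"], stage))
    alerts = {}
    for host, hits in seen.items():
        last_ts = hits[-1][0]
        recent = [s for ts, s in hits if last_ts - ts <= window]
        if len(recent) >= 2:
            alerts[host] = recent
    return alerts


# Constructed events for two hosts; ws01 reproduces the chain, ws02 is benign admin activity.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"type": "proc", "ts": 100, "host": "ws01", "parent": r"C:\Windows\explorer.exe",  # parent assumed
     "image": TEMP + r"\adobe.exe", "cmdline": TEMP + r"\adobe.exe"},
    {"type": "proc", "ts": 101, "host": "ws01", "parent": TEMP + r"\adobe.exe", "image": PS,
     "cmdline": 'powershell.exe -File "' + TEMP + r'\Quest Software\PowerGUI\down2.ps1"'},
    {"type": "proc", "ts": 140, "host": "ws01", "parent": PS,                          # subfolder assumed
     "image": TEMP + r"\Ads-Pro-V6-Free-Trail (1)\python.exe",
     "cmdline": TEMP + r"\Ads-Pro-V6-Free-Trail (1)\python.exe"},
    {"type": "net", "ts": 190, "host": "ws01",
     "image": TEMP + r"\Ads-Pro-V6-Free-Trail (1)\python.exe", "dest": "store1.gofile.io"},
    {"type": "proc", "ts": 100, "host": "ws02", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r'powershell.exe -File "C:\Program Files\Corp\inventory.ps1"'},
    {"type": "net", "ts": 101, "host": "ws02",
     "image": r"C:\Program Files\Python311\python.exe", "dest": "store1.gofile.io"},
]

if __name__ == "__main__":
    print(detect(EVENTS))
```

Each stage alone is noisy (PowerShell scripts in Temp and Python interpreters talking to file hosts both happen legitimately), which is why the rule fires on the sequence and not on a single event; the PowerGUI path and the PowerShell-to-python.exe parentage are the parts that change least between builds of this downloader.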

Read more: https://www.fortinet.com/blog/threat-research/mranon-stealer-spreads-via-email-with-fake-hotel-booking-pdf