New MintsLoader Campaign Spreads Stealc Malware Through Compromised PEC Mailboxes

A new malware campaign uses MintsLoader via compromised PEC email accounts to distribute Stealc, an info-stealing malware targeting browsers and crypto wallets. Attackers used 150 domains and obfuscated JavaScript files to evade detection. (Affected: PEC email users, browsers, crypto wallets, email clients)

Key points:

  • A recent malware campaign uses MintsLoader, a PowerShell-based loader.
  • The attack starts with emails sent from compromised PEC (certified email) accounts that contain links to obfuscated JavaScript files.
  • 150 domains were used to generate URLs that were initially inactive and were activated only during working hours.
  • The infection chain includes server-side checks that complicate payload detection.
  • Payload identified as Stealc, an information-stealing malware-as-a-service active since January 2023.
  • Stealc targets browsers, extensions, crypto wallets, and email clients to exfiltrate sensitive data.
  • File hosting service temp[.]sh was requested but unavailable, possibly indicating use of decoy files.
  • Countermeasures are in progress with the support of the PEC service providers, and CERT-AGID has shared the IoCs.
  • Users are advised to be cautious with PEC emails, especially those containing suspicious links.
  • Suspicious PEC emails can be forwarded to [email protected] for analysis.

MITRE Techniques:

  • Phishing (T1566) – Sending malicious emails from compromised PEC accounts containing obfuscated JavaScript links.
  • Command and Control (T1071) – Use of multiple domains to generate URLs for delivering payloads.
  • PowerShell (T1059.001) – Use of a PowerShell-based loader (MintsLoader) to execute malicious scripts.
  • Data Exfiltration (T1041) – Stealc malware exfiltrates sensitive data such as browser info and crypto wallets.
  • Obfuscated Files or Information (T1027) – Use of obfuscated JavaScript files to evade detection.

Indicators of Compromise:

  • The advisory reports 150 domains used to generate the URLs involved in the campaign.
  • Links to obfuscated JavaScript files sent from compromised PEC accounts are the delivery-mechanism indicators.
  • A hash of the Stealc malware sample was retrieved and is useful for file-based detection.
  • Requests to the file hosting service temp[.]sh, although it was unavailable, point to infrastructure used by the campaign.
  • Suspicious URLs and the sender addresses of the compromised PEC accounts are the key IoCs for detection.


Read more: https://cert-agid.gov.it/news/nuova-campagna-mintsloader-diffonde-il-malware-stealc-attraverso-caselle-pec-compromesse/