Sober steals your passwords

For the last 24 hours or so we’ve seen a number of new Email-Worm.Win32.Sober variants, some of which we have got an alert out for.

We went from Sober.u to Sober.z about four hours ago.

These Sobers are pretty much the same like before, for instance they still use exclusive lock and the possibility to download files.

What’s interesting is that these Sobers also drop not-a-virus:PSWTool.PassView.162 onto the system.

As the name suggests this program is a tool which is able to show certain passwords.

In this case the program can show the passwords stored by Internet Explorer and Outlook.

As nor Sober nor PSWTool.PassView.162 can send out the obtained info from PassView, it is likely that the file(s) that Sober is (possibly) going to download will have this ability.

Naturally we’re closely monitoring the situation and we will keep you updated in case something interesting comes along.

Sober steals your passwords

Your email address will not be published.



APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022.

Lazarus Trojanized DeFi app for delivering malware

We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor.

MoonBounce: the dark side of UEFI firmware

At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.

Subscribe to our weekly e-mails

The hottest research right in your inbox