The bait: running out of iCloud space and a 50GB gift. Objective: to steal sensitive personal data and money.
A fake RFQ carries a BluStealer campaign. The compressed attachment of the "REQUEST FOR QUOTATION" email contains an exe: the malware. Stolen data is exfiltrated via the Telegram Bot API.
BluStealer is being delivered via a fake Request for Quotation that purports to come from Oman.
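Exfiltration over the Telegram Bot API leaves a distinctive trace in web-proxy logs: a request to `api.telegram.org/bot<token>/<method>`, where the token is the attacker's bot credential. The following is an added detection example, not code from the original article or from the campaign's analysts; the log format and the log lines are constructed for the example, and the bot token in them is a placeholder, not one observed in this campaign.

```python
import re
from dataclasses import dataclass

# Constructed proxy-log format for this example: "<timestamp> <process> <verb> <url> <status>".
# The token is a placeholder of the right shape (bot id, colon, 35 token characters).
FAKE_TOKEN = "1234567890:" + "AAH" + "x" * 32
SAMPLE_PROXY_LOG = f"""\
2024-03-04T09:12:01Z chrome.exe GET https://www.example.com/ 200
2024-03-04T09:12:05Z quotation.exe POST https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument 200
2024-03-04T09:12:09Z quotation.exe POST https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage 200
2024-03-04T09:13:00Z Telegram.exe GET https://web.telegram.org/ 200
"""

# Bot API URL: the token is "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>".
# The official Telegram client does not use the Bot API, so any hit from a
# workstation process is worth a look; file-upload methods are the strongest signal.
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]{35})/(\w+)")
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    process: str
    bot_id: str      # numeric part only; the secret half of the token is not copied into alerts
    method: str
    severity: str


def scan_proxy_log(text: str) -> list[Finding]:
    """Return one Finding per request to the Telegram Bot API found in the log text."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                      # malformed line: skip rather than crash the scan
        timestamp, process, _verb, url, _status = parts[:5]
        match = BOT_API_RE.search(url)
        if not match:
            continue
        token, method = match.groups()
        bot_id = token.split(":", 1)[0]
        severity = "high" if method in UPLOAD_METHODS else "medium"
        findings.append(Finding(timestamp, process, bot_id, method, severity))
    return findings


def summarize(findings: list[Finding]) -> dict[tuple[str, str], set[str]]:
    """Group findings by (process, bot id) so one chatty binary becomes one alert."""
    summary: dict[tuple[str, str], set[str]] = {}
    for f in findings:
        summary.setdefault((f.process, f.bot_id), set()).add(f.method)
    return summary


if __name__ == "__main__":
    for key, methods in summarize(scan_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(f"{key[0]} -> bot {key[1]}: {sorted(methods)}")
```

The full token is itself a credential: with it, an analyst can call the documented `getMe` method of the Bot API to learn the bot's name, and the same token recurs across samples of one campaign, so it is worth recording in the case file even though the code above deliberately keeps it out of alert text.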
BluStealer, aka DarkCloud, is an infostealer that aims to exfiltrate credentials from nearly 40 applications (including VPN clients, FTP clients, browsers and mail clients); credit card information saved in browsers; and downloaded e-mail messages and address-book contacts from some e-mail clients. It also monitors the clipboard and, each time a cryptocurrency wallet address is copied, replaces it with an address belonging to the attackers. Payments sent from infected machines therefore reach the authors of the malware campaign rather than the intended recipients.