MrAnon Stealer Spreads Via Email With Fake Hotel Booking PDF
Fortinet News, Thursday, December 7, 2023
FortiGuard Labs recently identified an email phishing campaign using deceptive booking information to entice victims into clicking on a malicious PDF file.
The PDF downloads a .NET executable file created with PowerGUI and then runs a PowerShell script to fetch the final malware, known as MrAnon Stealer. This malware is a Python-based information stealer compressed with cx-Freeze to evade detection. MrAnon Stealer steals its victims' credentials, system information, browser sessions, and cryptocurrency extensions. Figure 1 illustrates the attack flow.