OLDBAIT

Description

(FireEye) OLDBAIT is a credential harvester that installs itself in %ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe. There is a missing space in the MediaPlayer directory and the filename is missing the ‘o’ character. Both the internal strings and logic are obfuscated and are unpacked at startup. Credentials for the following applications are collected:

  • Internet Explorer
  • Mozilla Firefox
  • Eudora
  • The Bat! (an email client made by a Moldovan company)
  • Becky! (an email client made by a Japanese company)

Both email and HTTP can be used to send out the collected credentials.

Note: In some places it is mistakenly called Sasfis, which appears to be a completely different and unrelated malware family.

Names

Name
OLDBAIT
Sasfis

Category

Malware

Type

  • Credential stealer

Information

Mitre Attack

Malpedia

Other Information

Uuid

487c6c1a-4baa-4586-85fb-032677f460be

Last Card Change

2022-12-29