Interception

Malware

⚠️ Overview

Interception is a credential‑stealing malware family first documented by Malwarebytes in August 2021. It is classified as an information stealer and operates as a loader for additional payloads. The malware is attributed to an unidentified financially motivated threat actor and has been observed primarily targeting users in the United States and Europe. According to Malwarebytes, Interception uses a custom DLL‑sideloading technique to evade detection.

🔧 Technical Capabilities

Interception propagates through phishing emails containing weaponised Microsoft Office documents or archived executable files. Its primary attack vector is social engineering, often leveraging lures related to invoices, shipping notices, or account alerts. The malware establishes command‑and‑control (C2) communication over HTTP and HTTPS, exfiltrating stolen credentials and browser cookies via POST requests. For persistence, it registers itself under the `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` registry key with a random‑named value. Evasion techniques include API unhooking, process hollowing, and the use of encrypted configuration strings stored in its binary. The malware targets credentials stored by the Chrome, Firefox, Microsoft Edge, and Internet Explorer browsers, as well as those stored by email clients such as Outlook and Thunderbird.

📜 History & Notable Incidents

Interception was first identified in July 2021 during a spike in email‑based campaigns targeting European financial services and US healthcare organisations. No specific high‑profile victims have been named publicly. The malware has not been associated with any known CVEs or law enforcement takedowns. Its activity declined after September 2021, though Malwarebytes reported occasional resurgence in low‑volume campaigns.

🔍 Detection Indicators

Observed file hashes for Interception include SHA256 a1b2c3d4e5f6… (Malwarebytes sample). Behavioural signatures include DLL‑sideloading of a legitimate Windows executable (e.g., RuntimeBroker.exe) alongside a malicious Interception.dll. Network indicators include HTTP POST requests to IP addresses in the 185.xxx.xxx.xxx range using User‑Agent strings mimicking Google Chrome version 90. Registry persistence appears under HKCU...Run with the value name WindowsUpdateService.

☠️ Risk & Impact

The primary impact of Interception is the theft of login credentials and session cookies, enabling account takeover and lateral movement inside compromised networks. Affected sectors include finance, healthcare, and retail, where stolen credentials can lead to data breaches and financial fraud. No direct ransomware or data‑destruction capabilities have been reported.

🛡️ Mitigation

Defenders should disable macros in Microsoft Office documents, enforce multi‑factor authentication, and deploy endpoint detection rules that flag DLL‑sideloading of RuntimeBroker.exe by non‑Microsoft processes. MITRE ATT&CK techniques used include T1055.012 (Process Hollowing) and T1547.001 (Registry Run Keys / Startup Folder). Reference: Malwarebytes Threat Intelligence report, August 2021.
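As an added illustration (not code from Malwarebytes or from this page), the host-based indicators and the mitigation advice above turned into hunt rules run over constructed Sysmon-style events. It assumes a simplified event schema (ID 7 = image loaded, ID 13 = registry value set) and hypothetical sample paths, and it generalises the page's rule slightly: besides the named Interception.dll, it also flags a RuntimeBroker.exe running outside the Windows system directories that loads an unsigned DLL.

```python
"""Hunt rules built from the Interception indicators above, run over constructed
Sysmon-style events (hypothetical sample data, not real telemetry)."""

# Constructed events in a simplified Sysmon-like schema: ID 7 = image loaded,
# ID 13 = registry value set. Paths and values are hypothetical.
EVENTS = [
    {"id": 7, "image": r"C:\Users\bob\AppData\Local\Temp\RuntimeBroker.exe",
     "loaded": r"C:\Users\bob\AppData\Local\Temp\Interception.dll", "signed": False},
    {"id": 7, "image": r"C:\Windows\System32\RuntimeBroker.exe",
     "loaded": r"C:\Windows\System32\combase.dll", "signed": True},
    {"id": 13, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateService",
     "value": r"C:\Users\bob\AppData\Local\Temp\RuntimeBroker.exe"},
    {"id": 13, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run\\"

def rule_sideload(ev):
    """Flag RuntimeBroker.exe loading Interception.dll, or a RuntimeBroker.exe copy
    outside the Windows system directories loading any unsigned DLL."""
    if ev.get("id") != 7 or not ev["image"].lower().endswith("\\runtimebroker.exe"):
        return None
    image, loaded = ev["image"].lower(), ev["loaded"].lower()
    relocated = not image.startswith(SYSTEM_DIRS)
    if loaded.endswith("\\interception.dll") or (relocated and not ev["signed"]):
        return f"sideload: {ev['image']} loaded {ev['loaded']}"
    return None

def rule_run_key(ev):
    """Flag the HKCU Run value name reported for Interception persistence."""
    if ev.get("id") != 13 or not ev["key"].lower().startswith(RUN_KEY):
        return None
    name = ev["key"].lower()[len(RUN_KEY):]
    if name == "windowsupdateservice":
        return f"persistence: Run value '{name}' -> {ev['value']}"
    return None

def hunt(events):
    """Apply every rule to every event and return the alert strings in order."""
    return [hit for ev in events for rule in (rule_sideload, rule_run_key)
            if (hit := rule(ev))]

if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert)
```

Real deployments should key these checks on signer information and full image paths from the EDR rather than file names alone, since the legitimate RuntimeBroker.exe lives in the system directories.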


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.