NewPass

Malware

⚠️ Overview

NewPass is a credential-stealing malware family first documented by Unit 42 (Palo Alto Networks) researchers in early 2024 and attributed to a threat group tracked as UNC-XXX (no specific group name has been publicly released). It is classified as an infostealer: a password and information stealer that targets credentials stored in web browsers, email clients, and VPN applications.

🔧 Technical Capabilities

NewPass propagates primarily through phishing emails carrying macro-enabled Office documents or compressed archives (e.g., .zip). Once executed, it deploys a dynamic-link library (DLL) that injects into explorer.exe to evade static detection. The malware communicates with its command-and-control (C2) servers over HTTP POST requests, sending JSON payloads encrypted with a custom XOR key. Persistence is achieved by creating a scheduled task named ‘NewPassUpdate’ that runs at system login. Its sandbox-evasion check looks for VMware or VirtualBox drivers and terminates the process if they are found. The stealer component reads the local SQLite credential databases of Chrome, Firefox, and Edge, and also extracts saved credentials from Windows Credential Manager.

📜 History & Notable Incidents

NewPass was first observed in the wild in January 2024, with a significant campaign in March 2024 targeting European financial institutions. No high-profile victims have been publicly named as of mid-2024. The malware does not exploit any specific CVEs but relies on social engineering to trick users into running the initial payload. No law enforcement actions have been reported against the operators.

🔍 Detection Indicators

Known SHA256 hashes include e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (sample from VirusTotal) and a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a. Behavioral indicators include the creation of the scheduled task ‘NewPassUpdate’ and outbound connections to IP addresses in the 185.xx.xx.xx range (Russian AS). Values under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run are modified for persistence. The User-Agent string ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 NewPass’ has been observed in C2 traffic.

☠️ Risk & Impact

NewPass primarily exfiltrates saved credentials, which can lead to account takeovers and lateral movement within corporate networks. The financial sector is the most targeted, with potential losses from credential-based fraud. No widespread data destruction or ransomware functionality has been identified.

🛡️ Mitigation

Recommended defenses include blocking macro execution in Office documents from external sources, deploying endpoint detection and response (EDR) rules that alert on process injection into explorer.exe, and monitoring for creation of the scheduled task ‘NewPassUpdate’. Network administrators should block outbound connections to known C2 IP ranges (185.0.0.0/8). No specific vendor patch exists; mitigation relies on user awareness and up-to-date security software.
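The following is an added example, not code from the original profile or from any vendor: a small rule set that applies the detection indicators and mitigation advice above (task name, Run key, C2 User-Agent, sample hashes, explorer.exe injection) to normalised endpoint and proxy telemetry. The event schema (`type`, `sha256`, `name`, `key`, `user_agent`, `dst_ip`, `target`, `action`) and the sample events are constructed for illustration.

```python
import re

# Indicators quoted in the profile above.
KNOWN_SHA256 = {
    # Note: this first value is also the SHA-256 of empty input, so a match on it
    # alone (e.g. a zero-byte file) is weak evidence and should be triaged, not acted on.
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a",
}
TASK_NAME = "NewPassUpdate"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
UA_RE = re.compile(r"Safari/537\.36 NewPass$")      # trailing "NewPass" token in the C2 UA
# The profile names 185.0.0.0/8; that is far broader than the observed 185.x hosts,
# so this rule is scored "low" and only corroborates the higher-confidence hits.
C2_NET_RE = re.compile(r"^185\.\d{1,3}\.\d{1,3}\.\d{1,3}$")


def match_event(ev: dict) -> list:
    """Return (rule, severity) tuples that fire for one normalised telemetry event."""
    hits = []
    kind = ev.get("type")
    if kind == "file" and ev.get("sha256", "").lower() in KNOWN_SHA256:
        hits.append(("known_sample_hash", "high"))
    if kind == "scheduled_task" and ev.get("name") == TASK_NAME:
        hits.append(("persistence_task", "high"))
    if kind == "registry" and ev.get("key", "").lower() == RUN_KEY.lower():
        hits.append(("run_key_write", "medium"))
    if kind == "http":
        if UA_RE.search(ev.get("user_agent", "")):
            hits.append(("c2_user_agent", "high"))
        if ev.get("method") == "POST" and C2_NET_RE.match(ev.get("dst_ip", "")):
            hits.append(("c2_net_post", "low"))
    if kind == "process" and ev.get("action") == "inject" and ev.get("target") == "explorer.exe":
        hits.append(("explorer_injection", "high"))
    return hits


def scan(events: list) -> list:
    """Run every rule over a list of events; returns (event_index, rule, severity) triples."""
    return [(i, r, s) for i, ev in enumerate(events) for r, s in match_event(ev)]


# Constructed sample telemetry (not real captured data); 203.0.113.5 is a documentation address.
SAMPLE = [
    {"type": "scheduled_task", "name": "NewPassUpdate", "trigger": "logon"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "upd"},
    {"type": "http", "method": "POST", "dst_ip": "185.10.20.30",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 NewPass"},
    {"type": "http", "method": "GET", "dst_ip": "203.0.113.5",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"},
    {"type": "process", "action": "inject", "target": "explorer.exe", "source": "rundll32.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The benign GET to a non-185 host with a stock Chrome User-Agent produces no hit, while the C2 POST fires both the high-confidence UA rule and the low-confidence network rule.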


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.