Attackers are particularly drawn to user credentials for VPN services, which are collected by infostealers such as RedLine, Phoenix, Jester Stealer and Saintstealer. The Phoenix stealer, for instance, can collect data from browsers, VPN tools, Discord, file system locations, and crypto wallets, and then send it to a remote server. Curiously, this malware was disguised as another, equally illegal type of software: what users initially downloaded was a program for conducting DDoS attacks.
Raccoon Malware Aims to Steal Credentials of People Who Use Popular Apps
RedLine, another widely used piece of malware, aims to steal browser credentials, VPN passwords, payment card and crypto wallet data, cookies, and other information. User data is often sold later on dark web forums: for example, more than half of the credentials up for sale on one such platform were obtained by the sellers using RedLine. What's more, the price for access to one account starts at five dollars, but the subsequent damage to the target organization can run into the millions of dollars if the compromised account is an employee's credential for remote connection to the corporate network.
Earlier, we predicted a rise in the number of attacks on online banking users. Most of the infostealers being spread are banking trojans, and their share of all malware used in attacks on individuals is 35%. We advise you to be careful when installing new apps and take time to read the reviews: malware can be lurking inside even seemingly harmless programs. For example, the FluBot banking trojan was distributed as Flash Player, but once on the victim device and armed with the necessary permissions, it could steal online banking credentials and intercept text messages and one-time passwords. Another banking trojan, TeaBot, has appeared repeatedly on Google Play since December 2021 under the guise of QR code readers, weather apps, and data-cleaning tools, infecting more than 140,000 devices. Some malware, such as SharkBot, can even pass itself off as antivirus software.
Some of AZORult's features target consumer users such as gamers and cryptocurrency owners by stealing credentials for popular gaming applications and scanning compromised systems for cryptocurrency wallet credentials. AZORult campaigns lure victims with trojanized commercial software and malvertising, which indicates AZORult is designed to target individuals rather than organizations. AZORult campaigns in 2020 leveraged COVID-19 pandemic updates as lures to infect victims.
While more organizations worldwide are implementing multi-factor authentication (MFA) at an increasing rate to protect against the theft of user credentials, this protection is proving insufficient. In 2022, ACTI saw cyber threat actors successfully combine stolen credentials and social engineering to carry out high-profile breaches; the success of those breaches only further increased the demand for infostealers on the dark web. In addition, the volume of victim data included in logs for sale on underground marketplaces rose between June and October of 2022. The popularity spike in infostealers also drove underground actors to advertise on the dark web a variety of new infostealer malware variants.
In log advertisements, Russian Market vendors name the malware they used to obtain the credentials for sale. So far in 2022, RedLine, Raccoon Stealer, Vidar, Taurus, and AZORult are the five infostealers actors have used to obtain the logs sold on Russian Market (see Figure 1). Between July and October 2022, RedLine remained the dominant infostealer; however, its share decreased from 56% of the total market to 48% in October 2022. Use of the popular Raccoon Stealer, on the other hand, increased from 11% to 22% between July and October 2022, coinciding with the release of Raccoon Stealer v2 on June 30, 2022.
Cybercriminals have figured out how to leverage this for their own ill-gotten gains. Intel 471 has observed several different ways cybercriminals have used these messaging apps to spread their own malware. Primarily in conjunction with information stealers, cybercriminals have found ways to use these platforms to host, distribute, and execute various functions that ultimately allow them to steal credentials or other information from unsuspecting users.
Automation in popular messaging platforms lowers the bar-of-entry for malicious actors. While information stealers alone do not cause the same amount of damage as malware like a data wiper or ransomware, they can be the first step in launching a targeted attack against an enterprise.
Raccoon is an information-stealing malware variant made available to subscribers through a Malware-as-a-Service (MaaS) arrangement. It targets Windows users, seeking out and stealing their stored credentials.
Aside from sniffing out stored credentials, Raccoon will also probe for the existence of wallet files used by popular crypto apps. Any wallet files found will be copied and included as part of the final upload.
Raccoon Stealer was highly popular among online fraudsters for three main reasons: its wide stealing capabilities, its customizability, and its ease of use. It was mainly circulated through fake installers or as cracked versions of popular software on users' computers. According to security analysts at Sekoia, the operations of Raccoon Stealer were shut down back in March 2022. Now, however, security analysts warn that Raccoon Stealer 2.0 is back. It is being promoted on hacking forums, with the first samples captured by malware analysts earlier this month. According to the malware authors, as cited in the report, this upgraded version of Raccoon was built from scratch in C and C++ and features a new back end, a new front end, and new code for stealing credentials and other data.
The Raccoon stealer was one of the ten most-mentioned malware families in the underground economy in 2019 and is widely known to have infected hundreds of thousands of devices around the world, despite not being overly sophisticated or innovative. This strain of malware first emerged as recently as 2019 and has already established a strong following among cybercriminals. Its popularity, even with a limited feature set, signals the continuation of a growing trend: the commoditization of malware as families adopt a MaaS (Malware-as-a-Service) model and evolve from there.
Keyloggers are also used as infostealers. This kind of malware records every keystroke made by the user of an infected device in the hope of capturing sensitive data or even eavesdropping on private conversations. For example, a keylogger could record the credentials you enter to log into an account, or even your credit card information when you shop online.
There's a wide range of data that cybercriminals aim to access through the use of infostealers. Most notably, payment card details and login credentials are highly valuable. A criminal could either directly use this data to their advantage or sell it on a dark web marketplace to other malicious actors. Huge profits can be made through the sale of valuable data on illicit platforms, so it's no surprise that such sites have become popular among cybercriminals.
Even among people who take the right security measures to avoid infostealers, thousands are still hit by this kind of malware every year. In fact, specific kinds of infostealers have become very popular among malicious actors.
Take Raccoon V1, for example. This well-known infostealer arose in 2019 and quickly became a popular choice for cybercriminals. It is written in C and C++, and can be leased to users for a fee of $75 per week or $200 per month. This strain of malware can be used to steal login credentials, browser cookies, and sensitive cryptocurrency wallet data. On top of this, Raccoon V1 can track a victim's geographical location and access their IP address.
RedLine Stealer, on the other hand, was first noticed in 2020 and continues to target well-known browsers like Chrome and Opera. This strain of malware is capable of stealing login credentials and highly sensitive crypto wallet data. Like Raccoon and Mars Stealer, RedLine Stealer and BlackGuard are sold as malware-as-a-service offerings, charging users for access to the programs. Such malicious software can often be purchased or subscribed to using cryptocurrencies, as this allows buyers to stay anonymous.
Keylogging is another popular technique used by cryware. Like other information-stealing malware that uses this technique, keylogging cryware typically runs in the background of an affected device and logs the keystrokes entered by the user. It then sends the data it collects to an attacker-controlled C2 server.
RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
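The stealers described above (Raccoon copying wallet files, RedLine harvesting saved browser credentials, autocomplete data and card details) share one host-side signature: a single process that is neither the browser nor the wallet application reads the browser's credential stores and the wallet files in quick succession. The following detection script is an added example written for this page, not code from any of the vendor reports quoted here. It assumes simplified file-access events (process image, pid, path) of the kind an EDR or a Windows object-access audit on those directories would produce; the event records, the path patterns and the list of expected reader processes are constructed assumptions, not an exhaustive inventory of what the real stealers touch.

```python
"""Flag processes that read browser credential stores or wallet files
without being the browser or wallet that owns them.

Added example, not from any report quoted on this page. The event format is a
constructed stand-in for EDR / object-access audit telemetry.
"""
import re
from pathlib import PureWindowsPath

# Artifacts infostealers harvest, as case-insensitive regexes over the full
# path. ASSUMPTION: typical Windows profile layout; not an exhaustive list.
SENSITIVE_PATHS = [
    (r"\\google\\chrome\\user data\\.*\\(login data|web data|cookies)$", "chrome-credential-store"),
    # Local State holds the DPAPI-wrapped AES key that protects the stores above.
    (r"\\google\\chrome\\user data\\local state$", "chrome-local-state"),
    (r"\\mozilla\\firefox\\profiles\\.*\\(logins\.json|key4\.db|cookies\.sqlite)$", "firefox-credential-store"),
    (r"\\opera software\\opera stable\\(login data|cookies)$", "opera-credential-store"),
    (r"\\(exodus|electrum|atomic)\\.*", "crypto-wallet"),
    (r"\\wallet\.dat$", "crypto-wallet"),
]

# Processes that legitimately read each artifact class (assumed names).
EXPECTED_READERS = {
    "chrome-credential-store": {"chrome.exe"},
    "chrome-local-state": {"chrome.exe"},
    "firefox-credential-store": {"firefox.exe"},
    "opera-credential-store": {"opera.exe"},
    "crypto-wallet": {"exodus.exe", "electrum.exe", "atomic wallet.exe"},
}

# Constructed sample telemetry: chrome reading its own store (benign), a
# "setup.exe" dropped in Temp sweeping credential stores and wallets, and
# explorer reading an unrelated file.
SAMPLE_EVENTS = [
    {"pid": 1208, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4412, "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"pid": 4412, "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4412, "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"pid": 4412, "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"pid": 4412, "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"},
    {"pid": 880, "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Documents\notes.txt"},
]


def classify_path(path):
    """Return the artifact class for a path, or None if it is not sensitive."""
    lowered = path.lower()
    for pattern, label in SENSITIVE_PATHS:
        if re.search(pattern, lowered):
            return label
    return None


def detect(events):
    """One alert per event where an unexpected process reads a sensitive artifact."""
    alerts = []
    for ev in events:
        label = classify_path(ev["path"])
        if label is None:
            continue
        image = PureWindowsPath(ev["image"]).name.lower()
        if image in EXPECTED_READERS[label]:
            continue
        alerts.append({"pid": ev["pid"], "image": image, "label": label, "path": ev["path"]})
    return alerts


def score(alerts):
    """Map pid -> number of distinct artifact classes it touched. A stealer
    typically hits several (browser store + key file + wallet) in one run."""
    by_pid = {}
    for a in alerts:
        by_pid.setdefault(a["pid"], set()).add(a["label"])
    return {pid: len(labels) for pid, labels in by_pid.items()}


def suspicious_pids(events, threshold=2):
    """Pids whose distinct-class count reaches the threshold, sorted."""
    return sorted(pid for pid, n in score(detect(events)).items() if n >= threshold)


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"pid={a['pid']} {a['image']} read {a['label']}: {a['path']}")
    print("suspicious:", suspicious_pids(SAMPLE_EVENTS))
```

The threshold on distinct artifact classes is what separates a stealer sweep from a one-off (a backup agent copying a profile directory would trip one class, not three); tune the process allow-list to the browsers and wallets actually deployed, since any unlisted legitimate reader produces false positives.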
A recent scoop by Reuters revealed that mobile apps for the U.S. Army and the Centers for Disease Control and Prevention (CDC) were integrating software that sends visitor data to a Russian company called Pushwoosh, which claims to be based in the United States. But that story omitted an important historical detail about Pushwoosh: In 2013, one of its developers admitted to authoring the Pincer Trojan, malware designed to surreptitiously intercept and forward text messages from Android mobile devices.