Info Stealers Thrive in Hot Market for Stolen DataBrowser Data, Crypto Wallets and Chat Apps Are Also Top Targets, Researchers Report
In the dubious race for popularity among cybercriminals, Redline Stealer appears to be far and away attackers' top choice for malware built to steal lucrative and sensitive data, including cryptocurrency wallet and remote access credentials.
Information-stealing malware, or info stealers, come in a variety of forms and facilitate the theft of credentials for accessing e-commerce accounts and bank accounts, stealing session cookies and saved passwords from browsers or bypassing multifactor authentication credentials, and other lucrative types of data.
"Cybercriminals can sell the stolen credentials to impersonate victims, enter their corporate networks using a VPN, commit other kinds of fraud or sell such credentials to others," Trend Micro said in a new report.
Based on information uploaded to VirusTotal, Trend Micro said the RedLine info stealer wins the race for most downloaded. Other popular info stealers include LokiBot, Mars and Aurora, as well as Vidar, Raccoon and Rhadamanthys, it said.
Each batch of information stolen from an infected system, known as a "bot," can be offered for sale as a "log" on dedicated marketplaces such as RussianMarket and TwoEasy - aka 2easy.shop - or via forums such as BHF and Dark2Web, and Telegram messaging app channels, according to threat intelligence firm Kela (see: Info-Stealing Malware Populates 'Cloud of Logs' Offerings).
On TwoEasy, which only sells data stolen using the RedLine info stealer, Trend Micro researchers found that the greatest number of logs originated from victims in India, followed by Brazil, Indonesia, Egypt and Nigeria. On RussianMarket, the largest number of logs came from Portugal, followed by Brazil, Greece, Egypt and Singapore. Researchers said it's likely criminals cross-sell the same stolen data on both markets.
Stolen Browser Data Remains Lucrative
The information most often stolen via info stealers, based on what shows up for sale, is browser data, including website credentials, especially to facilitate fraud and theft via e-commerce and banking sites. "This is not surprising, given that browser data is a treasure trove of sensitive information, including authentication cookies, stored credit cards, credentials, passwords and navigation history," the researchers wrote.
Beyond browsers based on the Chromium or Proton architectures - including Google Chrome, Firefox, Edge and Opera - the researchers found that many info stealers also target "obscure or legacy browsers."
Another top target is cryptocurrency wallet credentials, which attackers can potentially cash out directly. Also popular are chat app credentials, which researchers said attackers regularly abuse to try and socially engineer victims - for example, via the "stranded traveler" scam, as well as stolen FTP and email app credentials and VPN credentials.
Google, Live.com, Facebook, Instagram, Steam, GitHub and Spotify top the list of websites from which credentials are stolen and offered for sale, Trend Micro reported.
Some nation-state groups also use info-stealer malware, including off-the-shelf options, for cyberespionage purposes.
Marketplaces for stolen data - as well as their power users - remain top targets for law enforcement agencies. In April, in a coordinated takedown dubbed Operation Cookie Monster, international law enforcement dismantled Genesis Market, which was then the world's largest market for stolen credentials. Police reported that when it was taken down, Genesis was offering 1.5 million credentials for sale and had handled more than 80 million stolen credentials since its 2017 launch (see: Cops' Genesis Market Seizure: How the Cookie Market Crumbled).
Despite fierce competition and the ever-present threat of takedowns, info-stealer innovation continues as newcomers debut constantly and existing players refresh their offerings regularly.
VMware's Carbon Black threat research team last week reported that one of the top 10 info stealers it sees targeting corporate networks is Jupyter - also referred to as Polazert, SolarMarker/Deimos and Yellow Cockatoo. Researchers said the info stealer is being spread through a variety of common distribution tactics, including malicious websites - often disguised as a legitimate installer - as well as drive-by downloads and phishing campaigns.
First discovered in 2020, attackers have previously spread the malware using search engine optimization poisoning techniques. At the beginning of 2022, researchers at BlackBerry warned that the malware was often "being bundled with legitimate, signed software" a ploy that "makes it difficult to detect the threat before it has been deployed onto a victim system."
Crypto wallets remain one of Jupyter's top targets. The malware searches outright for data files tied to 17 different types of wallets - including Atomic, Guarda, SimplEOS and NEON - as well as for wild-card filenames based on the word "wallet," plus OpenVPN and remote desktop protocol credentials, BlackBerry reported.
Over the course of this year, a new type of info-stealing malware called BlazeStealer, which uses Python scripts, has emerged and undergone multiple revisions, reported Yehuda Gelb, a security researcher at Checkmarx.
These "seemingly legitimate Python obfuscation packages" are designed to run a Discord bot that gives attackers remote access to a system, allowing them to steal data, activate a keylogger, capture screenshots and video via the webcam, encrypt files and deactivate some types of installed security tools, he said.
Another newcomer is the Continental Stealer, an apparently Russian-built malware-as-a-service operation that debuted last month and is designed to steal a variety of sensitive data, reported Coral Tayar, a security researcher at threat intelligence firm Cyberint.
The stealer's subscription price is $120 per month, $300 for three months or $540 for a lifetime subscription, and it includes access to an online panel that enables a user to generate a malicious builder, control it remotely and view associated statistics, she said. "The Continental Stealer's user interface is designed to be user-friendly, offering a login panel and an operational dashboard displaying statistics on logs, passwords, cryptocurrency wallets and credit card information," she said. "This dashboard not only provides crucial insights but also facilitates log downloads."