March 1, 2023 By Jonathan Reed 4 min read

On September 15, 2022, Uber employees logged on to see an unexpected message on the company’s Slack channel. It said, “Hi @here, I announce I am a hacker and Uber has suffered a data breach.”

At first, many thought it was a joke. But the reality was not funny in the slightest. The intruder didn’t only infiltrate Slack: Uber’s domain admin, Amazon Web Services admin and GSuite were reportedly among the company’s compromised accounts.

As per Group-IB, the hacker gained access to Uber’s systems using credentials compromised with the Raccoon stealer. An info stealer is a type of malware that harvests credentials stored in browsers, gaming clients, email services and social media apps on an infected machine. Info stealers can also collect bank card details and crypto wallet information from the computers they infect. After a successful attack, actors can use the data to access accounts for financial gain, or they can sell the information on the dark web.

The rising use of info stealers is alarming, to say the least. According to Group-IB, in the first seven months of 2022, multiple groups collectively infected over 890,000 user devices and stole over 50 million passwords.

The diversification of cyber crime

Cyber crime is big business. Like many businesses, cyber groups seek to diversify the way they make money. While ransomware continues to be a huge threat, law enforcement efforts have made life harder for ransomware gangs. So threat actors have pivoted to other money-making tactics.

Group-IB identified 34 Russian-speaking groups responsible for info-stealing malware offered under a stealer-as-a-service model. The cyber gangs mainly use the Raccoon and RedLine stealers to obtain credentials for accounts on Amazon and PayPal and for gaming accounts such as Steam and Roblox. Payment records and crypto wallet information are also being stolen by info-stealer malware.

Mathew Schwartz, an executive editor of DataBreachToday, points out that many attackers work within groups that develop and maintain the malware, with those developers taking a cut of the illicit proceeds. Other actors sign up as affiliates or simply purchase an information-stealing Malware-as-a-Service subscription.

The groups identified by Group-IB appear to orchestrate their attacks through Russian-language Telegram groups. Most of their targets are in the United States, Brazil, India, Germany and Indonesia.

Dividing the spoils of cyber crime

One might wonder why threat gangs offer Malware-as-a-Service subscriptions, some renting for as little as $150-200 per month, instead of cashing in directly on the stolen data themselves.

In the case of stealer-as-a-service, Schwartz says owners won’t share their more lucrative activity. For instance, they might keep for themselves anything to do with cryptocurrency. The main operators will go after people’s cryptocurrency wallets to try to drain them. Afterward, they can sell the less valuable activities as a service.

Actors who purchase the service need little technical expertise to get involved. The operator supplies everything needed, and the service is easy to access and use. In 2021 and 2022, Group-IB experts identified 34 active stealer-as-a-service groups on Telegram, each with around 200 active members on average.

Malvertisements and social engineering enable info stealers

As with any other malware, the malicious payload has to reach the victim’s computer first. And even once stolen credentials are in hand, whether harvested directly or bought on the darknet, getting into a protected account often requires further steps.

Social engineering is one such tactic. In the Uber breach mentioned earlier, the hacker impersonated a corporate IT employee and sent text messages to convince an Uber worker to approve a two-factor login prompt. Since the hacker already held the worker’s credentials (previously obtained by an info stealer), that single approval satisfied the two-factor check and opened the door to the network.

A separate info stealer incident exploited Google Ads. In a malvertising campaign, scammers posted what appeared to be a legitimate ad for GIMP, the open-source image editor. The ad actually led visitors to a rogue webpage serving a malicious “Setup.exe” payload.

To make the executable look more believable, the threat actor artificially inflated it: instead of its original 5 MB, the file appeared to be 700 MB. The technique is called binary padding. It appends junk data to the malware binary, changing its on-disk size and hash without altering how it runs. Besides making the download look like a genuine installer, an oversized file can also slip past scanners and sandboxes that skip files above a size limit.
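The padding trick leaves a measurable trace: the PE section table only accounts for the bytes the loader needs, so junk appended after the last section shows up as an oversized, low-entropy “overlay”. The script below is an added example for triaging that, not code from the article, from Vidar or from the threat actor. It parses the section table, measures the overlay and flags files where the overlay dominates and looks like filler. The PE it builds for the demo is a constructed, non-executable skeleton; the thresholds (overlay above 50% of the file, entropy below 1 bit per byte) are illustrative assumptions.

```python
"""Spot binary padding in a PE by measuring the overlay past the last section."""
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_end_of_sections(blob: bytes) -> int:
    """File offset just past the last byte the PE section table accounts for."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", blob, coff + 16)[0]
    sect_table = coff + 20 + size_of_optional    # first IMAGE_SECTION_HEADER
    end = sect_table + num_sections * 40         # at minimum, the headers themselves
    for i in range(num_sections):
        hdr = sect_table + i * 40
        size_raw, ptr_raw = struct.unpack_from("<II", blob, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def overlay_report(blob: bytes, ratio_threshold: float = 0.5,
                   entropy_threshold: float = 1.0) -> dict:
    """Flag a file whose overlay dominates it and is low-entropy junk (assumed thresholds)."""
    end = pe_end_of_sections(blob)
    overlay = blob[end:]
    ratio = len(overlay) / len(blob)
    entropy = shannon_entropy(overlay)
    return {
        "file_size": len(blob),
        "overlay_size": len(overlay),
        "overlay_ratio": round(ratio, 3),
        "overlay_entropy": round(entropy, 3),
        "likely_padded": ratio > ratio_threshold and entropy < entropy_threshold,
    }


def build_demo_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed PE32 skeleton with one section; demo input only, not runnable code."""
    e_lfanew = 0x40
    size_of_optional = 0xE0                      # size of a PE32 optional header
    raw_ptr = 0x200                              # section data at file alignment 512
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_of_optional, 0x0102)
    optional = bytes(size_of_optional)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + optional + section
    return headers + bytes(raw_ptr - len(headers)) + section_data + overlay


if __name__ == "__main__":
    code = bytes(range(256)) * 4                 # 1 KiB of high-entropy "code"
    clean = build_demo_pe(code)
    padded = build_demo_pe(code, overlay=bytes(10_000))   # zero-filled junk appended
    print(overlay_report(clean))
    print(overlay_report(padded))
```

Treat the flag as a triage signal, not a verdict: legitimate installers (self-extracting archives, NSIS and similar) also carry large overlays, though those are usually high-entropy compressed data, and padding inserted inside a section rather than after it will not show up here. If an actor pads with random bytes instead of zeros, the entropy test goes quiet but the size ratio still stands out.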

BleepingComputer obtained a copy of the malicious executable and confirmed it was an info-stealing trojan called VIDAR. It can steal information such as:

  • Crypto wallets
  • Telegram credentials from the Windows desktop client
  • File transfer app data (FileZilla, WinSCP or FTP clients)
  • Email client data
  • Browser information (cookies, passwords, browser history or payment info).

Previously, VIDAR had been detected in domain typosquatting campaigns with over 200 fake websites imitating 27 well-known brands.

Preventing info-stealing malware attacks

To prevent info stealers or any other malware, there are basic security measures every organization can adopt. For example, NIST recommends:

  1. Use antivirus software at all times. Set your software to automatically scan emails and flash drives.
  2. Keep your computer fully patched. Run scheduled checks to keep everything up-to-date.
  3. Block access to ransomware sites. Use security products or services that block access to known malicious sites.
  4. Allow only authorized apps. Configure operating systems or use third-party software to allow only authorized applications on computers.
  5. Restrict personal-owned devices (PODs). Organizations should restrict or prohibit access to official networks from PODs.
  6. Use standard user accounts versus accounts with administrative privileges whenever possible.
  7. Avoid using personal apps and websites – like email, chat and social media – from work computers.
  8. Beware of unknown sources. Don’t open files or click on links from unknown sources unless you first run an antivirus scan. Examine all links carefully.

Even with the best preventative measures, some attacks will get through. As a result, controls such as privileged access management (PAM) are critical.

In normal circumstances, privileged users have elevated access to critical systems, data and functions. But their advanced entitlements should be vetted, monitored and analyzed to protect your resources from threats, such as stolen credential abuse.

Research shows as much as 40% of insider cyber attacks involved privileged users. Some of these could easily be intruders who gained access to credentials via info stealers. In 2022, info-stealing malware evolved into one of the most dangerous cyber threats. And 2023 will likely see this kind of attack gaining even more traction.
