On September 15, 2022, Uber employees logged on to see an unexpected message on the company’s Slack channel. It said, “Hi @here, I announce I am a hacker and Uber has suffered a data breach.”

At first, many thought it was a joke. The reality was not funny in the slightest. The intruder did not stop at Slack: Uber's domain admin, Amazon Web Services admin and G Suite accounts were reportedly among those compromised.

According to Group-IB, the hacker gained access to Uber's systems using credentials harvested by the Raccoon stealer. An info stealer is malware that collects credentials saved in browsers, gaming clients, email programs and social media apps on the machine it infects; many variants also grab payment card details, session cookies and cryptocurrency wallet files. After a successful infection, the operators either use the data themselves to take over accounts for financial gain or sell it on dark web markets.

The rising use of info stealers is alarming, to say the least. According to Group-IB, in the first seven months of 2022, multiple groups collectively infected over 890,000 user devices and stole over 50 million passwords.

The Diversification of Cyber Crime

Cyber crime is big business. Like many businesses, cyber groups seek to diversify the way they make money. While ransomware continues to be a huge threat, law enforcement efforts have made things more difficult for ransom gangs. So threat actors have pivoted to other money-making tactics.

Group-IB identified 34 Russian-speaking groups distributing info-stealing malware under a stealer-as-a-service model. The gangs mainly use the Raccoon and RedLine stealers to obtain credentials for Amazon and PayPal accounts and for gaming platforms such as Steam and Roblox. Payment records and crypto wallet data are also being stolen.

Mathew Schwartz, an executive editor of DataBreachToday, points out that many attackers work in groups that maintain ransomware; the developers then take a cut of the illicit proceeds. Actors can sign up as an affiliate or purchase information-stealing malware as a service.

The groups identified by Group-IB appear to orchestrate their attacks through Russian-language Telegram groups. Most of their targets are in the United States, Brazil, India, Germany and Indonesia.

Dividing the Spoils of Cyber Crime

One might wonder why threat gangs rent out malware-as-a-service subscriptions, some for as little as $150-200 per month, instead of cashing in directly on the stolen data.

In the case of stealer-as-a-service, Schwartz says the owners won't share their more lucrative activity. For instance, they might keep for themselves anything to do with cryptocurrency: the main operators go after people's cryptocurrency wallets and try to drain them. Afterward, they sell the less valuable activities as a service.

Actors who purchase the service don't need much technical expertise to get involved. The operator provides everything needed, and the service is easy to access and use. In 2021 and 2022, Group-IB experts identified 34 active stealer-as-a-service groups on Telegram. On average, each info stealer distribution group has around 200 active members.

Malvertisements and Social Engineering Enable Info Stealers

As with any other malware, the malicious payload has to get onto the victim's computer first. And while stolen credentials can simply be bought on the darknet, turning them into account access often takes further steps, such as getting past multifactor authentication.

Social engineering is one such tactic. In the Uber breach mentioned earlier, the hacker already held a contractor's username and password (reportedly obtained via an info stealer), but the account was protected by two-factor authentication. The intruder impersonated corporate IT and sent the worker text messages urging them to approve the login request. Once the worker approved the two-factor prompt, the attacker was in the network. Credentials alone were not enough; the human approval of the second factor was the step that opened the door.
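The Uber intrusion pattern above, a legitimate password followed by repeated push prompts until the user gives in, leaves a visible trace in authentication logs: a burst of MFA challenges for one account, several of them denied or timed out, ending in an approval. The following detection logic is an added example written for this article, not code from Uber, Group-IB or any vendor. The log format, event names and sample lines are constructed for the example; map them to your identity provider's real field names before use.

```python
"""Flag MFA push fatigue: a burst of push challenges for one user that ends in an approval.

Added example. Event names (mfa_push_sent, mfa_push_denied, mfa_push_timeout,
mfa_push_approved) and the line layout "<ISO time> <user> <event> <source_ip>"
are assumptions; the sample log below is constructed, not a real capture.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. "alice" is bombarded with four prompts in three minutes,
# rejects three of them and finally approves one. "bob" is a normal login.
SAMPLE_LOG = """\
2023-01-10T22:01:03Z alice mfa_push_sent 203.0.113.7
2023-01-10T22:01:05Z alice mfa_push_denied 203.0.113.7
2023-01-10T22:01:40Z alice mfa_push_sent 203.0.113.7
2023-01-10T22:01:44Z alice mfa_push_denied 203.0.113.7
2023-01-10T22:02:10Z alice mfa_push_sent 203.0.113.7
2023-01-10T22:02:13Z alice mfa_push_timeout 203.0.113.7
2023-01-10T22:03:00Z bob mfa_push_sent 198.51.100.9
2023-01-10T22:03:05Z bob mfa_push_approved 198.51.100.9
2023-01-10T22:03:30Z alice mfa_push_sent 203.0.113.7
2023-01-10T22:04:02Z alice mfa_push_approved 203.0.113.7
"""

REJECTIONS = {"mfa_push_denied", "mfa_push_timeout"}


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "event": event,
            "ip": ip,
        })
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), min_pushes=3):
    """Return one alert per approval that was preceded, within `window`, by at
    least `min_pushes` challenges and at least one explicit rejection or timeout.

    Requiring a prior rejection separates a user who ignored a stale prompt
    from one who was pressured into approving after saying no.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["event"] != "mfa_push_approved":
                continue
            recent = [x for x in evs[:i] if x["ts"] >= e["ts"] - window]
            pushes = [x for x in recent if x["event"] == "mfa_push_sent"]
            rejections = [x for x in recent if x["event"] in REJECTIONS]
            if len(pushes) >= min_pushes and rejections:
                alerts.append({
                    "user": user,
                    "approved_at": e["ts"].isoformat(),
                    "pushes_in_window": len(pushes),
                    "rejections_before_approval": len(rejections),
                    "source_ips": sorted({x["ip"] for x in pushes}),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, only alice is flagged (four prompts, three rejections, then an approval); bob's single prompt-and-approve is ignored. Tune `window` and `min_pushes` to your environment, and treat this as a detection of last resort: number matching or phishing-resistant factors (FIDO2) remove the "just tap approve" path that this attack depends on.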

A separate info stealer incident exploited Google Ads. In a malvertising campaign, scammers posted what appeared to be a legitimate ad for the GIMP image editor. The ad actually led visitors to a rogue webpage serving a malicious "Setup.exe" payload.

To make the download look more like a real installer, the threat actor inflated the executable: instead of its original 5 MB, the file weighed in at roughly 700 MB. This is binary padding (MITRE ATT&CK T1027.001), appending junk bytes to the binary so that its size and hash on disk change while its behavior does not. A side effect that attackers count on is that many antivirus engines and sandboxes skip or only partially scan files above a size limit, so the padded file may never be fully inspected.
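The crude form of padding described above, a huge run of a single byte value appended to a small program, is easy to spot and strip before analysis. The checker below is an added example written for this article, not code from BleepingComputer or any antivirus product. The "executable" it inspects is constructed in memory (a fake MZ header plus arithmetic filler, then a zero run) and scaled down from the article's 5 MB / 700 MB to 5 KB / 700 KB; the threshold values are assumptions.

```python
"""Detect and strip trailing single-byte padding from a file image.

Added example. The sample binary is constructed here and contains no real
code; the 50% ratio and 1 KiB minimum-run thresholds are assumed defaults.
"""

def trailing_run(data: bytes) -> tuple[int, int]:
    """Return (byte_value, run_length) for the repeated byte that ends `data`.

    A file whose last byte differs from the one before it has a run of 1.
    """
    if not data:
        return (-1, 0)
    last = data[-1]
    stripped = data.rstrip(bytes([last]))
    return (last, len(data) - len(stripped))


def padding_report(data: bytes, min_ratio: float = 0.5, min_run: int = 1024) -> dict:
    """Summarise the trailing run and decide whether it looks like deliberate padding.

    Both conditions must hold: the run must be at least `min_run` bytes (so a
    few zero bytes of alignment do not trigger) and must make up at least
    `min_ratio` of the file (so a large program with a modest zero-filled
    tail does not trigger either).
    """
    value, run = trailing_run(data)
    ratio = run / len(data) if data else 0.0
    return {
        "size": len(data),
        "pad_byte": value,
        "pad_bytes": run,
        "pad_ratio": round(ratio, 3),
        "stripped_size": len(data) - run,
        "suspicious": run >= min_run and ratio >= min_ratio,
    }


def strip_padding(data: bytes) -> bytes:
    """Return `data` without its trailing run, for hashing and scanning the real content."""
    _, run = trailing_run(data)
    return data[: len(data) - run]


def make_sample() -> bytes:
    """Constructed stand-in for a padded installer: 5 KiB 'program', 700 KiB of 0x00."""
    program = b"MZ" + bytes((i * 131 + 7) % 256 for i in range(5 * 1024 - 2))
    return program + b"\x00" * (700 * 1024)


SAMPLE = make_sample()

if __name__ == "__main__":
    report = padding_report(SAMPLE)
    print(report)
    print("stripped length:", len(strip_padding(SAMPLE)))
```

Hash and scan the stripped bytes, not the padded file: the padding is there precisely so that the on-disk hash matches nothing and the file exceeds scanner limits. The check only catches padding made of one repeated byte; random junk appended to the end will not produce a trailing run and needs a different test (for example, comparing the file size with the sizes declared in the PE section table).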

BleepingComputer obtained a copy of the malicious executable and confirmed it was an info-stealing trojan called VIDAR. It can steal information such as:

  • Crypto wallets
  • Telegram credentials from the Windows desktop client
  • File transfer client data (FileZilla, WinSCP and other FTP clients)
  • Email client data
  • Browser data (cookies, saved passwords, browsing history and stored payment details).

Previously, VIDAR had been detected in domain typosquatting campaigns with over 200 fake websites imitating 27 well-known brands.

Preventing Info-Stealing Malware Attacks

To prevent info stealers or any other malware, there are basic security measures every organization can adopt. For example, NIST recommends:

  1. Use antivirus software at all times. Set your software to automatically scan emails and flash drives.
  2. Keep your computer fully patched. Run scheduled checks to keep everything up-to-date.
  3. Block access to known malicious sites. Use security products or services that block access to known malicious and malware-distribution sites.
  4. Allow only authorized apps. Configure operating systems or use third-party software to allow only authorized applications on computers.
  5. Restrict personal-owned devices (PODs). Organizations should restrict or prohibit access to official networks from PODs.
  6. Use standard user accounts versus accounts with administrative privileges whenever possible.
  7. Avoid using personal apps and websites – like email, chat and social media – from work computers.
  8. Beware of unknown sources. Don’t open files or click on links from unknown sources unless you first run an antivirus scan. Examine all links carefully.

Even with the best preventative measures, some attacks will get through. As a result, controls such as privileged access management (PAM) are critical.

Privileged users have elevated access to critical systems, data and functions. Those entitlements should be vetted, monitored and analyzed so that your resources are protected from threats such as stolen credential abuse, which is exactly what an attacker holding a harvested admin password attempts.

Research shows as much as 40% of insider cyber attacks involved privileged users. Some of those "insiders" may in fact be intruders who obtained credentials via info stealers. In 2022, info-stealing malware evolved into one of the most dangerous cyber threats, and 2023 will likely see this kind of attack gaining even more traction.
