On September 15, 2022, Uber employees logged on to see an unexpected message on the company’s Slack channel. It said, “Hi @here, I announce I am a hacker and Uber has suffered a data breach.”
At first, many thought it was a joke. But the reality was not funny in the slightest. The intruder didn’t only infiltrate Slack: Uber’s domain admin, Amazon Web Services admin and GSuite were reportedly among the company’s compromised accounts.
According to Group-IB, the hacker gained access to Uber’s systems using credentials compromised by the Raccoon stealer. An info stealer is a type of malware that harvests credentials stored in browsers, gaming accounts, email services and social media. Info stealers can also collect bank card details and crypto wallet information from infected computers. After a successful attack, actors can use the data to access accounts for financial gain, or they can sell the information on the dark web.
The rising use of info stealers is alarming, to say the least. According to Group-IB, in the first seven months of 2022, multiple groups collectively infected over 890,000 user devices and stole over 50 million passwords.
The diversification of cyber crime
Cyber crime is big business. Like many businesses, cyber groups seek to diversify the way they make money. While ransomware continues to be a huge threat, law enforcement efforts have made things more difficult for ransom gangs. So threat actors have pivoted to other money-making tactics.
Group-IB identified 34 Russian-speaking groups responsible for info-stealing malware offered under a stealer-as-a-service model. The cyber gangs mainly use the Raccoon and RedLine stealers to obtain credentials for Amazon and PayPal accounts and for gaming platforms such as Steam and Roblox. Payment records and crypto wallet information are also being stolen by info-stealer malware.
Mathew Schwartz, an executive editor of DataBreachToday, points out that many attackers work with groups that develop and maintain the malware, and those developers then take a cut of the illegitimate proceeds. Actors can sign up as an affiliate or purchase an information-stealing Malware-as-a-Service subscription.
The groups identified by Group-IB appear to orchestrate their attacks through Russian-language Telegram groups. Most of their targets are in the United States, Brazil, India, Germany and Indonesia.
Dividing the spoils of cyber crime
One might wonder why threat gangs offer Malware-as-a-Service subscriptions instead of cashing in directly on stolen data, especially since some services are rented for as little as $150-200 per month.
In the case of stealer-as-a-service, Schwartz says owners won’t share their more lucrative activity. For instance, they might keep for themselves anything to do with cryptocurrency. The main operators will go after people’s cryptocurrency wallets to try to drain them. Afterward, they can sell the less valuable activities as a service.
Actors who purchase the service don’t need much technical expertise to get involved. The operator provides everything needed, and the service is easy to access and use. In 2021 and 2022, Group-IB experts identified 34 active stealer-as-a-service groups on Telegram. On average, each info stealer distribution group has around 200 active members.
Malvertisements and social engineering enable info stealers
As with any other malware, the malicious payload has to get onto the victim’s computer first. And while stolen credentials can be bought on the darknet, turning them into account access requires further steps.
Social engineering is one such tactic. In the Uber breach mentioned earlier, the hacker impersonated a corporate IT person. The intruder then sent text messages to convince an Uber worker to approve their two-factor login prompt. Since the hacker already had the worker’s credentials (previously obtained by an info stealer), that approved two-factor prompt was all that stood between them and the network.
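The pattern described above (a burst of denied or ignored push prompts followed by an approval) is visible in MFA provider logs. The following is an added example, not code from the article or from any MFA vendor: it scans constructed sample log lines and flags a user who approves a push after several failed pushes inside a short window. The log format, the field names and the thresholds are assumptions chosen for this illustration.

```python
"""Flag MFA push-fatigue patterns in authentication logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines, not real telemetry. One push event per line.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z user=alice result=denied src=203.0.113.7
2022-09-15T22:01:41Z user=alice result=denied src=203.0.113.7
2022-09-15T22:02:20Z user=alice result=timeout src=203.0.113.7
2022-09-15T22:03:05Z user=alice result=denied src=203.0.113.7
2022-09-15T22:05:10Z user=alice result=approved src=203.0.113.7
2022-09-15T22:06:00Z user=bob result=approved src=198.51.100.4
2022-09-15T22:07:00Z user=carol result=denied src=198.51.100.9
2022-09-15T22:30:00Z user=carol result=approved src=198.51.100.9
"""


def parse_line(line):
    """Split '<timestamp> key=value ...' into (timestamp, user, result, src)."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["user"], fields["result"], fields.get("src", "")


def detect_push_fatigue(log_text, min_failures=3, window=timedelta(minutes=10)):
    """Return alerts as (user, failed_push_count, approval_time, src) tuples.

    An alert fires when a user approves a push while at least `min_failures`
    denied or timed-out pushes for that user fall inside `window` before it.
    Thresholds are assumptions for this example; tune them to your tenant.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent failed pushes
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src = parse_line(line)
        failures = recent[user]
        # Forget failures that have aged out of the window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if result in ("denied", "timeout"):
            failures.append(ts)
        elif result == "approved":
            if len(failures) >= min_failures:
                alerts.append((user, len(failures), ts, src))
            failures.clear()  # an approval ends the current burst either way
    return alerts


if __name__ == "__main__":
    for user, count, ts, src in detect_push_fatigue(SAMPLE_LOG):
        print(f"ALERT: {user} approved a push at {ts:%H:%M:%S} after "
              f"{count} failed pushes (source {src})")
```

On the constructed sample, only alice trips the rule: four failed pushes in under five minutes and then an approval. carol's single denial is 23 minutes old by the time she approves, so it has aged out of the window. A real deployment would also compare the approving device's location with the source of the failed pushes.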
A separate info stealer incident exploited Google Ads. In a malvertising campaign, scammers posted what appeared to be a legitimate ad for a GIMP utility. However, the fake ad actually lured visitors to a rogue webpage with an infected “Setup.exe” payload.
To make the executable look more believable, the threat actor artificially inflated the malware. Instead of its original 5 MB size, it appeared to be 700 MB. To achieve this, the actors applied a technique called binary padding, which appends junk data to the malware binary to change its on-disk representation.
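Padding of this kind usually lands after the last section of the PE file, in what analysts call the overlay, so a defender can measure it without running the sample. The following is an added example, not code from the article, BleepingComputer or any vendor: it reads just enough of the PE header to compute where the last section’s raw data ends, treats everything past that point as overlay, and reports how uniform that overlay is. The verdict thresholds and the minimal PE layout built by `build_sample_pe` are assumptions for this illustration (legitimate installers also carry overlays, so a large overlay alone is a reason to look closer, not a conviction).

```python
"""Measure the overlay of a PE file to spot binary padding (added example)."""
import struct
import sys
from collections import Counter


def analyze_pe(data: bytes) -> dict:
    """Return file size, end of the last section, overlay size and a verdict."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                      # COFF file header starts after "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + size_opt        # section table follows the optional header
    end_of_image = sect_table + 40 * num_sections
    for i in range(num_sections):
        off = sect_table + 40 * i
        # Section header: SizeOfRawData at +16, PointerToRawData at +20.
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        end_of_image = max(end_of_image, ptr_raw + size_raw)

    overlay = data[end_of_image:]
    if overlay:
        # Share of the overlay taken by its single most common byte value;
        # zero- or single-byte filler scores 1.0, real data scores far lower.
        filler = Counter(overlay).most_common(1)[0][1] / len(overlay)
    else:
        filler = 0.0

    # Assumed thresholds: overlay bigger than the real image and >=90% filler.
    if not overlay:
        verdict = "clean"
    elif len(overlay) > end_of_image and filler >= 0.9:
        verdict = "padded"
    else:
        verdict = "overlay"
    return {
        "file_size": len(data),
        "end_of_image": end_of_image,
        "overlay_size": len(overlay),
        "filler_fraction": filler,
        "verdict": verdict,
    }


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Construct a minimal, non-executable PE layout for testing (constructed data)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> PE signature at 64
    opt_size = 224                                        # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    section = struct.pack("<8sIIIIIIHHI", b".text", 512, 0x1000, 512, 512,
                          0, 0, 0, 0, 0x60000020)         # raw data at 512, 512 bytes long
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + section).ljust(512, b"\0")
    body = bytes(range(256)) * 2                          # 512 bytes of section content
    return header + body + overlay


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample_pe(b"\0" * 200_000)
    for key, value in analyze_pe(blob).items():
        print(f"{key}: {value}")
```

Run it with a file path to inspect a real binary, or with no arguments to analyze the constructed sample with 200 KB of zero padding. The check is cheap enough to run over an entire quarantine directory; a file whose overlay dwarfs its actual image and consists almost entirely of one byte value deserves a second look, whatever its size says on disk.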
BleepingComputer obtained a copy of the malicious executable and confirmed it was an info-stealing trojan called VIDAR. It can steal information such as:
- Crypto wallets
- Telegram account credentials from the Windows desktop client
- File transfer app data (FileZilla, WinSCP or FTP)
- Info related to emails
- Browser information (cookies, passwords, browser history or payment info).
Previously, VIDAR had been detected in domain typosquatting campaigns with over 200 fake websites imitating 27 well-known brands.
Preventing info-stealing malware attacks
To prevent info stealer or any other malware, there are basic security measures every organization can adopt. For example, NIST recommends:
- Use antivirus software at all times. Set your software to automatically scan emails and flash drives.
- Keep your computer fully patched. Run scheduled checks to keep everything up-to-date.
- Block access to ransomware sites. Use security products or services that block access to known malicious sites.
- Allow only authorized apps. Configure operating systems or use third-party software to allow only authorized applications on computers.
- Restrict personal-owned devices (PODs). Organizations should restrict or prohibit access to official networks from PODs.
- Use standard user accounts versus accounts with administrative privileges whenever possible.
- Avoid using personal apps and websites – like email, chat and social media – from work computers.
- Beware of unknown sources. Don’t open files or click on links from unknown sources unless you first run an antivirus scan. Examine all links carefully.
Even with the best preventative measures, some attacks might break through. As a result, methods such as privileged access management (PAM) are critical.
In normal circumstances, privileged users have elevated access to critical systems, data and functions. But their advanced entitlements should be vetted, monitored and analyzed to protect your resources from threats, such as stolen credential abuse.
Research shows as much as 40% of insider cyber attacks involved privileged users. Some of these could easily be intruders who gained access to credentials via info stealers. In 2022, info-stealing malware evolved into one of the most dangerous cyber threats. And 2023 will likely see this kind of attack gaining even more traction.