Cybercriminals are increasingly using info-stealing malware to target victims

Cybercriminals are increasingly shifting from automated scam-as-a-service to more advanced info-stealing malware distributors as the competition for resources increases, and they look for new way to make profits, according to a report by Group-IB. 

The cybersecurity company has identified 34 Russian-speaking groups distributing info-stealing malware under the stealer-as-a-service model.

Info stealer malware collects users’ credentials stored in browsers, gaming accounts, email services, social media, bank card details, and crypto wallet information from infected computers, and sends the data to the malware operator. This data is then sold or used for fraud on the dark web. 

The identified threat actors coordinate via Telegram groups to conduct their operations. The low entry barrier and a fully automated process makes the scheme popular among beginners. 

“Beginners do not need to have advanced technical knowledge as the process is fully automated and the worker’s only task is to create a file with a stealer in the Telegram bot and drive traffic to it,” Ilia Rozhnov, head of Group-IB Digital Risk Protection APAC said.

Substantial malware increase in 2022

Telegram groups and bots designed to distribute info stealers first appeared in early 2021, according to Group-IB Digital Risk Protection team. However, a substantial increase was observed in the first seven months of this year, with more than 890,000 devices infected across 111 countries, compared to the 538,000 devices infected  in 2021. 

In the first seven months of this year, threat actors stole over 50 million passwords, two billion cookie files, details of 103,150 bank cards, and data from 113,204 crypto wallets. 

“The underground market value of just the stolen logs and compromised card details is around $5.8 million,” Group-IB estimates. 

Paypal and Amazon were the most targeted services, with Paypal accounting for more than 16% and Amazon for more than 13% of the attacks. 

However, cases of stealing passwords for gaming services such as Steam, EpicGames, Roblox have increased almost five-fold, the report noted.  

The top five most attacked countries are the United States, Brazil, India, Germany, and Indonesia. 

RedLine and Racoon stealer used the most

Among the 34 groups examined, the most used stealer was RedLine, which was used by 23 groups, while the second most used tool was Racoon, used by eight groups. Custom stealers were found to be used by three groups, Group-IB noted. 

The group members are provided with both the tools in exchange for a share of the stolen data, or money. 

“However, the malware in question is offered for rent on the dark web for US$150-$200 per month. Some groups use three stealers at the same time, while others have only one stealer in their arsenal,” the report said. 

On an average, the 34 identified info stealer distributor groups on Telegram have 200 active members. The task of the members of the group is to drive traffic to bait scam websites impersonating well-known companies and convince victims to download malicious files. 

“Cybercriminals embed links for downloading stealers into video reviews of popular games on YouTube, into mining software or NFT files on specialized forums and direct communication with NFT artists, and into lucky draws and lotteries on social media,” Group-IB noted. 

Safeguarding against the attacks

To prevent such attacks, Group-IB recommends that users avoid downloading software from suspicious sources, use isolated virtual machines or alternative operating systems for installation, stop saving passwords in browsers, and regularly clear browser cookies. 

It also recommends companies to have a proactive approach towards digital security and using modern technologies for monitoring and response to the attacks.