Private Subscription Services Emerge, Together With Fresh Strains of Info Stealers
Cybercrime watchers continue to see strong demand for fresh strains of information-stealing malware and the personal information being harvested by such info stealers.
Information stealers exfiltrate data from an infected system – aka “bot” – and batch it into “logs” containing “browser login information including passwords, cookies, credit card details, crypto wallet data and more,” threat intelligence firm Kela said in a new report.
Phishing is the main distribution method, oftentimes through links to compromised or malicious websites. One recent campaign tied to the Lumma and Aurora stealers used “typosquatted” domains – malicious domains with names resembling legitimate ones – that pretended to offer access to OpenAI and ChatGPT, cybersecurity firm Cyble reported.
After infecting systems and collecting logs, criminals often sell the stolen data via automated bot markets such as Genesis, RussianMarket and TwoEasy, via forums such as BHF and Dark2Web, and Telegram messaging app channels. While Genesis was disrupted last month via an international police operation accompanied by more than 100 arrests worldwide, the BBC reported Friday that the darknet version of Genesis appears to remain alive and well.
One sign of the maturity of marketplaces selling account takeover services or stolen digital identities is the emergence in recent years of a service called “clouds of logs,” Kela says. This involves vendors offering subscription access to a library of the vendor’s logs, typically hosted on a private cloud-based forum or made accessible via Telegram and frequently updated.
For the past few years, the most popular info stealers designed to harvest logs have been RedLine, Vidar, RisePro – which appears to be a clone of Vidar – META, Mars and the Raccoon malware-as-a-service offering, Kela reported.
Some of the malware is sold as stand-alone software while other types are run as a service, which can include terms and conditions that give the administrator sole access to certain types of information, such as stolen cryptocurrency wallet details (see: Buying Bot-Stolen Logs: Marketplaces Make It ‘2easy’).
Rival developers regularly debut fresh offerings too. Over the past year, newcomers spotted by researchers have included Aurora, LummaC2, Offx, Titan, Typhoon and WhiteSnake.
Stealer functionality varies, but can include the ability to steal information from multiple browsers, gather details from many different types of cryptocurrency wallets and also steal two-factor authentication codes from two-factor applications and password managers. Pricing for newer options typically ranges from $120 to $300 per month, which researchers say is largely in line with what established players are charging.
Some newcomers are trying to disrupt established players by offering more discounted products.
They include TyphonStealer, which debuted in June 2022. In January, its developer announced via the XSS Russian-language forum the release of an updated version called Typhon Reborn, reported threat intelligence researchers at Cisco Talos.
Typhon retails for $59 per month or $540 for a lifetime subscription, which offers a substantial discount compared to the competition while still offering notable functionality, such as the ability to route stolen information to a user via Telegram, researchers say.
Nevertheless, Kela’s survey of credentials being sold on the popular RussianMarket in recent months found that 85% had been harvested by the well-established Raccoon or Vidar stealers.
That is despite one of Raccoon’s alleged ringleaders, Ukrainian national Mark Sokolovsky, having been arrested by Dutch police in March 2022 as part of an international operation designed to torpedo Raccoon’s infrastructure. While official Raccoon channels claimed the malware was being retired, a completely rewritten version 2 was launched last June.
An unsealed indictment against Sokolovsky, who is fighting a U.S. extradition request, details how such services operate. For $200 per month in cryptocurrency, service users could access the malware – using it to infect victims – as well as an online portal to view all data stolen from victims’ systems. Information the malware targeted included financial details, including cryptocurrency data, as well as online account usernames and passwords, screenshots of user activity and more.
Highlighting the prolific use of stealers, the FBI reported that the first version of Raccoon was used to steal over 50 million unique credentials and forms of identification, including bank account and cryptocurrency exchange details, many of which ended up for sale on log markets and via Telegram channels.