Cyber criminals are increasingly using info-stealing malware to target victims

Cyber criminals are increasingly shifting from automated scam-as-a-service to more advanced info stealer malware distributors as the competition for resources increases, and they look for new way to make profits, according to a report by Group-IB.

The cyber security company has identified 34 Russian-speaking groups distributing info-stealing malware under the stealer-as-a-service model.

Info stealer malware collects users’ credentials stored in browsers, gaming accounts, email services, social media, bank card details, and crypto wallet information from infected computers, and sends the data to the malware operator. This data is then sold or used for fraud on the dark web.

The identified threat actors coordinate via Telegram groups to conduct their operations. The low entry barrier and a fully automated process makes the scheme popular among beginners.

“Beginners do not need to have advanced technical knowledge as the process is fully automated and the worker’s only task is to create a file with a stealer in the Telegram bot and drive traffic to it,” Group-IB noted.

Substantial malware increase in 2022

Telegram groups and bots designed to distribute info stealers first appeared in early 2021, according to Group-IB Digital Risk Protection team. However, a substantial increase was observed in the first seven months of this year, with more than 890,000 devices infected across 111 countries. This is almost twice the number of infected devices in 2021, when 538,000 devices were compromised.

In the first seven months of this year, threat actors stole over 50 million passwords, two billion cookie files, details of 103,150 bank cards, and data from 113,204 crypto wallets.

“The underground market value of just the stolen logs and compromised card details is around $5.8 million,” Group-IB estimates.

Paypal and Amazon were the most targeted services, with Paypal accounting for more than 16 per cent and Amazon for more than 13 per cent of the attacks.

However, cases of stealing passwords for gaming services such as Steam, EpicGames, Roblox have increased almost five-fold, the report noted. The top five most attacked countries are United States, Brazil, India, Germany, and Indonesia.

RedLine and Racoon stealer used the most

Among the 34 groups examined, the most used stealer was RedLine, which was used by 23 groups, while the second most used tool was Racoon, used by eight groups. Custom stealers were found to be used by three groups, Group-IB noted.

The group members are provided with both the tools in exchange for a share of the stolen data, or money.

“However, the malware in question is offered for rent on the dark web for $150-$200 per month. Some groups use three stealers at the same time, while others have only one stealer in their arsenal,” the report said.

On an average, the 34 identified info stealer distributor groups on Telegram have 200 active members. The task of the members of the group is to drive traffic to bait scam websites impersonating well-known companies and convince victims to download malicious files.

“Cyber criminals embed links for downloading stealers into video reviews of popular games on YouTube, into mining software or NFT files on specialised forums and direct communication with NFT artists, and into lucky draws and lotteries on social media,” Group-IB noted.

Safeguarding against the attacks

To prevent such attacks, Group-IB recommends that users avoid downloading software from suspicious sources, use isolated virtual machines or alternative operating systems for installation, stop saving passwords in browsers, and regularly clear browser cookies.

It also recommends companies to have a proactive approach towards digital security and using modern technologies for monitoring and response to the attacks.