Raccoon Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Thu, 30 May 2024 16:57:13 +0000

Infostealers: How to Detect, Remove and Prevent them?
https://gridinsoft.com/blogs/infostealers-detect-remove-prevent/
Fri, 28 Jul 2023 21:59:31 +0000
The flow of information is crucial in today’s world, but it is also precious to cybercriminals. They target personal data stored on your device through infostealer malware, putting your information at risk. Experts have noted a significant rise in the spread of information-stealing malware, also known as infostealers or stealers. In Q1 2023, the number of incidents more than doubled, a concerning trend that threatens organizations worldwide.

What is an Infostealer?

Infostealer is malicious software that collects information on a device it has infected and sends it to a threat actor. It explicitly targets login credentials saved in web browsers, browsing history, credit card and cryptocurrency wallet information, location data, device information, emails, social media platforms, and instant messaging clients – anything valuable.

When the malware finds valuable information, it saves it into a specific directory on disk. At the end of the collection routine, the malware packs this directory and sends it to the command-and-control server. The most valuable information threat actors seek is account details and banking card information. They can use this data themselves or sell it on dark web markets. Infostealer logs are highly profitable on underground marketplaces, which is what makes stealers such a prevalent form of malware.

Stealer    Number of available logs
Raccoon    2,114,549
Vidar      1,816,800
RedLine    1,415,458
Total      5,350,640
Number of infostealer logs available for sale on the darknet at the end of February 2023.

Around 2020, infostealers got their minute of fame, which keeps going even today, in 2023. This surge defined three leaders of the “industry”: Raccoon, Vidar, and RedLine Stealer. Security experts have also noticed that these types of malware have been used to steal ChatGPT accounts. This highlights how cybercriminals use stealers to gain access to individuals’ private information.

RedLine

In March 2020, RedLine appeared on the Russian market and quickly became a top seller in the logs category. This malicious software is designed to steal sensitive information from web browsers, including saved login credentials, autocomplete data, credit card information, and cryptocurrency wallets. Once it infects a system, RedLine thoroughly inventories the username, location data, hardware configuration, and installed security software. It is distributed through various means, including cracked games, applications, services, phishing campaigns, and malicious ads.

(Image: RedLine Telegram channel showing prices and deals)

Raccoon

In 2019, the Raccoon Stealer was first introduced under a malware-as-a-service (MaaS) model and was promoted on underground forums. Later, its operators switched to selling their “product” in Telegram groups. In 2022, Raccoon received a new update which spruced up its detection evasion mechanisms and added new functionality. Interestingly, the hacker community tends to dislike this infostealer and badmouths it on forums: according to a widespread belief, its admins steal the most “juicy” logs for themselves.

(Image: Raccoon Stealer Telegram channel)

Vidar

Vidar is a classic example of hit-and-run infostealer malware. It was first noticed in 2019 during a malvertising campaign in which the Fallout exploit kit was used to deliver Vidar and GandCrab as secondary payloads. This malicious software is sold as a standalone product on underground forums and Telegram channels, and it includes an admin panel that allows customers to configure the malware and then keep track of the botnet.

(Image: Vidar infostealer admin panel)

The program is written in C++ and is based on the Arkei stealer. Vidar can extract browser artifacts, the contents of specific cryptocurrency wallets, PayPal data, session data, and screenshots. Once done, it performs a so-called meltdown; in other words, it simply removes itself from the machine.

How do infostealers get onto your system?

Hackers employ various methods to spread infostealers. The most prevalent attack vectors are:

  • Pirated software
    It is common for hacking groups to include malware with pirated software downloads. Infostealers and other types of malware have been distributed through pirated software before.

  • Malvertising
    It’s common for exploit kits to target websites with malicious advertisements. If you click on one of these ads, you might unknowingly install an infostealer or be redirected to a website with malware available for download. Sometimes just viewing the malicious advertisement is enough to trigger the infostealer download.

  • Compromised system
    Infostealers are often installed remotely once attackers have already gained access to the target system. As a result, a compromised system becomes an open book for hackers.

  • Spam
    It is common for malicious individuals to send infostealers through email, often pretending to be a legitimate organization. The infostealer can either be attached directly to the email, or the recipient may be tricked into clicking on a harmful link, leading to the malware download. These spam emails are usually sent to large groups, but sometimes they can be customized for a specific individual or group.

How to protect your system from infostealers

Here are some practices that can help lower the risk of getting infected with an infostealer:

  • Install updates
    One way infostealers can be distributed is by using known browser vulnerabilities. To reduce the risk of this happening, it is vital to install updates for your operating system, browser, and other applications as soon as they become available.
  • Think twice before clicking
    Be careful when opening files and clicking links, because infostealers often spread through malicious email attachments and harmful websites. Don’t open unsolicited email attachments. Be cautious of emails that don’t address you by name. Check URLs before clicking them.
  • Use multi-factor authentication
    Multi-factor authentication (MFA) is a valuable security feature that protects against unauthorized access to accounts, tools, systems, and data repositories. So, if someone steals your login credentials, MFA requires a secondary form of authentication, making it more difficult for a threat actor to access the compromised account. Secure password storage may be a useful add-on option as well.
  • Avoid pirated software
    It is common for pirated software to contain malware, as it is a way for pirates to earn money. Therefore, it is best to use legitimate applications. Nowadays, there are numerous free, freemium, and open-source alternatives available that eliminate the need to take the risk of using pirated software.
  • Have anti-malware software as a back-up
    You never know what trick hackers will pull next, and playing what-ifs is a bad idea. For that case, it is better to have a versatile tool on hand which will help you detect and remove malicious programs. GridinSoft Anti-Malware is one you can rely on – give it a try.

The post Infostealers: How to Detect, Remove and Prevent them? appeared first on Gridinsoft Blog.


Cybersecurity Experts Discovered a New Stealc Infostealer
https://gridinsoft.com/blogs/new-infostealer-stealc/
Wed, 22 Feb 2023 09:22:49 +0000

Sekoia experts report that a new infostealer, Stealc, has appeared on the darknet and is gaining popularity among criminals due to aggressive advertising and its similarities to malware such as Vidar, Raccoon, Mars, and Redline.

Let me remind you that we also wrote that Djvu Ransomware Spreads via Discord, Carrying RedLine Stealer, and also that NetSupport and Raccoon Stealer malware spreads masked as Cloudflare warnings.

Information security specialists also reported that Raccoon malware steals data from 60 different applications.

For the first time, analysts noticed the advertisement of the new malware back in January, and in February it began to actively gain popularity.

On hacking forums and Telegram channels, Stealc is advertised by someone under the nickname Plymouth. He describes the malware as a “non-resident stealer with flexible settings and a convenient admin panel.”

(Image: Stealc advertisement)

In addition to the browser, extension and cryptocurrency wallet data that such malware usually targets (Stealc targets 22 browsers, 75 plugins and 25 desktop wallets), Stealc can also be configured to grab specific types of files that the operator wants to steal.

(Image: configuration instructions for browser attacks)

The advertisement notes that when developing Stealc, its authors relied on solutions already existing “on the market”, including Vidar, Raccoon, Mars and Redline.

Sekoia analysts noticed that Stealc, Vidar, Raccoon, and Mars all load legitimate third-party DLLs (e.g. sqlite3.dll, nss3.dll) to extract sensitive data. The researchers also say that the way one of the new stealer samples they analyzed communicates with its control server resembles Vidar and Raccoon.

In total, the researchers identified more than 40 Stealc C&C servers and several dozen malware samples. According to them, this indicates that the new malware has aroused considerable interest among the cybercriminal community.

(Image: malware development)

One of Stealc’s distribution methods that researchers have already discovered is YouTube videos that describe how to install cracked software and contain links to download sites. The stealer is embedded in these programs; it starts working and contacts the control server once the installer is launched.

(Image: site distributing the stealer)

According to experts, customers with access to the Stealc administration panel can generate new stealer samples, which increases the chances of the malware leaking and becoming available to a wider audience in the future.

The post Cybersecurity Experts Discovered a New Stealc Infostealer appeared first on Gridinsoft Blog.


Hackers Are Misusing Google Ads to Spread Malware
https://gridinsoft.com/blogs/hackers-abuse-google-ads/
Fri, 30 Dec 2022 09:51:16 +0000

Malware operators and other hackers are increasingly abusing Google Ads to distribute malware to users who are looking for popular software. So, you can encounter malicious ads when searching for Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird, and Brave.

Let me remind you that we also wrote that Fraudsters Are Running a Malicious Advertising Campaign through Google Search.

Specialists from Trend Micro and Guardio Labs described the problem in detail. According to them, hackers are increasingly using typosquatting, cloning the official websites of the above programs and their vendors, and then distributing trojanized versions of the software through them, which users eventually download.

Among the malware delivered in this way, there are versions of the Raccoon stealer, a custom version of the Vidar stealer, as well as the IcedID malware loader. For example, we recently wrote about one of these campaigns, in which attackers distributed miners and the RedLine infostealer using fake MSI Afterburner utility sites.

(Image: fake and real site)

However, until recently it was not clear exactly how users ended up on such malicious sites. It turned out that the key is the abuse of Google advertising.

Trend Micro and Guardio Labs experts say that Google does, of course, have protective mechanisms for such a case, but attackers have learned how to bypass them. If Google detects that the landing page behind an ad is malicious, the campaign is immediately blocked and the ad removed.

Therefore, attackers act cautiously: first, users who click on ads are redirected to an irrelevant but safe site, also prepared by hackers. Only from there will the victim be redirected directly to a malicious resource masquerading as the official website of some kind of software.

(Image: how the redirects work)

As for the payloads, they are usually ZIP or MSI files downloaded from reputable file-sharing and code-hosting services, including GitHub, Dropbox, or Discord’s CDN. Because of this, the anti-virus programs running on the victim’s computer are unlikely to object to such downloads.

Guardio Labs experts say that during one campaign they observed in November of this year, attackers distributed a trojanized version of Grammarly that contained the Raccoon stealer. The malware was “bundled” with the legitimate software: the user received the program they were looking for, and the malware was installed alongside it, automatically.

Guardio Labs, which has named these attacks MasquerAds, attributes most of this malicious activity to the Vermux group, noting that the hackers “abuse a lot of brands and continue to evolve.” According to them, Vermux mainly attacks users in Canada and the United States, using fake sites to distribute malicious versions of AnyDesk and MSI Afterburner infected with cryptocurrency miners and the Vidar stealer.

(Image: attack scheme)

Interestingly, the hacker activity that experts have now described in detail recently prompted the FBI to publish a warning recommending the use of ad blockers (so as not to see potentially dangerous ads in search engines at all).

The post Hackers Are Misusing Google Ads to Spread Malware appeared first on Gridinsoft Blog.
