What is an Infostealer?

Infostealer is malicious software that collects information on a device it has infected and sends it to a threat actor. It explicitly targets login credentials saved in web browsers, browsing history, credit card and cryptocurrency wallet information, location data, device information, emails, social media platforms, and instant messaging clients – anything valuable.

When malware finds a valuable information, it saves the thing into a specifid directory on a disk. Then, at the end of the entire procedure, malware packs this directory and sends to the command server. The most valuable information threat actors seek is account details and banking card information. Also they can use this data or sell it on dark web markets. Infostealer logs are highly profitable on underground marketplaces, indeed it making them a prevalent form of malware.

Around 2020, infostealers got their minute of fame, which keeps going even today, in 2023. Such a surge defined 3 leaders of the “industry” – Racoon, Vidar, and RedLine Stealer. Also security experts have noticed that these types of malware have been utilized to steal ChatGPT accounts. This highlights how cybercriminals use stealers to gain access to individuals’ private information.

RedLine

In March 2020, RedLine appeared on the Russian market and quickly became a top seller in the logs category. This malicious software is designed to steal sensitive information from web browsers, including saved login credentials, autocomplete data, credit card information, and cryptocurrency wallets. Once it infects a system, RedLine thoroughly inventory the username, location data, hardware configuration, and installed security software. It is distributed through various means, including cracked games, applications, services, phishing campaigns, and malicious ads.

Raccoon

In 2019, the Raccoon Stealer was first introduced as a malware-as-a-service (MaaS) model and was promoted on underground forums. Later, scoundrels switched to selling their “product” in Telegram groups. In 2022, Raccoon received a new update whicwhich spruced up the detection evasion mechanismh and added new functionality. Interestingly enough that hackers community tend to dislike this infostealer and sprinkle it with dirt on forums. According to a belief, its admins steal the most “juicy” logs.

Vidar

Vidar is a classic example of a hit-and-run infostealer malware. In 2019, Vidar was first noticed during a malvertising campaign where the Fallout exploit kit was employed to disseminate Vidar and GandCrab as secondary payloads. This malicious software is sold as a standalone product on underground forums, and Telegram channels, and it includes an admin panel that allows customers to configure the malware and then keep track of the botnet.

Also this program is created using C++ and is based on the Arkei stealer. Vidar can extract browser artifacts, contents of specific cryptocurrency wallets, PayPal data, session data, and screenshots. Once done, it performs a so-called meltdown – in other words, simply removes itself from the machine.

Where can I get the infostealer?

Hackers may employ various methods to spread infostealers. Among the most prevalent techniques are different attack vectors, such as:

• Pirated software
  It is common for hacking groups to include malware with pirated software downloads. Infostealers and other types of malware have been distributed through pirated software before.

• Malvertising
  It’s common for exploit kits to target websites with malicious advertisements. If you click on one of these ads, you might unknowingly install an infostealer or be redirected to a website with malware available for download. Sometimes just viewing the malicious advertisement is enough to trigger the infostealer download.

• Compromised system
  As previously mentioned, infostealers are typically installed from a remote location once the attackers successfully access the target system. As a result a compromised system becomes an open book for hackers.

• Spam
  It is common for malicious individuals to send infostealers through email, often pretending to be a legitimate organization. The infostealer can either be attached directly to the email, or the recipient may be tricked into clicking on a harmful link, leading to the malware download. These spam emails are usually sent to large groups, but sometimes they can be customized for a specific individual or group.

How to Prevent your system from infostealers?

Here are some practices that can help lower the risk of getting infected with an infostealer:

• Install updates
  One way infostealers can be distributed is by using known browser vulnerabilities. To reduce the risk of this happening, it is vital to install updates for your operating system, browser, and other applications as soon as they become available.
• Think twice before clicking
  Be careful with opening files and clicking links to avoid infostealers. Because, they often spread through malicious email attachments and harmful websites. Don’t open unsolicited email attachments. Be cautious of emails that don’t address you by name. Check URLs before clicking them.
• Use multi-factor authentication
  Multi-factor authentication (MFA) is a valuable security feature that protects against unauthorized access to accounts, tools, systems, and data repositories. So, if someone steals your login credentials, MFA requires a secondary form of authentication, making it more difficult for a threat actor to access the compromised account. Secure password storage may be a useful add-on option as well.
• Avoid pirated software
  It is common for pirated software to contain malware, as it is a way for pirates to earn money. Therefore, it is best to use legitimate applications. Nowadays, there are numerous free, freemium, and open-source alternatives available that eliminate the need to take the risk of using pirated software.
• Have anti-malware software as a back-up. You never know what trick will hackers do next, and playing what-ifs is a bad idea. For that case, it is better to have a versatile tool on hand, which will help you with detecting and removing malicious programs. GridinSoft Anti-Malware is one you can rely on – give it a try.

The post Infostealers: How to Detect, Remove and Prevent them? appeared first on Gridinsoft Blog.

ekoia experts report that a new infostealer, Stealc, has appeared on the darknet, and is gaining popularity among criminals due to aggressive advertising and similarities to malware such as Vidar, Raccoon, Mars, and Redline.

Let me remind you that we also wrote that Djvu Ransomware Spreads via Discord, Carrying RedLine Stealer, and also that NetSupport and Raccoon Stealer malware spreads masked as Cloudflare warnings.

Also information security specialists reported that Raccoon malware steals data from 60 different applications.

For the first time, analysts noticed the advertisement of the new malware back in January, and in February it began to actively gain popularity.

On hack forums and Telegram channels, Stealc is advertised by someone under the nickname Plymouth. He says that the malware is a “non-resident stealer with flexible settings and a convenient admin panel.”

Advertisement Stealc

In addition to the usual targeting of data from browsers, extensions and cryptocurrency wallets for such malware (the malware targets 22 browsers, 75 plugins and 25 desktop wallets), Stealc can also be configured to capture certain types of files that the malware operator wants to steal.

Configuration Instructions for Browser Attacks

The advertisement notes that when developing Stealc, its authors relied on solutions already existing “on the market”, including Vidar, Raccoon, Mars and Redline.

Sekoia analysts noticed that Stealc, Vidar, Raccoon, and Mars have in common that they all load legitimate third-party DLLs (eg sqlite3.dll, nss3.dll) to steal sensitive data. The researchers also say that the organization of communication with the control server of one of the samples of the new stealer they analyzed is similar to Vidar and Raccoon.

In total, the researchers identified more than 40 Stealc C&C servers and several dozen malware samples. According to them, this indicates that the new malware has aroused considerable interest among the cybercriminal community.

Malware development

One of Stealc’s distribution methods that researchers have already discovered is YouTube videos that describe how to install the cracked software and contain links to download sites. In such programs, a stealer is built in, which starts working and communicates with the control server after the installer is launched.

Site distributing stealer

According to experts, hacker clients with access to the Stealc administration panel can generate new stealer samples, and this increases the chances of the malware leaking and making it available to a wider audience in the future.

The post Cybersecurity Experts Discovered a New Stealc Infostealer appeared first on Gridinsoft Blog.

Malware operators and other hackers are increasingly abusing Google Ads to distribute malware to users who are looking for popular software. So, you can encounter malicious ads when searching for Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird, and Brave.

Let me remind you that we also wrote that Fraudsters Are Running a Malicious Advertising Campaign through Google Search.

Specialists from Trend Micro and Guardio Labs described the problem in detail. According to them, hackers are increasingly using typesquatting, cloning the official websites of the above programs and manufacturers, and then distributing trojanized versions of software through them, which users eventually download.

Among the malware delivered in this way, there are versions of the Raccoon stealer, a custom version of the Vidar stealer, as well as the IcedID malware loader. For example, we recently wrote about one of these campaigns, in which attackers distributed miners and the RedLine infostealer using fake MSI Afterburner utility sites.

Fake and real site

However, until recently, it was not clear exactly how users get to such malicious sites. It turned out that the key is in the abuse of advertising in Google.

Trend Micro and Guardio Labs experts say that Google, of course, has protective mechanisms for such a case, but attackers have learned how to bypass them. The thing is, if Google detects that the landing page behind the ad is malicious, the campaign will be immediately blocked and the ad removed.

Therefore, attackers act cautiously: first, users who click on ads are redirected to an irrelevant but safe site, also prepared by hackers. Only from there will the victim be redirected directly to a malicious resource masquerading as the official website of some kind of software.

How redirects work

As for payloads, they are usually in ZIP or MSI formats and are downloaded from reputable file sharing and code hosting services, including GitHub, Dropbox, or CDN Discord. Due to this, the anti-virus programs running on the victim’s computer are unlikely to object to such downloads.

Guardio Labs experts say that during one campaign they observed in November of this year, attackers distributed a trojanized version of Grammarly to users, which contained the Raccoon stealer. At the same time, the malware was “bundled” with legitimate software, that is, the user received the program that he was looking for, and the malware was installed “in the appendage”, automatically.

Guardio Labs, which has named these attacks MasquerAds, attributes most of this malicious activity to the Vermux group, noting that the hackers “abuse a lot of brands and continue to evolve.” According to them, Vermux mainly attacks users in Canada and the United States, using fake sites to distribute malicious versions of AnyDesk and MSI Afterburner infected with cryptocurrency miners and the Vidar stealer.

Attack scheme

Interestingly, activity of hackers, which experts have now described in detail, recently forced the FBI to publish a warning and recommendation on the use of ad blockers (so as not to see potentially dangerous ads in search engines at all).

The post Hackers Are Misusing Google Ads to Spread Malware appeared first on Gridinsoft Blog.