As we delve deeper into the cybercriminal landscape, infostealer malware remains a pervasive threat, continuing to evolve and adapt to net attackers a wealth of sensitive data. These malicious tools, deftly infiltrating systems, swipe everything from login credentials to credit card details, fueling a thriving black market on the dark web.
Infostealer malware’s delivery channels are diverse, spanning from deceptive email attachments to compromised software downloads. Once established within a system, these cunning cyber agents stealthily evade detection while siphoning off the desired information. They often deploy sophisticated strategies, like keylogging or network sniffing, to meticulously capture and relay the stolen data to the infiltrators.
In IBM’s 2022 Data Breach Report, stolen credentials emerged as a leading cause of data breaches. With the average global cost of a data breach incident pinned at USD 4.35 million, the financial implications of these incidents are evident.
The past year saw the emergence of fresh infostealer variants from established families like RedLine, Amadey, Raccoon v2, and Vidar. But the landscape also welcomed some newcomers, bringing their unique functionalities to the table. Let’s dive into a roundup of the new infostealer entrants and their distinctive capabilities.
The Aurora Phenomenon
In the infostealer panorama, Aurora Stealer made its first appearance in April 2022 as a botnet, before being promoted as an infostealer by August. Crafted in Go programming language, it was marketed and available as Malware-as-a-Service (MaaS) across Russian dark web forums.
Aurora sets itself apart with extended functionality, offering remote access and botnet capabilities. SEKOIA, a cybersecurity firm, revealed in their report that at least seven active threat actor groups incorporated Aurora Stealer into their operations. On SEKOIA’s GitHub page, you’ll find Indicators of Compromise (IOCs) and YARA rules for Aurora.
DUCKTAIL: A Well-Feathered Campaign
July 2022 marked the discovery of a new operation called DUCKTAIL, targeting businesses and individuals using Facebook’s Business/Ads platform. This campaign, uncovered by the Finnish cybersecurity firm WithSecure, featured an infostealer malware constructed in .NET Core.
Evidence suggests that this campaign has been operational since 2018 and points to a Vietnamese origin for the threat actor. The malware meticulously scans the infected system for the main browsers: Microsoft Edge, Google Chrome, Mozilla Firefox, and Brave. Upon detection, it pilfers all stored cookies, with a particular focus on Facebook Session cookies, aiming to breach Facebook Business accounts and steal relevant data.
Lilithbot’s Eternity Connection
October 2022 witnessed the emergence of a new infostealer malware, Lilithbot, analyzed in detail in a blog post by Zscaler’s ThreatLabz. They linked its origin to the cybercriminal group ‘Eternity,’ associated with a Russian threat actor collective known as the ‘Jester Group.’
Lilithbot is disseminated through a Telegram channel owned by the Eternity group. It operates as a MaaS solution, receiving constant updates to enhance its stealth and anti-VM capabilities. Lilithbot extends its infostealing skills to include crypto mining and clipping, underlining its adaptability.
ZingoStealer: A Russian Blend
Making its first appearance in March 2022, ZingoStealer, also known as Ginzo, was distributed by a Russian group named “Haskers Gang”. This Windows-specific infostealer launched for free via its Telegram channel, also promoted through a YouTube video demonstrating its capabilities.
In addition to the free version, a $3 paid upgrade offered enhanced AV evasion capabilities. It mainly targets login credentials and can deploy malicious payloads, even installing crypto miner malware in certain instances. However, the Blackberry analysis team uncovered a hidden twist: the threat actor behind the “free” malware could access all stolen data before their clients, effectively stealing from their own customers.
The Emergence of RisePro
RisePro, a new infostealer coded in C++, was discovered around mid-December 2022 by Flashpoint and Sekoia. Code similarities with Vidar, another popular stealer malware, have been noted. RisePro pilfers credit card information, login credentials, passwords, and cryptocurrency wallets from infected devices.
The perpetrators are already trading stolen data, termed RisePro logs, on Russian dark web marketplaces. Presently, RisePro can be purchased on Telegram, where potential users can connect directly with the malware developer.
Mars Stealer: The Martian Influx
Mars Stealer grew in popularity following the collapse of Raccoon Stealer v1. Based on the defunct Oski Stealer, Mars Stealer made its debut in mid-2021, and by 2022, had initiated large-scale campaigns for wider infections.
According to Morphisec researchers, the most common infection vector is spam emails carrying malicious executables or download links. Threat actors have even exploited Google Ads in their phishing campaigns for broader outreach.
The Arrival of the Titan
Towards the end of 2022, Titan Stealer emerged. Crafted in Go, it’s marketed and sold through a Russian Telegram channel. The malware boasts capabilities to extract sensitive credential data from crypto wallets and browsers, system screen snapshots, and machine information.
It also steals cookies and credentials from FTP clients. BushidoToken, a security researcher, discovered previously unknown infostealers, including Titan Stealer, through a Shodan Dork. With data breaches often resulting from stolen login credentials, staying updated on the latest infostealer threats is crucial for enhancing your company’s security posture.
ThirdEye: A Threat in Development
Researchers at Fortinet, recently uncovered a fresh infostealer in June 2023. Despite not being branded as particularly advanced, ThirdEye holds the potential to inflict notable damage. The malware generally arrives through PDF and Excel files camouflaged as authentic documents.
The unsuspecting user who opens one of these deceptive files inadvertently sets the stage for ThirdEye’s installation on their system, which consequently initiates data harvesting. The Fortinet research team surmises that ThirdEye is a work in progress, predicting an inevitable increase in its sophistication.
In conclusion, the ever-evolving landscape of infostealer malware continues to pose a significant threat to cybersecurity. These insidious tools exploit a variety of delivery channels, from deceptive email attachments to compromised software downloads, and employ sophisticated tactics to stealthily exfiltrate sensitive data. Stolen credentials, a primary outcome of infostealer attacks, have been a leading cause of data breaches, underscoring the financial repercussions of these incidents.
Recent additions to the infostealer family, such as Aurora Stealer, DUCKTAIL, Lilithbot, ZingoStealer, RisePro, Mars Stealer, Titan Stealer, and ThirdEye, each bring their distinctive capabilities and modus operandi to the forefront.
As the infostealer landscape evolves, staying informed about these emerging threats remains paramount for bolstering organizational cybersecurity.
