Tag Archive for: stealer

Threat Spotlight: Stealer Logs & Corporate Access


Executive Overview

Over the last three years, infostealer malware variants have become a “popular trend” in the cybercriminal Malware-as-a-Service (MaaS) ecosystem. Doing precisely as their category implies, these malware variants steal information from users’ devices. After infecting the device, the malware employs various techniques to remain undetected while sending data to the malicious actors’ command and control infrastructure. 

To understand the threat infostealer malware poses, we examined more than 19.6 million stealer logs to identify trends like:

  • Number of infections containing corporate credentials
  • Average price of infostealers with banking access
  • Prominent consumer applications appearing in the logs

Read our full report, Stealer Logs & Corporate Access, or continue reading for the highlights. 

The Details

Analyzing more than 19.6 million stealer logs showed trends that indicate malicious actors value access to corporate resources and financial services accounts. Based on the findings, malicious actors appear to use infostealer malware so that they don’t have to purchase a consumer application subscription or so they can steal money by compromising a bank account. 

At a high level, the research found the following about stealer logs:

  • 376,107 (1.91%): access to corporate SaaS applications
  • 48,173: access to a resource that includes a single sign-on credential, representing almost certain access to corporate resources
  • 200,000 (1%): access to leading AI provider credentials

(Note: these are from users of the applications being compromised with infostealer malware. We have no reason to believe that these organizations themselves have suffered a security incident or breach.)

Meanwhile, looking at infostealer logs through the eyes of the consumer, the data shows:

  • 46.9% had access to Gmail credentials
  • $112: average cost of financial services-related logs compared to $15 across all log sales

We collected data from four primary sources:

  • Public Telegram “logs” channels: “free samples” of primarily consumer application access logs used to advertise the paid Telegram rooms
  • Private Telegram channels: invitation-only, paid channels with higher-value logs

Source…

How the ZeuS Trojan Info Stealer Changed Cybersecurity


Information stealer malware is a type of malicious software designed to collect sensitive information from a victim’s computer. Also known as info stealers, data stealers or data-stealing malware, this software is true to its name: after infecting a computer or device, it’s highly adept at exfiltrating login credentials, financial information and personal data.

Info stealers typically operate by monitoring keyboard input, capturing screenshots and intercepting network traffic. They may also search a hard drive for specific types of data. The stolen information is then exfiltrated to the attacker’s command-and-control (C2) server for further exploitation.

Information stealer malware has flourished on underground criminal networks. With extortion currently thriving, info stealer malware is also on the rise. Plus, info stealer services for financial fraud attacks are available on the dark web for as little as $200 per month. 

Though this type of malware has been around in some form for over two decades, the ZeuS trojan was by far one of the most influential info stealers in that timeframe. Let’s take a look at the history of info stealers, and how this type of threat impacted cybersecurity then and now.

What Was the First Info Stealer?

One of the earliest known examples of a successful information stealer attack was the Melissa virus in 1999. One of the first highly successful email worms, Melissa spread rapidly through the use of infected Microsoft Word macros. The worm arrived in the form of an email with an attached document named “list.doc.” 

When the recipient opened the attachment, the worm infected the victim’s computer and continued to spread. It replicated itself by sending infected emails to the first 50 contacts in the victim’s Microsoft Outlook address book. Experts categorize Melissa as an info stealer because, in addition to its worm-like behavior, it also accessed the victim’s email address book and harvested email addresses. 

Harvesting information from the infected computer is a hallmark of info stealer malware. However, it’s worth noting that Melissa was primarily a self-replicating worm. The information-stealing capability was a secondary…

Source…

BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads


Mar 11, 2023 | Ravie Lakshmanan | Cyber Threat Intelligence


The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif.

According to cybersecurity company eSentire, malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAI’s ChatGPT, Spotify, Tableau, and Zoom.

BATLOADER, as the name suggests, is a loader that’s responsible for distributing next-stage malware such as information stealers, banking malware, Cobalt Strike, and even ransomware.

One of the key traits of the BATLOADER operations is the use of software impersonation tactics for malware delivery.

This is achieved by setting up lookalike websites that host Windows installer files masquerading as legitimate apps to trigger the infection sequence when a user searching for the software clicks a rogue ad on the Google search results page.


These MSI installer files, when launched, execute Python scripts that contain the BATLOADER payload to retrieve the next-stage malware from a remote server.

This modus operandi marks a slight shift from the previous attack chains observed in December 2022, when the MSI installer packages were used to run PowerShell scripts to download the stealer malware.


Other BATLOADER samples analyzed by eSentire have also revealed added capabilities that allow the malware to establish entrenched access to enterprise networks.

“BATLOADER continues to see changes and improvement since it first emerged in 2022,” eSentire said.

“BATLOADER targets various popular applications for impersonation. This is no accident, as these applications are commonly found in business networks and thus, they would yield more valuable footholds for monetization via fraud or hands-on-keyboard intrusions.”


Source…


“RisePro” Stealer and Pay-Per-Install Malware “PrivateLoader”


Key takeaways

  • “RisePro” is a stealer malware that began appearing as a stealer source for log credentials on the illicit log shop Russian Market on December 13, 2022. 
  • RisePro’s presence on Russian Market may indicate its growing popularity within the threat actor community. 
  • Samples that Flashpoint analysts identified indicate that RisePro may have been dropped or downloaded by the pay-per-install malware downloader service “PrivateLoader” in the past year. 
  • The appearance of the stealer as a payload for a pay-per-install service may indicate a threat actor’s confidence in the stealer’s abilities.
  • RisePro appears to be a clone of the stealer malware “Vidar.”

RisePro logs on Russian Market

“RisePro” is a newly identified stealer written in C++ that appears to possess similar functionality to the stealer malware “Vidar.” RisePro targets potentially sensitive information on infected machines and attempts to exfiltrate it in the form of logs. 

Flashpoint first identified RisePro on December 13, 2022 after analysts identified several sets of logs uploaded to the illicit underground market Russian Market, which listed their source as “risepro.”

Russian Market is a log shop similar to other log markets, such as Genesis, in which threat actors can upload and sell logs collected from stealers. At the time of writing, Russian Market has featured over 2,000 logs allegedly sourced from RisePro.

RisePro stealer logs appear on Russian Market. The earliest recorded upload of logs using RisePro occurred on December 12, 2022. (Source: Flashpoint)

We have identified malicious samples that appear to be related to RisePro based on identifying strings in the samples. During investigations of open source intelligence, such as open source sandbox analyses from other security researchers, our analysts identified several samples of RisePro that were dropped or downloaded by the pay-per-install malware downloader service “PrivateLoader.” 

PrivateLoader allows threat actors to buy the ability to have it download malicious payloads onto infected systems. Pay-per-install services are not a novel business model for threat actors operating botnets. Flashpoint analysts…

Source…