Cybercriminals are increasingly shifting from automated scam-as-a-service schemes to distributing more advanced info-stealer malware, as competition for resources increases and they look for new ways to generate revenue, according to a Group-IB report.
The cybersecurity company has identified 34 Russian-speaking groups distributing information-stealing malware under the stealer-as-a-service model.
Info-stealer malware collects credentials stored in browsers for gaming accounts, email services and social media, along with bank card details and crypto wallet information, from infected computers and sends the data to the malware operator. This data is then sold on the dark web or used for scams.
The identified threat actors coordinate via Telegram groups to carry out their operations. The low barrier to entry and a fully automated process make the scheme popular with beginners.
“Beginners don’t need advanced technical knowledge as the process is fully automated and the worker’s only task is to create a file with a stealer in the Telegram bot and route traffic to it,” Group-IB noted.
Significant malware increase in 2022
According to the Group-IB Digital Risk Protection team, Telegram groups and bots used to spread information-stealing malware first emerged in early 2021. However, a significant spike was observed in the first seven months of this year, with more than 890,000 infected devices across 111 countries. That’s nearly double the number of infected devices in 2021, when 538,000 devices were compromised.
In the first seven months of this year, threat actors stole over 50 million passwords, 2 billion cookie files, 103,150 bank card details and 113,204 sets of crypto wallet data.
“The underground market value of the stolen logs and compromised card details alone is approximately $5.8 million,” estimates Group-IB.
PayPal and Amazon were the most affected services, with PayPal accounting for more than 16% and Amazon for more than 13% of the attacks.
However, cases of password theft for gaming services like Steam, EpicGames, and Roblox have increased nearly fivefold, the report said.
The top 5 most attacked countries are the United States, Brazil, India, Germany and Indonesia.
RedLine and Raccoon Stealer were the most commonly used
Among the 34 groups studied, RedLine was the most used stealer, deployed by 23 groups, while the second most used tool was Raccoon, deployed by eight groups. Custom stealers were found to have been used by three groups, Group-IB noted.
Both tools are made available to group members in exchange for a share of the stolen data or money.
“However, the malware in question is available for rent on the Dark Web for $150 to $200 per month. Some groups use 3 stealers at a time, while others only have one stealer in their arsenal,” the report reads.
On average, the 34 identified info-stealer distribution groups on Telegram have 200 active members. The members’ task is to drive traffic to fraudulent websites posing as well-known companies and convince victims to download malicious files.
“Cyber criminals embed stealer download links in video reviews of popular games on YouTube, mining software or NFT files on specialized forums, and in direct communication with NFT artists, as well as in sweepstakes and lotteries on social media,” Group-IB noted.
Defense against the attacks
To prevent such attacks, Group-IB recommends that users avoid downloading software from suspicious sources, use isolated virtual machines or alternative operating systems for installation, stop saving passwords in their browsers, and regularly clear browser cookies.
It also recommends that organizations take a proactive approach to digital security and use modern technologies to monitor for and respond to attacks.
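Two of the user-side recommendations above (no saved browser passwords, cookies cleared regularly) can be enforced centrally rather than left to each user. The script below is an added example, not code from the article or from Group-IB: it writes managed-policy files for Chrome and Firefox that disable the built-in password manager and wipe cookies on every browser exit, so a stealer that copies a profile later finds neither stored logins nor live session cookies. The Linux policy paths (/etc/opt/chrome/policies/managed and /etc/firefox/policies) are assumed defaults; the install root is a parameter so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the Group-IB report or the article): deploy managed
# browser policies implementing two of the recommendations above:
#   - stop saving passwords in the browser
#   - clear cookies every time the browser closes
# The system-wide policy directories below are assumed Linux defaults.

write_browser_policies() {
    root="${1:-/}"
    chrome_dir="$root/etc/opt/chrome/policies/managed"
    firefox_dir="$root/etc/firefox/policies"
    mkdir -p "$chrome_dir" "$firefox_dir"

    # Chrome: PasswordManagerEnabled=false disables the built-in password store;
    # ClearBrowsingDataOnExitList removes cookies and site data at shutdown.
    cat > "$chrome_dir/infostealer_hardening.json" <<'EOF'
{
  "PasswordManagerEnabled": false,
  "ClearBrowsingDataOnExitList": ["cookies_and_other_site_data"]
}
EOF

    # Firefox: OfferToSaveLogins=false stops the save-password prompt;
    # SanitizeOnShutdown with Cookies=true clears cookies when Firefox exits.
    cat > "$firefox_dir/policies.json" <<'EOF'
{
  "policies": {
    "OfferToSaveLogins": false,
    "SanitizeOnShutdown": { "Cookies": true }
  }
}
EOF
}

# Returns 0 only when both policy files exist and carry the hardened values,
# so an endpoint baseline check can call it directly.
check_browser_policies() {
    root="${1:-/}"
    chrome_file="$root/etc/opt/chrome/policies/managed/infostealer_hardening.json"
    firefox_file="$root/etc/firefox/policies/policies.json"
    grep -q '"PasswordManagerEnabled": false' "$chrome_file" &&
    grep -q 'cookies_and_other_site_data' "$chrome_file" &&
    grep -q '"OfferToSaveLogins": false' "$firefox_file" &&
    grep -q '"Cookies": true' "$firefox_file"
}

# Usage: sudo sh harden_browsers.sh --apply   (writes the real policy files)
if [ "${1:-}" = "--apply" ]; then
    write_browser_policies /
    check_browser_policies / && echo "browser policies applied"
fi
```

The policies are applied the next time the browser starts; users can verify them at chrome://policy and about:policies. Existing saved passwords are not deleted by these settings, so a rollout should be paired with clearing the stored logins once and moving users to a dedicated password manager.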
Copyright © 2022 IDG Communications, Inc.