Russian hackers use Infostealer malware to steal 50 million passwords from 111 countries

Group-IB discovered nearly three dozen groups of Russian hackers distributing Infostealer malware under the stealer-as-a-service model. An infostealer is a variant of malware that collects login credentials, payment card numbers, and crypto wallet credentials stored in browsers and sends them to attacker-controlled servers.

According to the researchers, the threat groups infected 890,000 user devices with infostealers and obtained 50 million passwords within the first seven months of 2022. This figure represents an 80% increase over the previous period.

In addition, threat actors also exfiltrated 2,117,626,523 cookie files (+74%), 113,204 crypto wallets (+216%), and 103,150 credit cards (+81%).

Russian hackers use Raccoon and Redline Infostealer malware to steal stored credentials

Group-IB’s Digital Risk Protection Team found that 34 groups of Russian hackers deployed Raccoon and Redline Infostealer malware to collect Steam, Roblox, Amazon and PayPal passwords as well as crypto wallet and credit card information. PayPal and Amazon are the hardest hit, with 16% and 13% of stolen data coming from the two internet giants, respectively.

In addition, the report found that Russian hackers coordinated their hacking activities in Russian-language Telegram groups with an average of 200 active members, mostly low-level actors previously involved with Classiscam.

Although Russian is used as the language of communication, they target victims in 111 countries, mostly in the United States, Brazil, India, Germany and Indonesia.

The most popular infostealer malware used by Russian hackers

Group-IB researchers ranked Redline as the most popular malware, with 23 out of 34 groups using the variant. Raccoon infostealer malware was a distant second, used by only eight groups, while custom infostealers had only three dedicated groups.

However, group admins provide both Redline and Raccoon infostealers to their employees and demand a share of the stolen data or profits. Some groups use up to three Infostealer malware variants, while others only have one.

Cybercrime operatives can borrow malware from the dark web for as little as $150-$200 a month.

A low barrier to entry encouraged the proliferation of Infostealer malware

Group-IB researchers explained that the influx of thousands of cybercriminals into Classiscam forced threat actors to find new ways to monetize cybercrime, which led to the proliferation of Infostealer malware. Additionally, the team blamed the low barrier to entry for the increase in use of Infostealer malware.

“Beginners don’t need advanced technical knowledge as the process is fully automated and the worker’s only task is to create a file with a stealer in the Telegram bot and direct traffic to it,” they wrote. “However, for victims whose computers are infected by a stealer, the consequences can be catastrophic.”

Russian hackers have built hierarchies after graduating from Classiscam, and that structure is reflected in their tooling. For example, the coordination process is highly automated, with bots generating malicious content, communicating between members, and doing accounting tasks on their behalf.

Nonetheless, the “workers” still perform low-level tasks such as routing traffic to malicious websites to proliferate malware using various techniques such as social media posts, YouTube videos, and infected files. This process includes adding malicious links to YouTube video reviews, fake gambling games and lotteries on social media, and various NFT files to trick victims into downloading Infostealer malware. The links usually direct victims to fake websites that impersonate popular brands in order to gain victims’ trust and increase the chances of them downloading malware.

Once successful, Russian hackers sell the stolen credentials to dark web marketplaces for a profit. Group-IB estimated the market value of stolen logs and credit card data at approximately $5.8 million.

Group-IB researchers encouraged users who store passwords in browsers to refrain from doing so. In addition, they should regularly clear their browser cookies and avoid downloading and installing suspicious software.


“This type of malware is often delivered via infected Office documents that launch PowerShell scripts and shows why behavioral threat intelligence is so important to organizations,” noted Shawn Surber, VP of Solutions Architecture and Strategy at Tanium.
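The Office-to-PowerShell delivery chain in the quote above is the kind of behavior a parent/child process rule can flag regardless of which stealer binary is dropped. The following is an added detection example, not code from Group-IB or Tanium; it runs over constructed process-creation log lines in an assumed `ts|parent_image|image|command_line` layout, and the list of suspicious command-line traits is an assumption.

```python
"""Flag PowerShell launched by an Office application (constructed example)."""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PS_CHILDREN = {"powershell.exe", "pwsh.exe"}
# Command-line traits commonly seen in loader scripts (assumed, not exhaustive)
SUSPICIOUS_ARGS = [
    r"-e(nc|ncodedcommand)?\b",            # encoded command
    r"-w(indowstyle)?\s+hidden",           # hidden window
    r"-nop\b",                             # no profile
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b",
]


@dataclass
class Alert:
    ts: str
    parent: str
    child: str
    score: int  # 1 for Office -> PowerShell, +1 per suspicious trait


def parse_line(line: str) -> dict:
    """Parse 'ts|parent_image|image|command_line'; keep only the file names."""
    ts, parent, image, cmd = line.split("|", 3)
    return {"ts": ts, "parent": parent.rsplit("\\", 1)[-1].lower(),
            "image": image.rsplit("\\", 1)[-1].lower(), "cmd": cmd}


def detect(lines):
    """Return one Alert per Office-spawned PowerShell process."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev["parent"] in OFFICE_PARENTS and ev["image"] in PS_CHILDREN:
            traits = sum(bool(re.search(p, ev["cmd"], re.I)) for p in SUSPICIOUS_ARGS)
            alerts.append(Alert(ev["ts"], ev["parent"], ev["image"], 1 + traits))
    return alerts


# Constructed sample events: one malicious chain, two benign ones.
SAMPLE_LOG = [
    "2022-11-23T10:01:02Z|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -enc AAAAAAAA",
    "2022-11-23T10:01:05Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-ChildItem",
    "2022-11-23T10:02:10Z|C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|C:\\Windows\\splwow64.exe|splwow64.exe 12288",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.parent} -> {a.child} score={a.score}")
```

The score lets a SOC triage Office-spawned PowerShell with a plain `-c Get-Date` (score 1) differently from a hidden, encoded, no-profile launch (score 4).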
