Pinochle Cybersecurity Advisory: Popularity Spikes for Information Stealer Malware on the Dark Web
"ChatGPT now enables bad actors with zero security or programming knowledge to create malicious tools along the cyber infection chain" – Ranghan Venkatraman (CEO of Pinochle.AI)
Information stealer (info stealer) malware—malicious software designed to steal victim information, including passwords—became one of the most discussed malware types on the cybercriminal underground in 2022, according to Accenture’s Cyber Threat Intelligence team (ACTI). This is due to info stealers’ ability to harvest cookie data, usernames, and passwords, their low cost, and their availability as a malware-as-a-service offering, which allows actors with few resources or little technical knowledge to deploy the malware and access others’ networks.
While more organizations worldwide are implementing multi-factor authentication (MFA) to protect against the theft of user credentials, this protection is proving insufficient. In 2022, ACTI saw cyber threat actors successfully combine stolen credentials and social engineering to carry out high-profile breaches; the success of those breaches only further increased the demand for info stealers on the dark web. In addition, the volume of victim data included in logs for sale on underground marketplaces rose between June and October of 2022. The popularity spike in info stealers also drove underground actors to advertise a variety of new info stealer malware variants on the dark web.
MFA Fatigue Attacks
In 2022, the high-profile breaches of several large organizations illustrated the ease with which threat actors can breach network defenses using stolen employee credentials and MFA fatigue attacks. MFA fatigue attacks involve repeated attempts to log on to an MFA-enabled account using stolen credentials, thereby bombarding a potential victim with MFA push requests. In such scenarios, some recipients accept an MFA request simply to stop the requests from appearing on their connected devices, unknowingly granting the criminal access to their systems. In one such attack, threat actors also used a popular messaging app to contact victims, purporting to be the victim organization’s IT department and social engineering the victim into accepting MFA requests.
The notorious LAPSUS$ group relied on MFA fatigue attacks for several of its operations in 2022. Microsoft investigated LAPSUS$ and concluded the group had obtained credentials by:
- Deploying the malicious RedLine info stealer to obtain passwords and session tokens.
- Purchasing credentials and session tokens on criminal underground forums.
- Paying employees at targeted organizations or their suppliers and business partners for access to credentials and MFA approvals.
- Searching public code repositories for exposed credentials.
This group is just one example of real-world criminal use of info stealers in combination with MFA fatigue attacks, a combination that has contributed to the surge in popularity of info stealers and the growth of compromised credential marketplaces.
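As an added illustration (not part of the advisory or ACTI's report), the following Python detection logic flags the push-bombing pattern described above in a constructed authentication log: many push requests to one user inside a short window, followed by an approval. The log format, field and event names are assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one JSON record per line (field names are assumptions).
SAMPLE_LOG = """
{"ts":"2022-09-15T02:01:00Z","user":"alice","event":"mfa_push_sent","src_ip":"198.51.100.7"}
{"ts":"2022-09-15T02:01:40Z","user":"alice","event":"mfa_push_timeout","src_ip":"198.51.100.7"}
{"ts":"2022-09-15T02:02:00Z","user":"alice","event":"mfa_push_sent","src_ip":"198.51.100.7"}
{"ts":"2022-09-15T02:02:30Z","user":"alice","event":"mfa_push_denied","src_ip":"198.51.100.7"}
{"ts":"2022-09-15T02:03:00Z","user":"alice","event":"mfa_push_sent","src_ip":"198.51.100.7"}
{"ts":"2022-09-15T02:04:00Z","user":"alice","event":"mfa_push_sent","src_ip":"198.51.100.7"}
{"ts":"2022-09-15T02:05:00Z","user":"alice","event":"mfa_push_sent","src_ip":"198.51.100.7"}
{"ts":"2022-09-15T02:05:20Z","user":"alice","event":"mfa_push_approved","src_ip":"198.51.100.7"}
{"ts":"2022-09-15T09:00:00Z","user":"bob","event":"mfa_push_sent","src_ip":"203.0.113.5"}
{"ts":"2022-09-15T09:00:10Z","user":"bob","event":"mfa_push_approved","src_ip":"203.0.113.5"}
"""

WINDOW = timedelta(minutes=10)  # sliding window for counting pushes per user
THRESHOLD = 5                   # pushes inside WINDOW that raise an alert

def parse_log(text):
    """Yield one dict per non-blank line, with ts parsed into a datetime."""
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec

def detect_push_bombing(text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: {"pushes", "approved_after_burst", "src_ips"}} for users
    who got >= threshold pushes inside `window`. An approval after the burst
    is the urgent signal: the user may have accepted just to stop the noise."""
    recent = defaultdict(deque)  # user -> timestamps of pushes still in window
    alerts = {}
    for rec in parse_log(text):
        user, ts = rec["user"], rec["ts"]
        if rec["event"] == "mfa_push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:  # expire pushes older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(user, {"pushes": 0, "approved_after_burst": False, "src_ips": set()})
                a["pushes"] = max(a["pushes"], len(q))
                a["src_ips"].add(rec["src_ip"])
        elif rec["event"] == "mfa_push_approved" and user in alerts:
            alerts[user]["approved_after_burst"] = True
    return alerts
```

On the sample, alice is flagged with five pushes in under five minutes and an approval after the burst, while bob's single push and approval is normal traffic.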
The rise of compromised credential marketplaces
ACTI monitors several of the most prominent compromised credential marketplaces and found a marked increase in the number of logs for sale from July to October 2022.
Russian Market
Access to the Russian Market site allows visitors to search for inventory by malware used, victim operating system, and victim location. This site was among the most popular markets in 2022 based on the volume of logs available for sale, with victim data sold for an average price of $10 per log. The total number of logs for sale in this market rose by nearly 40%, from approximately 3.3 million to 4.5 million, between July and October 2022.
Malware
In log advertisements, Russian Market vendors include the malware they used to obtain the credentials for sale. So far in 2022, RedLine, Raccoon Stealer, Vidar, Taurus, and AZORult are the five info stealers actors have used to obtain the logs on Russian Market. Between July and October 2022, RedLine remained the dominant info stealer; however, its share decreased from 56% of the total market to 48% in October 2022. Use of the popular Raccoon Stealer, on the other hand, increased from 11% to 22% between July and October 2022, coinciding with the release of Raccoon Stealer v2 on June 30, 2022.
What’s next?
Shift toward private sales for quality logs
Private log sales, which are common on dark web forums, usually involve sellers fostering relationships with trusted buyers who are willing to pay a little more than buyers on open marketplaces. Often, sellers offer the best logs to trusted buyers first and sell the remaining logs on the marketplace’s general pages. While ACTI expects marketplaces selling info stealer-obtained logs to continue to thrive, the ever-increasing volume of stolen data available on these forums will make the highest-quality logs harder to find as trusted buyers begin to obtain high-value logs through private sales.
To cater to buyers wanting high-quality logs, the operators of Russian Market added a pre-order option to the forum's Stealer Logs section in October 2022. Users with a balance of US$1,000 in their general accounts on the site can provide a list of domains they wish to target and will receive notifications of the availability of logs affecting those domains before those logs become available to the rest of the market.
Conclusion and Mitigation
ACTI expects the info stealer landscape to continue to evolve and pose a significant risk to organizations in 2023. Organizations should examine how they authenticate user access to their systems and consider moving away from MFA push notifications and toward number-matching MFA systems and the use of biometrics to dull the effects of info stealers. Organizations should also fully train staff on the dangers of MFA fatigue attacks, social engineering attempts, and how to secure online accounts. Monitoring of dark web sources to obtain threat intelligence on the latest tactics, techniques, and procedures relating to info stealer malware should also help organizations get ahead of the latest threats in this sphere.
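To make the number-matching recommendation concrete, here is an added example (not Pinochle's or ACTI's code) of a minimal number-matching push flow: the login screen shows a number that the push itself never carries, so a prompt cannot be approved by a blind tap, and repeated wrong answers void the challenge. Class and method names are assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class PushChallenge:
    user: str
    number: int          # displayed on the login screen only, never in the push
    approved: bool = False
    attempts: int = 0


class NumberMatchingMfa:
    """Minimal model of number-matching MFA (names are assumptions)."""
    MAX_ATTEMPTS = 3     # wrong answers before the challenge is voided

    def __init__(self):
        self._pending = {}   # challenge_id -> PushChallenge

    def start_login(self, user):
        """Server side: create the challenge. The push to the user's device
        carries only the challenge id; the number is shown on the login screen."""
        cid = secrets.token_hex(8)
        number = secrets.randbelow(100)          # two-digit number, 0-99
        self._pending[cid] = PushChallenge(user, number)
        return cid, number

    def respond(self, cid, entered):
        """Authenticator side: the user types the number they see on the screen.
        A blind tap (entered=None) or a wrong number never approves anything,
        and too many wrong answers discard the challenge entirely."""
        ch = self._pending.get(cid)
        if ch is None or ch.approved:
            return False
        ch.attempts += 1
        if entered is not None and entered == ch.number:
            ch.approved = True
            return True
        if ch.attempts >= self.MAX_ATTEMPTS:
            del self._pending[cid]             # user must start a fresh login
        return False

    def is_approved(self, cid):
        """Server side: let the login through only after a matching answer."""
        ch = self._pending.get(cid)
        return ch is not None and ch.approved
```

A bombarded user who taps "approve" without the on-screen number produces only a failed response, which is also a useful signal to log and alert on.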
Do you have a security concern in your enterprise? Protect your business from cybersecurity attacks.
Pinochle.ai’s insurgent mission is to harden an enterprise’s attack surface by a factor of ‘10X’.
Speed to Security Intelligence
If you have an incident or need additional information on ways to detect and respond to cyber threats, contact a member of our CIFR team 24/7/365 by phone at 1888-RISK-221 or by e-mail at hotline@pinochle.ai or hotline@rezilyens.com.