Russian-speaking operators of stealers attack foreign users of Steam, Roblox, Amazon and PayPal

Lord777

Group-IB specialists discovered 34 hacker groups that distribute stealers. Russian-speaking attackers used them to steal passwords for Steam and Roblox game accounts, Amazon accounts and PayPal payment-system accounts, as well as bank card and crypto wallet data. A common feature of the groups is coordination through Russian-language Telegram bots, yet they attack mainly foreign users, chiefly from the United States, Brazil and India.

In their report, the experts say that, while tracking the development of the Mammoth (Classiscam) fraud scheme popular in Russia, they noticed the migration of "workers" (as rank-and-file online crooks are called) into a more dangerous criminal scheme built around the distribution of stealers.

Stealers are malicious software that collects usernames and passwords saved in browsers (including accounts for mail services and social networks), bank card information and cryptocurrency wallet data from an infected computer. After a successful attack, the attackers usually take one of two paths: either they "cash out" themselves using the stolen data, or they sell the stolen information on underground forums. According to Group-IB experts, stealers are one of the most serious threats of 2022.

According to the company, the first mass Telegram groups and bots created to distribute stealers began to appear in early 2021. Checking some accounts confirmed the theory that members of several fraud groups that had previously specialized in the Mammoth scheme had begun working with stealers.

In 2021-2022, the experts identified 34 active Russian-speaking groups in Telegram. The ten largest each accounted for more than 30,000 "rejections", that is, messages that the operator receives from the stealer running on an infected machine. On average, each group has about 200 participants.

In switching from fraud to distributing stealers, the attackers copied not only the hierarchy and business model of Mammoth but also its technical tooling. Above all this means the dedicated Telegram bots that generate malicious content, handle communication between participants and keep all of their shadow accounting. The tasks of the "workers" have also changed: now they must drive traffic to a bait site and get the victim to download a malicious file.

Cybercriminals most often embed the link to download the stealer in video reviews of popular games on YouTube, in mining software or NFT files on specialized forums, and in giveaways and lotteries on social networks. Group-IB estimates that over the 10 months of 2021 covered by the study (from its start on March 1 to December 31), users downloaded more than 538,000 stealers to their computers. This year the situation has worsened: in the first seven months of 2022 (January 1 to August 1), users downloaded more than 890,000 stealers.

The most popular stealer among the studied groups is RedLine, used by 23 of the 34 teams. Raccoon is in second place, in service with 8 teams. Another 3 communities used self-written stealers.

Administrators typically provided their workers with both RedLine and Raccoon for free in exchange for a share of the stolen data or a monetary reward, even though these stealers rent on the black market for $150-$200 a month. Some groups use three stealers at once, others only one.

According to the analysts, PayPal (more than 25%) and Amazon (more than 18%) were among the most frequently attacked services in 2021. In 2022, PayPal (over 16%) and Amazon (over 13%) still lead. Over the year, however, the number of passwords for game services (Steam, Epic Games, Roblox) appearing in the logs has increased almost fivefold.

The most attacked countries in 2022 were the United States, Brazil and India. Russia is gradually dropping off the crooks' list of priorities: in 2021 Russia ranked 15th by the number of users whose passwords were stolen with stealers, while in the first seven months of this year the Russian Federation ranked 95th.

In total, over the ten months of 2021, according to the analysts, attackers from the studied groups received 538,982 logs, 27,875,879 passwords, 1,215,532,572 cookies, 56,779 bank card records and 35,791 crypto wallet records. In the first seven months of 2022 they have already stolen 896,148 logs, 50,352,518 passwords, 2,117,626,523 cookies, 103,150 bank card records and 113,204 crypto wallet records. By selling logs and card data alone on the underground market, the attackers, according to the experts, could earn about 350 million rubles, or 5.8 million US dollars.

“The influx of a huge number of workers into the popular mammoth scam — at its peak, we recorded more than 1,100 criminal groups and hundreds of thousands of fake sites — led to competition for resources and the search for new ways to make money from criminals,” says Evgeny Egorov, Lead Analyst at Group-IB Digital Risk Protection. “The popularity of the scheme with the distribution of stealers is facilitated by a low entry threshold: a beginner does not need technical knowledge, since the process is fully automated through a bot, and the worker's task is to create a file with a stealer in the Telegram bot and ‘catch up’ traffic to it. But for a victim whose computer is infected with a stealer, the consequences can be very serious.”