Stealers (infostealers) are one of the most common and insidious types of malware. They can evade antivirus products, detect and escape sandboxes, and delete themselves from the victim's device once the data has been sent out. At the same time, an intruder who wants to steal information does not need to be a skilled hacker: it is enough to rent a stealer and use it for their own purposes.
In this article we will talk about how stealers work, their features and methods of protection.
How do stealers work?
Stealers steal logins, passwords and other information from the victim and then send that data over the Internet to a server controlled by the attacker. The first stealers were quite primitive and were designed to steal passwords and other personal data stored in the browser. Over time they evolved, becoming more complex and dangerous.
Nikita Leokumovich.
Head of Digital Forensics and Cyber Intelligence Department, Angara Security.
It is worth remembering that stealers attack not only desktop PCs, but also phones, tablets, watches, smart home systems - any device that can collect, process and store data will always be an object of interest for attackers.
Modern stealers are capable of stealing data not only from browsers but also from other applications, including instant messengers, social networks and payment systems. For example, the (s)AINT stealer takes screenshots, logs everything typed on the keyboard and uses the webcam to take photos. Mystic Stealer, discovered in 2023, steals user data from crypto wallets and applications and can extract data from 40 browsers, including the popular Chrome, Edge, Firefox, Opera and Vivaldi.
Oleg Skulkin.
Head of BI.ZONE Threat Intelligence.
It is difficult to say that they have undergone significant changes. Rather, there are many more of them now, including in open sources, such as GitHub. For example, some time ago we wrote about how attackers used the open source Umbral Stealer to attack Russian organizations. In addition, some stealers received extended functionality. For example, the White Snake stealer, which was used by the Scaly Wolf cluster, had backdoor functionality, allowed attackers to gain a foothold in a compromised system, download additional tools, and was even positioned by the creator as an "APT attack tool".
Another feature worth mentioning is that some developers have lifted the ban on using their malware to attack Russian companies. A great example is MetaStealer, which was used by Sticky Werewolf and Fluffy Wolf.
A stealer gets onto the user's device in various ways: when visiting infected web resources, opening malicious attachments from e-mail, and so on. For example, attackers disguised RedLine Stealer as a Windows 11 upgrade: they created a clone of the Microsoft site on the domain windows-upgraded.com and distributed the malware from it under the guise of an installer.
Alexander Kotov.
Head of Business Development for Information Security at Axoft.
There are many ways to “deliver” stealers; I will highlight several of them:
- Distribution via various forums and blogs, for example cryptocurrency mining forums or gaming forums. The attacker posts a link to download special software (in the case of cryptocurrency forums) or mods (in the case of gaming forums).
- Posting links on video hosting sites. There are several options here: the cybercriminal posts a video to their own channel and attaches a malicious link in the comments, or publishes a link in the comments of someone else's video.
- Phishing on social networks and by e-mail. In essence, it is distributed in the same way as on forums. The fraudster searches for posts about giveaways, copies the administrator's account and then sends a mailing to the group's users announcing a win, which contains malware in the form of a link or attachment.
- Using exploits. The goal of a cyber attack can be to take control of a system to increase privileges, or a DoS attack to disrupt the functioning of the system.
- Installing illegitimate programs. Hackers disguise programs that include malware as legitimate ones. The user downloads and installs the program, and the stealer is installed along with it.
- Embedding web scripts into websites and advertisements. When a user visits an infected website or sees an infected advertisement, the stealer can download and install itself on the device.
- Infection via removable media. Previously a more popular form of malware distribution: the user uses unverified, infected USB drives, SD cards and other removable devices.
According to FACCT's 2023 report, the FormBook (Formgrabber) and Loki PWS stealers are the second and third most common in phishing emails.
Nikita Leokumovich.
Head of Digital Forensics and Cyber Intelligence at Angara Security.
If we are talking about companies, stealers are most often delivered via phishing, in the form of a malicious attachment. The victim receives a letter with a "CP", "Reconciliation Act" or "Instruction from the Authority", and when it is opened the program is installed. An infected website can also be a distribution method. For example, attackers create a specialised website for accountants where you can download sample documents, promote it through advertising and artificially inflated traffic, and when the site begins to receive a real audience, the attackers replace the samples with malicious ones.
The evolution of stealers has produced different types. Some disguise themselves as legitimate applications or browser extensions to deceive the user and gain access to their data; others rely on social engineering to convince the user to download and run the malware.
Threats and consequences of stealers
Some stealers do not activate immediately and have a self-removal function that makes their presence harder to detect. In that case the user may not even know that their data has been stolen and takes no countermeasures. The danger of stealers is also that modern malware has learned to bypass antivirus programs and solutions such as EDR.
Evgeniy Pudovkin.
Technical Director of IT integrator Telecom-Birzha.
Over time, stealers began to use more complex masking methods, such as polymorphism and cryptors, which allow them to bypass antivirus systems. They can now steal not only passwords and files but also banking data, cryptocurrency and other valuable information. Delivery methods include personalised phishing attacks and advanced social engineering techniques. Modern stealers are often part of multifunctional malware packages that include ransomware, cryptocurrency miners and remote access tools. Attackers use cryptocurrency to collect ransoms, which makes them difficult to track.
Nowadays attackers do not have to write stealers themselves: they can be purchased on the darknet as Malware-as-a-Service (MaaS) and received by subscription.
The information collected with the help of stealers can be used by attackers to extort money, cause reputational damage to a company, or sell the data to third parties.
Semyon Rogachev.
Head of Incident Response Department, Bastion, a system integrator for information security.
The main difference characteristic of stealers is the constantly growing number of user programs from which they can steal various information, mainly authentication information. If a program gains significant popularity in a certain region, stealer developers adapt their software in such a way as to retain the ability to steal the data stored in it. This is due to the fairly high competition in the stealer development market.
According to information published by researchers at FACCT, the stealers RedLine and Raccoon, popular among Russian-speaking cybercriminals, collect the following data:
- username;
- device name;
- list of installed software;
- equipment details;
- passwords, cookies, bank card details and cryptocurrency wallets saved in browsers.
If the user is logged into accounts on various services and social networks, such as VKontakte, Yandex, Mail.ru or Gmail, attackers can gain access to them. They do not even need to enter a password: it is enough to export the session cookies from the browser and load them into their own browser, after which the service treats them as the already-authenticated user, so two-factor authentication is bypassed as well. Stolen accounts can be used to send spam.
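To make the point above concrete, here is an added example (not from the original article or any of the vendors quoted in it) of why a stolen cookie is enough on its own and what a site can do about it. It models a session store in Python with constructed user and client values; the `NaiveSessionStore`, `BoundSessionStore` and `demo` names are this example's own. Binding the session to IP and User-Agent is only a partial control (a stealer often exfiltrates the User-Agent together with the cookies, and mobile users change IPs), which is why the short lifetime and the invalidate-on-password-change step matter more:

```python
"""Why a stolen session cookie works without the password, and two server-side
mitigations. Constructed, in-memory example; not any real site's code."""
import hashlib
import hmac
import secrets
import time


class NaiveSessionStore:
    """Accepts any unexpired session id, which is what most sites do by default."""

    def __init__(self, ttl_seconds=30 * 24 * 3600):  # long "remember me" lifetime
        self.ttl = ttl_seconds
        self.sessions = {}  # sid -> {"user": ..., "issued": ...}

    def login(self, user, client_fp, now=None):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "issued": now if now is not None else time.time()}
        return sid

    def validate(self, sid, client_fp, now=None):
        rec = self.sessions.get(sid)
        now = now if now is not None else time.time()
        if rec is None or now - rec["issued"] > self.ttl:
            return None
        return rec["user"]  # the cookie value alone decides


class BoundSessionStore(NaiveSessionStore):
    """Hardened: short lifetime, session bound to client properties seen at
    login, and all of a user's sessions invalidated on password change."""

    def __init__(self, ttl_seconds=8 * 3600, secret=None):
        super().__init__(ttl_seconds)
        self.secret = secret or secrets.token_bytes(32)
        self.generation = {}  # user -> int, bumped on password change

    def _fp_tag(self, client_fp):
        # HMAC so the stored tag does not reveal IP/User-Agent to whoever reads the DB
        return hmac.new(self.secret, client_fp.encode(), hashlib.sha256).hexdigest()

    def login(self, user, client_fp, now=None):
        sid = super().login(user, client_fp, now)
        self.sessions[sid]["fp"] = self._fp_tag(client_fp)
        self.sessions[sid]["gen"] = self.generation.get(user, 0)
        return sid

    def validate(self, sid, client_fp, now=None):
        user = super().validate(sid, client_fp, now)
        if user is None:
            return None
        rec = self.sessions[sid]
        if rec["gen"] != self.generation.get(user, 0):
            return None  # issued before the last password change
        if not hmac.compare_digest(rec["fp"], self._fp_tag(client_fp)):
            return None  # replayed from a different network/browser
        return user

    def password_changed(self, user):
        self.generation[user] = self.generation.get(user, 0) + 1


def demo():
    """Victim logs in; the stealer exfiltrates the cookie; the attacker replays it."""
    victim_fp = "203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/120"        # constructed
    attacker_fp = "198.51.100.7|Mozilla/5.0 (X11; Linux x86_64) Firefox/121"  # constructed
    out = {}

    naive = NaiveSessionStore()
    sid = naive.login("alice", victim_fp)
    out["naive_replay"] = naive.validate(sid, attacker_fp)  # "alice": cookie alone suffices

    bound = BoundSessionStore()
    sid = bound.login("alice", victim_fp)
    out["bound_victim"] = bound.validate(sid, victim_fp)    # "alice"
    out["bound_replay"] = bound.validate(sid, attacker_fp)  # None: different client
    out["bound_expired"] = bound.validate(sid, victim_fp, now=time.time() + 9 * 3600)  # None
    bound.password_changed("alice")
    out["bound_after_password_change"] = bound.validate(sid, victim_fp)  # None: revoked
    return out


if __name__ == "__main__":
    print(demo())
```

The `validate` path of the hardened store is also where a web framework or IdP would raise a new-device alert and require step-up authentication; the revocation shown here is what lets a password reset actually end an attacker's session.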
The Vidar stealer, first discovered in 2018 and active worldwide, is capable of collecting a wide range of sensitive data from browsers and digital wallets. It is likely a descendant or direct evolution of the Arkei trojan, which served almost the same purpose. It is also used as a downloader for ransomware. The creators of the malware sold it on the darknet and advertised the following functionality:
- collecting autofill data, cookies and credit card information;
- collecting the history of web page views and downloads;
- stealing a cryptocurrency wallet address;
- intercepting message history from Telegram;
- taking screenshots;
- stealing files of a certain format.
In addition, Vidar can transfer information about installed software, recently downloaded files (from the Downloads folder), cryptocurrency wallets, autofill data, cookies, browser history and files of certain formats.
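The data-collection lists for RedLine, Raccoon and Vidar above translate into a small set of files on disk, which is what a detection should key on. The following is an added example, not code from the article or from any vendor quoted in it: detection logic in Python run over constructed EDR/Sysmon-style file-access events. The event field names (`pid`, `image`, `event`, `target`), the dropper file name and the profile paths are assumptions of the example; the store file names (`Login Data`, `Cookies`, `Web Data`, `Local State`, `logins.json`, `key4.db`, `tdata`) are the real ones. Matching on the process image name is for illustration only; a production rule should match the signed image path, since a stealer can name itself chrome.exe.

```python
"""Detection logic for the collection phase: processes other than the owning
application reading the credential stores listed above, or copying them
elsewhere first (stealers copy Chromium's SQLite files because the running
browser holds them locked). Events are constructed EDR/Sysmon-style records;
the field names ("pid", "image", "event", "target") are this example's own."""
import re

CHROMIUM = {"chrome.exe", "msedge.exe", "opera.exe", "vivaldi.exe", "brave.exe"}

# (regex over a lowercased, forward-slash path, description, processes allowed to touch it)
STORE_PATTERNS = [
    (r"/user data/.+/login data$", "Chromium saved passwords", CHROMIUM),
    (r"/user data/.+/cookies$", "Chromium cookies", CHROMIUM),
    (r"/user data/.+/web data$", "Chromium autofill and cards", CHROMIUM),
    (r"/user data/local state$", "Chromium master key (DPAPI-wrapped)", CHROMIUM),
    (r"/firefox/profiles/[^/]+/(logins\.json|key4\.db|cookies\.sqlite)$",
     "Firefox logins/cookies", {"firefox.exe"}),
    (r"/telegram desktop/tdata/", "Telegram session data", {"telegram.exe"}),
    (r"/appdata/roaming/(exodus|electrum)/", "desktop crypto wallet", {"exodus.exe", "electrum.exe"}),
]
STORE_BASENAMES = {"login data", "cookies", "web data", "local state", "logins.json", "key4.db"}
PROFILE_DIRS = re.compile(r"/user data/|/firefox/profiles/")


def _norm(path):
    return path.replace("\\", "/").lower()


def classify(event):
    """Return an alert dict for a suspicious file event, else None."""
    target = _norm(event["target"])
    image = _norm(event["image"]).rsplit("/", 1)[-1]
    for pattern, what, owners in STORE_PATTERNS:
        if re.search(pattern, target):
            if image in owners:
                return None  # the application reading its own store
            return {"pid": event["pid"], "image": image, "what": what,
                    "reason": "non-owner process accessed credential store"}
    # Copy-then-read: a credential-store file appearing outside any browser profile
    basename = target.rsplit("/", 1)[-1]
    if event["event"] == "FileCreate" and basename in STORE_BASENAMES \
            and not PROFILE_DIRS.search(target):
        return {"pid": event["pid"], "image": image, "what": "copy of " + basename,
                "reason": "credential store copied outside browser profile"}
    return None


def detect(events):
    return [a for a in (classify(e) for e in events) if a]


def sample_events():
    """Constructed telemetry: normal browser and messenger activity plus a
    dropper named after a fake-update lure, running from %TEMP%."""
    prof = r"C:\Users\victim\AppData\Local\Google\Chrome\User Data"
    tdata = r"C:\Users\victim\AppData\Roaming\Telegram Desktop\tdata\key_datas"
    dropper = r"C:\Users\victim\AppData\Local\Temp\Windows11InstallationAssistant.exe"
    return [
        {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         "event": "FileRead", "target": prof + r"\Default\Login Data"},
        {"pid": 7788, "image": dropper, "event": "FileRead", "target": prof + r"\Local State"},
        {"pid": 7788, "image": dropper, "event": "FileCreate",
         "target": r"C:\Users\victim\AppData\Local\Temp\tmp8f2a\Login Data"},
        {"pid": 7788, "image": dropper, "event": "FileRead",
         "target": prof + r"\Default\Network\Cookies"},
        {"pid": 7788, "image": dropper, "event": "FileRead", "target": tdata},
        {"pid": 3304, "image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
         "event": "FileRead", "target": tdata},
        {"pid": 1200, "image": r"C:\Windows\explorer.exe", "event": "FileRead",
         "target": r"C:\Users\victim\Documents\report.docx"},
    ]


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The `Local State` read is the strongest single signal: it holds the DPAPI-wrapped AES key that a stealer needs before it can decrypt anything from `Login Data` or `Cookies`, and almost nothing except the browser itself has a reason to open it.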
Methods of protection against stealers
To protect yourself from stealers, you need to follow basic cybersecurity rules. Here are some recommendations:
- Do not open suspicious files in emails, especially from unknown senders.
- Keep your software and antivirus programs up to date.
- Do not follow questionable links or visit unreliable web resources.
- Do not enter confidential information on sites you do not trust.
- Use complex passwords that are unique to each service.
- Do not download programs and applications from unverified sources.
To protect yourself from password theft, do not allow your browser to remember your passwords; store them in a dedicated password manager instead.
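The last recommendation can be enforced centrally rather than left to each user: Chromium-based browsers read managed policy from JSON files under `/etc/opt/chrome/policies/managed/` on Linux and from `HKLM\SOFTWARE\Policies\Google\Chrome` (Edge: `HKLM\SOFTWARE\Policies\Microsoft\Edge`) on Windows. The following is an added example, not part of the original article: a Python audit of such policy files for the three settings that leave credentials and card data in the browser's store, with a weak policy file beside the corrected one. The policy names are real Chrome enterprise policies; the directory, file names and sample contents are constructed, and precedence between files is not relied on (conflicts are reported instead).

```python
"""Audit Chromium managed policy for the settings that leave credentials in the
browser. Added example with constructed policy files; the policy names are real
Chrome enterprise policies. Linux reads JSON from /etc/opt/chrome/policies/managed/;
on Windows the same names live in the registry as REG_DWORD values."""
# Windows equivalents (not touched by this script):
#   HKLM\SOFTWARE\Policies\Google\Chrome\PasswordManagerEnabled = 0
#   HKLM\SOFTWARE\Policies\Microsoft\Edge\PasswordManagerEnabled = 0
import json
import tempfile
from pathlib import Path

# Policy -> (value that removes the stealer target, why)
RECOMMENDED = {
    "PasswordManagerEnabled": (False, "saved passwords (Login Data) are a primary stealer target"),
    "AutofillCreditCardEnabled": (False, "card data is stored in Web Data"),
    "AutofillAddressEnabled": (False, "autofill profiles are exfiltrated alongside cards"),
}


def load_policy_dir(policy_dir):
    """Merge all *.json files; report keys that files set to conflicting values."""
    merged, conflicts = {}, []
    for path in sorted(Path(policy_dir).glob("*.json")):
        for key, value in json.loads(path.read_text()).items():
            if key in merged and merged[key] != value:
                conflicts.append(f"{key}: {merged[key]!r} vs {value!r} in {path.name}")
            merged[key] = value
    return merged, conflicts


def audit_policy(policy):
    """Return findings; an empty list means all three settings are enforced."""
    findings = []
    for key, (wanted, why) in RECOMMENDED.items():
        if key not in policy:
            findings.append(f"{key} not set (defaults to enabled): {why}")
        elif policy[key] != wanted:
            findings.append(f"{key}={policy[key]!r}, expected {wanted!r}: {why}")
    return findings


def write_recommended(policy_dir):
    """Write the hardened settings as one managed-policy file."""
    Path(policy_dir).mkdir(parents=True, exist_ok=True)
    out = Path(policy_dir) / "stealer-hardening.json"
    out.write_text(json.dumps({k: v for k, (v, _) in RECOMMENDED.items()}, indent=2))
    return out


def demo(tmp_dir=None):
    """Weak policy first, then the hardened file dropped in beside it."""
    managed = Path(tmp_dir or tempfile.mkdtemp()) / "managed"
    managed.mkdir(parents=True, exist_ok=True)
    # constructed: an existing file that explicitly keeps the password manager on
    (managed / "00-defaults.json").write_text(json.dumps({"PasswordManagerEnabled": True}))
    before = audit_policy(load_policy_dir(managed)[0])
    write_recommended(managed)
    merged, conflicts = load_policy_dir(managed)
    return before, audit_policy(merged), conflicts


if __name__ == "__main__":
    before, after, conflicts = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
    print("conflicts:", *conflicts, sep="\n  ")
```

Disabling the built-in manager does not migrate passwords already saved; users still need to export them into the dedicated manager and clear the browser store, otherwise `Login Data` keeps its contents and remains a target.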