What is stealer malware?

And what do people want with my credentials?

4 min read · Oct 23, 2021

Hello and welcome back to my blog. As I am currently writing a series of blog posts on the RedLine Infostealer, I thought it might be a good idea to write a rather non-technical post describing what stealer malware is and why using it is a lucrative business, if you are a criminal.

A stealer is a type of malware that tries to steal as many credentials as possible from a victim's system. A credential is any piece of information that can be used or abused to access an external or internal system or service. This includes, but is not limited to:

- your combinations of e-mail addresses, usernames and passwords
- your credit card information
- your social media tokens (e.g. to access Discord)
- your cryptocurrency wallets and keys
- your authentication methods for remote access tools (e.g. SSH, RDP, Telnet)
- the cookies stored in your browser
- your browsing history

But why would someone want all this information? What can an attacker do with it, especially as there are so many different types of credentials and online services?
The easiest answer is “money”.

In the cyber-crime ecosystem, threat actors are not working alone anymore.
There is a range of different attackers specializing in different types of crime. This means that the person stealing your PayPal money or sending spam from your compromised mail account doesn't necessarily need to be the same person that sent you the malware or phishing mail that was used to obtain these credentials in the first place. In fact, there is a whole network of cyber-criminals trading different stolen goods, which others then use for their own needs. And one of the most important goods is compromised credentials.
And you would be surprised how cheap it is to buy some of them.

So how are your credentials used once they land in the hands of the right threat actor? Well, here are some examples:

Cheap streaming accounts for willing customers.
People have always wanted to save money. And while most of them are probably just streaming their content for free on piracy websites, some are buying actual accounts at cheap prices on the internet.
Probably because they want the comfort of not having to watch all the annoying ads, or of having the rather beautiful web interface of a legitimate streaming service. So where there is demand, there is a market for it.
Depending on where you look and what you need, you can get some streaming accounts for as cheap as $0.03 apiece, as you can see in the picture below.

[Image: Credential Store Example]

This also applies to many other stolen accounts, for example the ones belonging to games or online game stores.

There are also some accounts which are valuable for further crime.

For example, there is currently a huge market involving stolen Spotify accounts, which in turn are abused to create fake plays of Spotify songs to fraudulently increase a song's popularity and thereby its revenue. The same can also be done with other online services like Twitch, YouTube or social media.
A great article on "Spotify botting" was released here. And even if the people in that article state they didn't use stolen accounts for their work, others certainly do.

Another known area of crime focusing on compromised credentials involves the types of accounts holding real money. PayPal accounts, bank accounts or even cryptocurrency wallets can all be emptied out once their credentials are obtained. This means a kind of direct income for the criminals involved.

On some occasions you can also find criminals selling account access at a really high price. These accounts often include those that can be abused to access very important targets.

[Image: Threat actor selling access to a database and an admin account]

With the current ransomware wave, these have become even more valuable, because just buying a compromised VPN or remote access account of a high-value company and then deploying your ransomware is sometimes way easier than trying to find a vulnerability in their network.

And besides, there is always the possibility of abusing compromised accounts for spam or phishing and generating money through that, as happened to me.

As you can see, there are a lot of ways to abuse stolen or otherwise compromised credentials and generate income from them.
And the result is a whole malware strain focusing solely on stealing them.
If you think about it, most if not all of your credentials are somewhere on your personal computer. Which in turn means they can be found and extracted automatically by a program, without having to be collected manually.
So the only work a criminal needs to do is send you a file and sell your credentials afterwards. And that can be very lucrative.

Currently the most well-known malware families which can be categorized as (information) stealers are:

- RedLine
- Vidar
- Taurus
- Raccoon

But as malware strains are a temporary thing, I am sure there will be new and different ones in the future.

Stay tuned for my second article in the RedLine Stealer Investigation Series, where we will take a deep dive into RedLine Stealer and how it accomplishes its mission of stealing your credentials. If you don't want to miss it, make sure to follow me on Medium or Twitter.
