One of the most surprising statistics from the SpyCloud 2023 Annual Identity Exposure Report was that almost HALF of the compromised credentials we recaptured from the darknet last year were exfiltrated from malware-infected devices. As global malware volume reaches new heights and infostealer malware continues to play a leading role in criminal tactics, now is a good time to share more of what we’re seeing actors do with the data they’ve stolen.
Let’s Talk About Malware - The Right Way
Let’s level set with some common language that is critical to understanding malware. The term “botnet” is often used as an umbrella term for a variety of malware, but a botnet is actually a set of active bots or beacons on endpoints that are commanded to execute code, such as Emotet. While these are a threat, and many do include some credential-stealing capabilities, the term shouldn’t be used interchangeably with the kind of malware we’re talking about: infostealers.
Infostealers steal credentials, device and session cookies, auto-fill data, and much more from infected devices. Often sold as “Malware-as-a-Service,” or MaaS, this type of malware is typically configured to be non-persistent, meaning it deletes itself after data is stolen from a victim’s machine. This is advantageous to bad actors because the longer malware remains on a device, the higher the chance that it is found, alerting the user (or their security team) to the infection. The goal is stealing data to use in targeted attacks or to sell as Initial Access to a ransomware operator.
Let’s dig a layer deeper into different types of infostealers.
We’ve talked a lot about RedLine Stealer and the threat it poses, and MetaStealer is an “improved version” of RedLine that is deployed through malspam email campaigns and steals credentials and cryptocurrency wallets. Indeed, the data stolen by MetaStealer is nearly identical, and we at SpyCloud have observed MetaStealer data alongside RedLine data nearly every week since its introduction to the market in March of 2022.
Other common malware variants tracked by SpyCloud include Raccoon, which, following the arrest of its developer in March 2022, was returned to regular use by criminals in June 2022, and Vidar. Within our recaptured data, RedLine represents approximately 20% of all malware records collected, with Raccoon closely behind at 18%; Vidar follows at around 14.5%, and Meta brings in about 6.4%. Combined, the top five malware variants by infections in 2022 made up approximately 60% of the total malware data collected by SpyCloud!
Usually, MaaS is referred to by the name its creator or sellers give it. However, malware that is not publicly sold, or that produces an output (log) similar to that of malware known by another name, is assigned a more generic name by malware researchers. Whenever possible, we will attempt, both within this post and in our portal, to refer to malware by its commonly accepted name.
In the Blink of an Eye - Time is of the Essence When it Comes to Stolen Malware Data
Timeliness is critical when it comes to malware-exfiltrated data. Because the information is fresh and likely accurate, and victims are typically unaware that an infection has even occurred, bad actors are more likely to get a high ROI on the stolen data if it is put to use within days of its theft. These timelines also affect the usefulness of session tokens (or cookie data), which may have a short life depending on the token’s expiration date. Valid session cookies enable easy account takeover since neither credentials nor MFA are needed to access an active session. Cookies are a hot commodity on the darknet – last year alone SpyCloud recaptured 22 billion device and session cookies, which should be a cause for concern for enterprises since they can be used to gain unfettered access to corporate networks.
The time this malware takes to execute and delete itself varies greatly from variant to variant, but most infections take only a few seconds to run their course. However, as malware continues to advance in sophistication, that timeframe can shorten. Case in point: based on our observations, one recent malware strain whose logs have begun to be traded on criminal forums and messaging platforms, 420Stealer, takes only around half a second to execute, package, and exfiltrate data from the victim’s device before disappearing.
The amount of time malware takes to execute, while important, is just one time-based factor in this equation. Another factor to consider is the amount of time it takes for the stolen information to make it onto the darknet to be traded or sold. Our research suggests that 24 hours to seven days post-infection is the timeframe when the data is most heavily used. We also see a spike at the 90-day mark, potentially corresponding with so-called Red Flag Rules, which often include a waiting period after which accounts flagged or frozen for fraud must be reopened so that the customer regains access to their funds. Once stolen, the data is used and reused, going from the original bad actor to a reseller to another reseller and so on.
Darknet Marketplace Seized by FBI
Genesis Marketplace is an underground bot store established in 2018 that claims to sell “bots with logs, cookies, and their real [browser] fingerprints.” According to our research, there were more than 430,000 stolen identities for sale on Genesis Marketplace early last year. Recently, the FBI seized the marketplace’s domain and authorities around the world are serving arrest warrants for individuals associated with the site. The takedown of Genesis Marketplace is an example of global law enforcement’s commitment to fighting malware-related cybercrime.
The Curious Case of Malware Screenshots
When it comes to malware data, one common question we hear from our customers is: “why does malware take screenshots?” Just about every modern infostealer takes a picture of the victim’s desktop shortly after execution, which understandably strikes some as curious.
The practice of taking a screenshot at the moment of infection gives bad actors several insights into the victim’s device. The first, and perhaps most obvious, is regarding the initial access vector: criminals deploying malware may have multiple ruses or schemes to get someone to download and execute their malware. Did the victim click a malicious link in a phishing email? Was the malware launched through a faux gaming cheat offer? Did the victim think they were downloading a cracked version of popular software? While important, an oft-overlooked purpose of the screenshot is to identify whether the victim device is in fact a victim, and not a honeypot or virtual machine (VM) operated by a researcher with little in the way of personalization – like installed non-default applications or files saved to the desktop – that would be expected on a legitimate computer.
Regarding the former, from analyzing millions of screenshots extracted from infostealer logs, we have found that the majority of screenshots have one thing in common: the user was on YouTube viewing a video about a cheat or add-on for a popular game, and downloaded something they believed would give them a competitive advantage or make their in-game character “look cool.”
Whatever the purpose, screenshotting a victim’s desktop is quite an invasive tactic in an attack that already feels so unsettling.
How to Properly Remediate Malware
When the inevitable infection happens, it’s critical to take additional steps to address the full picture of an infection. Removing the malware and wiping the device should remediate the active infection, but if you don’t take into account the data and credentials that were siphoned by the malware, the threat to yourself and your enterprise will persist.
Because infostealers siphon authentication data including target URLs, usernames, passwords, and session tokens, that information has to be invalidated in order to resecure the affected accounts. After removing the malware, passwords need to be changed, and sessions need to be invalidated to ensure that attackers can’t access the applications to steal data or move laterally and escalate privileges to perpetrate further attacks (including ransomware).
To address malware infections beyond the device, we recommend Post-Infection Remediation. This is a series of steps added to typical malware incident response and is designed to negate opportunities for follow-on attacks. Adding Post-Infection Remediation to your SOC playbook helps close critical gaps in your security framework and reduces the risk that a malware infection becomes a full-blown, high-severity security incident.
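As an added example (not SpyCloud’s code, and not any stealer’s real log layout), here is a Python triage script that turns a recovered infostealer log into the invalidation steps described above. It assumes a constructed dump with URL/USER/PASS blocks and a cookie file in the Netscape cookie-file format, both samples made up for this example; it revokes every session cookie that is still live as of the time the log was recovered, then resets the password of every exposed account, which also illustrates the token-lifetime point made earlier.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample of a stealer dump: URL/USER/PASS blocks separated by blank lines
PASSWORDS_TXT = """URL: https://mail.example.com/login
USER: alice@example.com
PASS: hunter2

URL: https://vpn.example.com/
USER: alice
PASS: Winter2023!
"""
# ... and cookies in Netscape cookie-file format: domain, subdomains flag, path, secure, expiry (epoch, 0 = browser session), name, value
COOKIES_TXT = """# Netscape HTTP Cookie File
.example.com\tTRUE\t/\tTRUE\t1680000000\tsessionid\tabc123
mail.example.com\tFALSE\t/\tTRUE\t0\tcsrftoken\tdef456
.sso.example.com\tTRUE\t/\tTRUE\t1800000000\tSSO_TOKEN\tghi789
"""

def parse_passwords(text):
    """Return (host, username) pairs; the secrets themselves are not needed for triage."""
    entry, out = {}, []
    for line in text.splitlines() + [""]:  # trailing "" flushes the last block
        if ":" in line:
            key, value = line.split(":", 1)
            entry[key.strip().upper()] = value.strip()
        elif entry:
            out.append((urlparse(entry["URL"]).hostname, entry["USER"]))
            entry = {}
    return out

def parse_cookies(text, now):
    """Return (domain, name, live). Expiry 0 is a browser-session cookie; the server may still accept the stolen copy, so it counts as live."""
    out = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        domain, _, _, _, expiry, name, _ = line.split("\t")
        live = int(expiry) == 0 or datetime.fromtimestamp(int(expiry), timezone.utc) > now
        out.append((domain.lstrip("."), name, live))
    return out

def remediation_plan(passwords_txt, cookies_txt, now):
    """Revoke live sessions first (they bypass both password and MFA), then reset passwords."""
    plan = [("REVOKE_SESSION", d, n) for d, n, live in parse_cookies(cookies_txt, now) if live]
    plan += [("RESET_PASSWORD", h, u) for h, u in parse_passwords(passwords_txt)]
    return plan

def example_plan():
    # Triage the constructed samples as of the (made-up) time the log was recovered
    return remediation_plan(PASSWORDS_TXT, COOKIES_TXT, datetime(2023, 6, 1, tzinfo=timezone.utc))
```

The expired `sessionid` cookie is skipped, but the zero-expiry `csrftoken` is still revoked because a stolen copy can be replayed regardless of whether the victim’s browser has since closed.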
As bad actors evolve their tactics, SpyCloud continues to empower our customers to stay steps ahead. Our security research team is recapturing ever-increasing amounts of third-party breach and malware-exfiltrated data and automating protective action that keeps enterprises safe from attacks that leverage this stolen data.