Group-IB discovered nearly three dozen groups of Russian hackers spreading infostealer malware under the stealer-as-a-service model. An infostealer is a malware variant that harvests credentials stored in browsers, payment card numbers, and crypto wallet credentials and sends them to threat actor-controlled servers.
According to the researchers, the threat groups infected 890,000 user devices with infostealers, obtaining 50 million passwords within the first seven months of 2022. This figure represents an 80% increase from the previous period.
Additionally, threat actors also exfiltrated 2,117,626,523 cookie files (+74%), 113,204 crypto wallets (+216%), and 103,150 credit cards (+81%).
Russian hackers use Raccoon and Redline infostealer malware to harvest saved credentials
Group-IB’s digital risk protection team found that 34 groups of Russian hackers deployed Raccoon and Redline infostealer malware to collect passwords from Steam, Roblox, Amazon, PayPal, and crypto wallet and credit card information. PayPal and Amazon are the most targeted, with 16% and 13% of stolen data originating from the two internet giants.
Additionally, the report found that Russian hackers coordinated their hacking activities on Russian-speaking Telegram groups with an average of 200 active members, mostly low-level actors previously involved in Classiscam.
Despite using Russian as the communication language, they target victims in 111 countries, mostly the United States, Brazil, India, Germany, and Indonesia.
Most popular infostealer malware used by Russian hackers
Group-IB researchers ranked Redline as the most popular malware, with 23 of the 34 groups using the variant. Raccoon infostealer malware was a distant second, with only eight groups using it, while only three groups relied on custom infostealers.
Group administrators, however, supply their workers with both Redline and Raccoon infostealers and claim a share of the stolen data or profits. Some groups use up to three infostealer malware variants, while others have just one.
Cybercrime workers can rent malware from the dark web for only $150-200 monthly.
A low barrier of entry encouraged the proliferation of infostealer malware
Group-IB researchers explained that the influx of thousands of cybercriminals into Classiscam had forced threat actors to invent more ways to earn money through cybercrime, leading to the proliferation of infostealer malware. Additionally, the team blamed the low barrier of entry for the increase in infostealer malware deployment.
“Beginners do not need to have advanced technical knowledge as the process is fully automated and the worker’s only task is to create a file with a stealer in the Telegram bot and drive traffic to it,” they wrote. “For victims whose computers become infected with a stealer, however, the consequences can be disastrous.”
Russian hackers have established hierarchies after graduating from Classiscam, and the same maturity shows in their tooling. For example, the coordination process is highly automated, with bots generating malicious content, relaying communication between members, and completing accounting tasks on their behalf.
Nevertheless, the “workers” still perform low-level tasks such as driving traffic to malicious sites to spread malware through social media posts, YouTube videos, and infected files. This includes adding malicious links to YouTube video reviews, running fake lucky draws and lotteries on social media, and offering various NFT files to lure victims into downloading infostealer malware. The links usually direct victims to fake websites impersonating popular brands to earn the victims’ trust and increase the likelihood that they download the malware.
Once successful, Russian hackers sell the stolen credentials to dark web marketplaces at a profit. Group-IB estimated that the market value of stolen logs and credit card details was approximately $5.8 million.
Group-IB researchers encouraged users who save passwords in browsers to refrain from the practice. Additionally, they should regularly clean their browser cookies and avoid downloading and installing suspicious software.
“This type of malware is often delivered through infected Office documents that launch PowerShell scripts, and illustrates why behavior-based threat intelligence is so important to organizations,” noted Shawn Surber, VP of Solutions Architecture and Strategy at Tanium.
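The Office-document-to-PowerShell delivery chain that Surber describes is exactly the kind of parent/child process relationship that behaviour-based detection keys on. The following Python script is an added example, not code from Group-IB, Tanium, or the article: it scans constructed, JSON-formatted process-creation events (the field names ParentImage, Image and CommandLine are modelled on Sysmon event ID 1, which is an assumption about the log format) and flags any Office application that spawns PowerShell, raising the severity when the command line carries loader-style arguments such as a hidden window or an encoded command.

```python
"""Flag Office applications spawning PowerShell in process-creation logs.

Added example. The sample events below are constructed for illustration and
use Sysmon event ID 1 field names (ParentImage, Image, CommandLine) as an
assumed log format; adapt the field names to your own telemetry.
"""
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Office binaries that rarely have a legitimate reason to start a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Arguments that commonly accompany script-based loaders: hidden window,
# encoded command, no profile, execution-policy bypass, remote download.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop(rofile)?\b|"
    r"-ep\s+bypass|-executionpolicy\s+bypass|downloadstring|invoke-webrequest)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    event_index: int          # position of the event in the input list
    parent: str
    child: str
    severity: str             # "medium" for the chain alone, "high" with loader flags
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_event(index: int, event: dict) -> Optional[Finding]:
    """Return a Finding if an Office app launched PowerShell, else None."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    reasons = ["Office application spawned PowerShell"]
    cmd = event.get("CommandLine", "")
    flags = sorted({m.group(0).lower() for m in SUSPICIOUS_ARGS.finditer(cmd)})
    if flags:
        reasons.append("loader-style arguments: " + ", ".join(flags))
    return Finding(index, parent, child, "high" if flags else "medium", reasons)


def analyze_log(lines: List[str]) -> List[Finding]:
    """Parse one JSON event per line; malformed lines are skipped, not fatal."""
    findings = []
    for index, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = analyze_event(index, event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry). Event 1 is the classic
# macro-launched loader; event 3 is the same chain without loader flags.
SAMPLE_LOG = [
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n invoice.docm"}',
    r'{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc <base64-placeholder>"}',
    r'{"ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1"}',
    r'{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "CommandLine": "pwsh.exe -Command Get-Date"}',
]


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] event {f.event_index}: {f.parent} -> {f.child}; "
              + "; ".join(f.reasons))
```

The parent/child pairing is the signal here, not the script host by itself: the svchost.exe-launched scheduled script is left alone, while the Word-launched PowerShell with a hidden window and encoded command is rated high even though its payload is never inspected. In production the allow-list of parents and the argument patterns would be tuned against the environment's baseline to keep false positives down.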