Security researchers at SafeBreach discovered a method to collect millions of stolen user credentials through Google’s malware analysis platform, VirusTotal, without compromising any organizations.
According to the researchers, an attacker needs only a €600 ($679) license for VirusTotal’s premium tools and APIs, such as VirusTotal Graph and retrohunt, to access stolen user credentials.
Named “VirusTotal hacking,” the infection-free approach is similar to “Google hacking,” a method used by criminals to identify vulnerable systems, installed web shells, and IoT devices.
To test their theory, SafeBreach researchers managed to collect 1,000,000 credentials from the platform within a few days.
Attackers can collect unlimited stolen user credentials on VirusTotal with little effort
The researchers called it the perfect cybercrime because an attacker using this method can gather an almost unlimited amount of sensitive user data with little effort. Additionally, the victims cannot easily protect themselves from this type of activity because they have no visibility into the exfiltrated files.
Third parties such as security researchers, hosting companies housing the hacker’s command-and-control (C2) servers, and cybercriminals unknowingly upload stolen user credentials to VirusTotal.
Tomer Bar, Director of Security Research at SafeBreach, also suggested that hackers upload victims’ data on VirusTotal while promoting the sale of stolen user credentials on underground forums. According to Bar, accessing these stolen user credentials on VirusTotal was a walk in the park.
“It is quite a straightforward technique, which doesn’t require strong understanding of malware,” Bar said. “All you need is to choose one of the most common info stealers and read about it online.”
Attackers only need to know various tools used by cybercriminals to steal information and the files they use to upload stolen user credentials on C2 servers. Additionally, having access to various underground hacking forums like DrDark and Snatch_Cloud comes in handy when searching on VirusTotal.
Researchers demonstrated how stolen user credentials are acquired
The researchers successfully demonstrated how to access an unlimited number of records from VirusTotal. They searched for data leaked via RedLine Stealer, Azorult, Raccoon Stealer, and Hawkeye.
RedLine Stealer is a subscription-based malware capable of harvesting saved credentials, credit cards, and auto-complete data from browsers. The malware also takes inventory of the host computer recording the device information and configuration, including geographical location, installed software, and other information.
The researchers received at least 800 results for RedLine variants detected as ‘engines:MSIL.Trojan-Stealer.Redline.B’. They then searched for the ‘DomainDetects.txt’ file the malware uses to upload data, and found results with the query ‘content:DomainDetects.txt tag:zip’.
Using VirusTotal tools, they discovered that the zipped file contained another RAR file (TG @BitPapaFREELOGS 08.2021 500 PIECES.rar) with 22,715 passwords from 500 victims.
BitPapa is the name of a Russian cryptocurrency market and also a Telegram channel. The researchers suggested that the files were deliberately uploaded to VirusTotal.
They also found another 200 MB file with the filename containing “bitpapa.” The file contained 46,952 passwords from 1,000 victims.
Other discoveries include data from 34 victims, including cryptocurrency information, and a set of 800 passwords, 30 of them for government URLs, with 40 victims from the Ministry of Health.
The researchers repeated the process with Azorult and searched for the exfiltration file named ‘YandexBrowser_Default.txt’. The search returned 162 results containing CV files and credentials for social media sites (Facebook and Snapchat), Apple, and Australian government accounts.
They found the “Новая папка” file containing 136,000 passwords from 1,000 victims, including credentials from 1,300 government sites in 48 countries. The data included credentials from 30 tax authorities, such as the IRS, from the USA, UK, India, and other countries.
Similarly, the researchers recovered at least 96,000 stolen user credentials from Raccoon Stealer logs, including partially encrypted files, and data on at least 200 victims of HawkEye.
Additionally, the researchers discovered files offered on DrDark and Snatch_Cloud underground forums through VirusTotal search.
“These activities are carried out on the regular web,” they wrote. “There is no need for dark web access—these individuals are not hiding themselves.”
The researchers submitted their research findings, files containing personal data, and the implicated API keys to Google. They recommended periodically searching for and removing sensitive data from VirusTotal and banning API tokens used to upload stolen user credentials.
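A defensive counterpart to the problem described above (third parties unknowingly submitting stealer logs), added here as an example that is not part of the original article or of SafeBreach’s research: a pre-upload gate that inspects a zip archive for the exfiltration file names the article mentions and for URL/USER/PASS credential dumps before the file is sent to VirusTotal. The file-name list and the credential pattern are assumptions to extend with your own intelligence; the sample archive is constructed with fake data.

```python
import io
import re
import zipfile

# Exfiltration file names the article reports for RedLine and Azorult logs
# (assumed indicator list; extend with your own intelligence).
STEALER_LOG_NAMES = {"domaindetects.txt", "yandexbrowser_default.txt"}

# Typical "URL / USER / PASS" triplet layout of browser-credential dumps
# (assumed pattern, written for this example).
CRED_TRIPLET = re.compile(
    r"^\s*(?:url|host)\s*:.*\n\s*(?:user|login)\s*:.*\n\s*pass(?:word)?\s*:",
    re.IGNORECASE | re.MULTILINE,
)
MAX_INSPECT_BYTES = 1_000_000  # skip bulky members; plain-text logs are small

def inspect_archive(data: bytes) -> dict:
    """Return matching member names; both lists are empty when nothing matched."""
    findings = {"names": [], "credential_files": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip archive; nothing to inspect here
    with zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base in STEALER_LOG_NAMES:
                findings["names"].append(info.filename)
            if info.file_size > MAX_INSPECT_BYTES or not base.endswith(".txt"):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            if CRED_TRIPLET.search(text):
                findings["credential_files"].append(info.filename)
    return findings

def should_block_upload(data: bytes) -> bool:
    """Gate for a submission pipeline: refuse archives that look like stealer logs."""
    f = inspect_archive(data)
    return bool(f["names"] or f["credential_files"])

def build_sample(with_credentials: bool) -> bytes:
    """Constructed sample archive (fake data) mimicking a stealer-log layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("victim1/System.txt", "OS: Windows 10\n")
        if with_credentials:
            zf.writestr("victim1/DomainDetects.txt", "example.com\n")
            zf.writestr("victim1/Passwords.txt",
                        "URL: https://mail.example.com\nUSER: alice\nPASS: hunter2\n")
    return buf.getvalue()
```

A blocked archive should be quarantined and reviewed rather than submitted; the same check can be run over an organization’s own VirusTotal submissions history.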
Nasser Fattah, North America Steering Committee Chair at Shared Assessments, observed that, “Cybercriminals typically enrich leaked and stolen credentials (the common user ID and password) with date-of-birth, phone numbers, security questions, including answers, and other relevant information that can be easily used for identity theft and account takeover – both with the intent to commit fraud. Note many of these leaked/stolen credentials stem from third-party breaches and rely on people reusing the same password to authenticate to multiple sites. Why bother with brute force attacks and cracking passwords when active, valid credentials can be bought in lots.”