Common credential stealers
FortiGuard Threat Research has observed an increasing threat arising from credential stealers.
The most common types of stealers are those that collect login information, such as usernames and passwords.
Vidar:
Vidar is an information stealer trojan that was first identified in December 2018.
Named after the god of vengeance from Scandinavian mythology, Vidar is used to steal information from infected systems.
Vidar can be purchased on its “official” website by cyber criminals.
Key features include:
According to analysis of the Vidar trojan, the malware is written in the C++ programming language.
Capable of stealing text files in multiple formats, browser cookies and history, and other browser records, including data from TOR.
Capable of stealing browser autofill data, including banking and credit card details.
Vidar is also known to be able to steal digital coins from offline wallets.
In fact, holders of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are potentially at risk, as these are the cryptocurrencies currently supported by the malware.
The malware can search for cryptocurrency wallet information, take screenshots and act as a message stealer, recording private messages from various software.
Vidar uses domain names, which change every four days, to locate the C&C servers where stolen data is dropped.
The malware archives the stolen data and sends it to a control server, after which Vidar removes traces of its work and deletes itself from the system.
Raccoon:
Raccoon is an info-stealer malware available as Malware-as-a-Service.
It can be obtained on a subscription basis.
Also known as Mohazo and Racealer, this is a modern malware that was first sighted in 2019.
Although some consider it a relatively basic malware, the excellent service provided by its creators, who distribute it as malware-as-a-service with a user-friendly, simplistic dashboard, helped make Raccoon quite popular.
In fact, the malware has already managed to infect upwards of 100,000 devices and became one of the most mentioned viruses in hacker communities.
Key features include:
The stealer is written in C/C++ and can run on 32-bit and 64-bit systems without .NET dependencies.
Has a very simple format, and the stealer itself lacks any kind of protection against antivirus software.
Depending on the configuration enabled by an attacker, it can check system settings, capture screenshots, collect basic information such as OS version, IP address and username, and steal passwords and logins from a variety of browsers.
The stealer can retrieve information from Microsoft Outlook as well as steal cryptocurrency wallets.
After the data collection process ends, the data is packed into a .ZIP archive that is then sent to the attackers’ server.
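Both Vidar and Raccoon, as described above, read saved logins and cookies out of the browser's own profile files and then stage the loot in an archive before sending it out. The following detection logic is an added example, not code from FortiGuard or from any of the malware described: it runs over constructed file-access telemetry (the JSON field names pid, image, op and target are an assumption, as are the browser image names) and flags (a) credential-store reads by anything that is not a browser and (b) a process that performed such a read and afterwards wrote a .zip archive.

```python
"""Flag non-browser processes that read browser credential stores and then
stage an archive. Added example with constructed telemetry; the event field
names (pid, image, op, target) mimic an EDR file-access record and are an
assumption of this example.
"""
import json
from dataclasses import dataclass

# File names that hold saved logins and cookies. Chromium-family browsers keep
# "Login Data", "Cookies" and "Web Data" in the profile directory; Firefox keeps
# "logins.json", "key4.db" and "cookies.sqlite". Matching is on base name only.
CREDENTIAL_STORE_NAMES = {
    "login data", "cookies", "web data",
    "logins.json", "key4.db", "cookies.sqlite",
}

# Executables expected to open those files (assumed list); any other reader is suspect.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

ARCHIVE_SUFFIXES = (".zip",)


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    target: str


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_credential_store(path: str) -> bool:
    return _basename(path) in CREDENTIAL_STORE_NAMES


def parse_events(text: str) -> list:
    """One JSON object per non-empty line, in the order they were logged."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_store_reads(events) -> list:
    """Credential-store reads performed by something other than a browser."""
    out = []
    for ev in events:
        if ev.get("op") != "read" or not is_credential_store(ev["target"]):
            continue
        image = _basename(ev["image"])
        if image not in BROWSER_IMAGES:
            out.append(Finding(ev["pid"], image, ev["target"]))
    return out


def staging_pids(events) -> set:
    """PIDs of non-browser processes that read a credential store and later
    wrote an archive, i.e. the collect-then-pack behaviour described above."""
    seen_read, staged = set(), set()
    for ev in events:  # assumes events are in time order
        if _basename(ev["image"]) in BROWSER_IMAGES:
            continue
        if ev.get("op") == "read" and is_credential_store(ev["target"]):
            seen_read.add(ev["pid"])
        elif (ev.get("op") == "write" and ev["pid"] in seen_read
              and _basename(ev["target"]).endswith(ARCHIVE_SUFFIXES)):
            staged.add(ev["pid"])
    return staged


# Constructed sample telemetry (not real data). Raw string: "\\" inside the
# JSON decodes to a single backslash.
SAMPLE_LOG = r"""
{"pid": 4120, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "op": "read", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"pid": 7788, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "op": "read", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"pid": 7788, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "op": "read", "target": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\logins.json"}
{"pid": 7788, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "op": "write", "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\out.zip"}
{"pid": 3001, "image": "C:\\Windows\\explorer.exe", "op": "read", "target": "C:\\Users\\alice\\Documents\\notes.txt"}
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in detect_store_reads(evs):
        print(f"suspect read: pid={f.pid} image={f.image} file={f.target}")
    print("pids staging archives after credential reads:", staging_pids(evs))
```

The browser's own read of "Login Data" is ignored, while the process in the user's Temp directory is reported twice (Chrome and Firefox stores) and again for packing a .zip afterwards. Real telemetry would also carry a parent process and a signer, which are the next fields to pivot on.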
RedLine:
The malware appeared in March 2020.
Since then, RedLine has only gained momentum.
It was on the rise during the COVID-19 pandemic and is still active.
On July 1st, 2021 the malware was found on a legitimate-looking website that provides privacy tools.
RedLine Stealer is sold on underground forums, apparently both as a standalone purchase and on a subscription basis.
RedLine Stealer is distributed via social engineering in various email campaigns, including business email compromise, spam, fake updates, and Google ads, which lead to malicious attachments or links.
Key features include:
This malware is a .NET malware written in C#, and the code quality is high enough to suggest an experienced programmer behind it.
Capable of stealing information about users from browsers, the system, instant messaging clients, and file transfer protocol clients.
Primarily targets passwords, credit card information, usernames, location, autofill data, cookies, installed software, and even hardware configuration such as keyboard layout, UAC settings, etc.
The virus is also capable of stealing cryptocurrency.
The malware can be used to deliver ransomware, RATs, trojans, and miners.
Taurus:
The C/C++ information-stealing virus known as Taurus Stealer, commonly referred to as Taurus or Taurus Project, has been active in the wild since April 2020.
The initial attack vector often begins with a malspam campaign that disseminates a malicious attachment, while the Fallout Exploit Kit has also been observed delivering it.
Capable of stealing passwords, cookies, and autofill forms, along with the history of Chromium- and Gecko-based browsers.
Taurus can also steal some popular cryptocurrency wallets, as well as credentials for commonly used FTP clients and email clients.
Collects information, such as installed software and system configuration, and sends that information back to the attacker.
Taurus is designed not to execute in countries within the Commonwealth of Independent States (CIS).
AZORult:
The AZORult malware, first discovered in 2016, is an information stealer.
It can also act as a downloader of other malware.
It was sold on Russian underground forums to collect various types of sensitive information from an infected computer.
A variant of this malware was able to create a new, hidden administrator account on the machine and set a registry key to enable Remote Desktop Protocol (RDP) connections.
Exploit kits such as Fallout Exploit Kit (EK) and phishing emails with social engineering techniques are the major infection vectors of the AZORult malware.
Other malware families such as Ramnit and Emotet also download AZORult.
Key features include:
Steals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version.
Steals the following data:
Stored account information used by installed File Transfer Protocol (FTP) clients or file manager software
User names, passwords, and hostnames from different browsers
Bitcoin wallets – Monero and uCoin
Steam and Telegram credentials
Skype chat history and messages
AZORult spyware searches for useful information on the affected computer and sends it to the C2 server, potentially enabling theft of the victim’s bank account data.
After execution, the malware is removed from the system because it has no persistence mechanism.
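The AZORult variant described above leaves a distinctive trail in the Windows logs: a new local account, that account joining Administrators, and a registry change that turns RDP on, all within a short window. The correlation below is an added example, not FortiGuard's or the malware's code. It runs over constructed Security/Sysmon-style records; Event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group) are standard Windows Security log IDs, and the registry record mirrors a Sysmon Event ID 13 (registry value set). The JSON field layout, the assumption that the group member is already resolved to a name, and the registry locations used for "enable RDP" (fDenyTSConnections set to 0) and "hide the account from the logon screen" (Winlogon\SpecialAccounts\UserList) are this example's assumptions; the article itself names neither key.

```python
"""Correlate account creation, Administrators membership and an RDP-enabling
registry change into one finding. Added example over constructed records;
field names and the registry locations are assumptions of this example.
"""
import json
from datetime import datetime, timedelta

# Assumed standard Windows locations (lower-cased for comparison):
# fDenyTSConnections = 0 enables Remote Desktop; a DWORD 0 under
# SpecialAccounts\UserList\<name> hides <name> from the logon screen.
RDP_ENABLE_VALUE = r"hklm\system\currentcontrolset\control\terminal server\fdenytsconnections"
HIDE_ACCOUNT_KEY = r"hklm\software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist"
ADMIN_GROUP_SIDS = {"S-1-5-32-544"}  # built-in Administrators

EVT_ACCOUNT_CREATED = 4720
EVT_LOCAL_GROUP_MEMBER_ADDED = 4732
EVT_SYSMON_REG_VALUE_SET = 13


def parse(text: str) -> list:
    """One JSON record per non-empty line; 'ts' is parsed into a datetime."""
    recs = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in recs:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return recs


def _is_zero(data) -> bool:
    """Sysmon renders DWORDs as 'DWORD (0x00000000)'; accept plain '0' too."""
    s = str(data).strip().lower()
    return s in ("0", "dword (0x00000000)")


def correlate(records, window=timedelta(minutes=10)) -> list:
    """One finding per created account that, within `window` of creation, was
    added to Administrators while RDP was enabled via the registry. 'hidden'
    records whether the logon-screen hiding value was also written."""
    created = {r["account"]: r for r in records if r["event_id"] == EVT_ACCOUNT_CREATED}
    findings = []
    for acct, c in created.items():
        lo, hi = c["ts"], c["ts"] + window
        inwin = [r for r in records if lo <= r["ts"] <= hi]
        reg = [r for r in inwin if r["event_id"] == EVT_SYSMON_REG_VALUE_SET]
        admin = any(r["event_id"] == EVT_LOCAL_GROUP_MEMBER_ADDED
                    and r.get("member") == acct
                    and r.get("group_sid") in ADMIN_GROUP_SIDS for r in inwin)
        rdp = any(r["target"].lower() == RDP_ENABLE_VALUE and _is_zero(r.get("data"))
                  for r in reg)
        hidden = any(r["target"].lower() == HIDE_ACCOUNT_KEY + "\\" + acct.lower()
                     and _is_zero(r.get("data")) for r in reg)
        if admin and rdp:
            findings.append({"account": acct, "created": c["ts"], "hidden": hidden})
    return findings


# Constructed sample records (not real data). Raw string: "\\" inside the JSON
# decodes to a single backslash. The second account is a benign control case.
SAMPLE_LOG = r"""
{"ts": "2024-05-01T10:00:00", "event_id": 4720, "account": "svc_help$", "subject": "alice"}
{"ts": "2024-05-01T10:00:02", "event_id": 4732, "member": "svc_help$", "group_sid": "S-1-5-32-544"}
{"ts": "2024-05-01T10:00:05", "event_id": 13, "target": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\svc_help$", "data": "DWORD (0x00000000)"}
{"ts": "2024-05-01T10:00:06", "event_id": 13, "target": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections", "data": "DWORD (0x00000000)"}
{"ts": "2024-05-01T14:30:00", "event_id": 4720, "account": "newhire", "subject": "helpdesk"}
{"ts": "2024-05-01T14:30:03", "event_id": 4732, "member": "newhire", "group_sid": "S-1-5-32-545"}
"""

if __name__ == "__main__":
    for f in correlate(parse(SAMPLE_LOG)):
        print(f"account {f['account']} created {f['created']} -> admin + RDP enabled, hidden={f['hidden']}")
```

Requiring all three signals inside one window is what keeps this quiet on a normal helpdesk account creation (the "newhire" control case lands only in Users and triggers nothing); the hidden-account flag is reported separately because it is the strongest single indicator but is not needed for the match.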