Common credential stealers

FortiGuard Threat Research has observed an increasing threat arising from credential stealers.
The most common types of stealers are those that collect login information, such as usernames and passwords.

Vidar:
Vidar is an information stealer trojan that was first identified in December 2018.
Named after the god of vengeance from Scandinavian mythology, Vidar is used to steal information from infected systems.
Vidar can be purchased on its “official” website by cyber criminals.
Key features include:
Analysis of the Vidar trojan shows that the malware is written in C++.
Capable of stealing text files in multiple formats, browser cookies and history, and other browser records, including data from Tor Browser.
Capable of stealing browser autofill data, including banking and credit card details.
Vidar is also known to be able to steal digital coins from offline wallets.
In fact, holders of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are in potential danger, as these are the cryptocurrencies currently supported by the malware.
The malware can search for cryptocurrency wallet information, take screenshots, and act as a message stealer, recording private messages from various applications.
Vidar locates its C&C servers, where the stolen data is dropped, through domain names that change every four days.
The malware archives the stolen data and sends it to the control server, after which Vidar removes traces of its activity and deletes itself from the system.

Raccoon:
Raccoon is an info-stealer malware family available as Malware as a Service (MaaS).
It can be obtained for a subscription fee.
Also known as Mohazo and Racealer, it is a modern malware that was first sighted in 2019.
Although some consider it relatively basic malware, the responsive service from its creators, its distribution as malware as a service, and a user-friendly, simple dashboard helped make Raccoon quite popular.
In fact, the malware has already managed to infect upwards of 100,000 devices and became one of the most frequently mentioned malware families in hacker communities.
Key features include:
The stealer is written in C/C++ and can run on 32-bit and 64-bit systems without .NET dependencies.
Has a very simple structure, and the stealer itself lacks any kind of antivirus evasion.
Depending on the configuration enabled by the attacker, it can check system settings, capture screenshots, collect basic information such as OS version, IP address and username, and steal passwords and logins from a variety of browsers.
The stealer can retrieve information from Microsoft Outlook as well as steal cryptocurrency wallets.
After the data collection process ends, the data is packed into a .ZIP archive that is then sent to the attackers' server.

RedLine:
The malware first appeared in March 2020.
Since then, RedLine has steadily gained momentum.
It was on the rise during the COVID-19 pandemic and is still active.
On July 1st, 2021, the malware was found on a legitimate-looking website offering privacy tools.
RedLine Stealer is sold on underground forums, apparently both as a standalone purchase and on a subscription basis.
RedLine Stealer is distributed via social engineering across a range of campaigns, including business email compromise, spam, fake updates, and Google ads that lead to malicious attachments or links.
Key features include:
RedLine is a .NET malware written in C#, and the code quality is high enough to suggest an experienced programmer behind it.
Capable of stealing user information from browsers, instant messaging clients, and file transfer protocol (FTP) clients.
Primarily targets passwords, credit card information, usernames, location, autofill data, cookies, installed software, and even hardware and system configuration such as keyboard layout and UAC settings.
The malware is also capable of stealing cryptocurrency.
The malware can be used to deliver ransomware, RATs, trojans, and miners.

Taurus:
Since April 2020, the C/C++ information-stealing malware known as Taurus Stealer, commonly referred to as Taurus or Taurus Project, has been active in the wild.
The initial attack vector often begins with a malspam campaign that disseminates a malicious attachment, while the Fallout Exploit Kit has also been observed delivering it.
Capable of stealing passwords, cookies, and autofill forms, along with the history of Chromium- and Gecko-based browsers.
Taurus can also steal some popular cryptocurrency wallets and the credentials of commonly used FTP and email clients.
Collects information, such as installed software and system configuration, and sends that information back to the attacker.
Taurus is designed not to execute in countries within the Commonwealth of Independent States (CIS).

AZORult:
The AZORult malware was first discovered in 2016 as an information stealer.
It can also act as a downloader of other malware.
It was sold on Russian underground forums to collect various types of sensitive information from an infected computer.
A variant of this malware was able to create a new, hidden administrator account on the machine and set a registry key to enable a Remote Desktop Protocol (RDP) connection.
Exploit kits such as Fallout Exploit Kit (EK) and phishing emails with social engineering techniques are the major infection vectors of the AZORult malware.
Other malware families such as Ramnit and Emotet also download AZORult.
Key features include:
Steals computer data, such as installed programs, machine globally unique identifier (GUID), system architecture, system language, user name, computer name, and operating system (OS) version.
Steals the following data:
Stored account information used in installed File Transfer Protocol (FTP) clients or file manager software
User names, passwords, and hostnames from different browsers
Bitcoin wallets, Monero, and uCoin
Steam and Telegram credentials
Skype chat history and messages
AZORult searches for useful information on the affected computer and sends it to the C2 server, potentially enabling theft of the victim's bank account data.
After execution, the malware removes itself from the system, as it has no persistence mechanism.
