Group-IB, one of the leading cybersecurity companies in the world, has identified 34 Russian-speaking groups that distribute info-stealing malware under the stealer-as-a-service business model. The groups mainly use the RedLine and Racoon stealers to harvest credentials for gaming accounts on Steam and Roblox, login details for Amazon and PayPal, users' payment records, and cryptocurrency wallet data.
In the first seven months of 2022 the gangs collectively infected more than 890,000 user devices and stole more than 50 million passwords. Although their victims are mostly in the United States, Brazil, India, Germany and Indonesia, all of the identified groups coordinate their attacks through Russian-language Telegram groups. Group-IB considers info-stealing malware one of the most serious online threats of 2022.
While tracking the evolution of the well-known Classiscam scam scheme, analysts from Group-IB Digital Risk Protection observed that some "workers" (low-ranking online scammers) had begun moving to a more dangerous criminal scheme: distributing info stealers. The stealer business, likewise orchestrated through Telegram groups, reuses Classiscam's operational framework exactly.
An info stealer is a type of malware that collects saved credentials from the browsers on an infected computer (including those for social media, email and gaming accounts), bank card details and cryptocurrency wallet information, and then sends everything to the malware operator. After a successful infection, the criminals either monetise the stolen data themselves or sell it on the dark web. According to Group-IB, stealers are one of the top threats to watch for in the coming year: the threat actor behind the recent attack on Uber bought credentials that had been stolen by the Racoon stealer.
Group-IB's Digital Risk Protection team, part of the company's Unified Risk Platform, estimates that the mass-market Telegram groups and bots used to distribute info stealers first appeared in early 2021. By examining a number of accounts, Group-IB analysts confirmed that members of several scam groups who had previously taken part in the Classiscam scheme had switched to stealers. In 2021 and 2022 Group-IB experts identified 34 active groups on Telegram; a typical info-stealer distribution network has around 200 active members.
RedLine is the most widely used of the stealers Group-IB examined, deployed by 23 of the 34 gangs. Racoon comes second, used by 8 groups, and three communities rely on custom stealers. Administrators usually provide RedLine and Racoon to workers in exchange for a share of the stolen data or a cash payment; on the dark web, the same malware can be rented for $150–200 a month. Some teams deploy three stealers at once, while others have only one at their disposal.
To move from defrauding users of classified-ad websites to distributing stealers, some threat actors copied not only Classiscam's technical capabilities but also its hierarchy and business model. In particular, Telegram bots generate the malicious content, handle communication between members, and keep all of the groups' illicit accounting.
The duties of workers, the lowest-ranking scammers, have changed as well. Their job is now to drive traffic to phishing websites that impersonate well-known companies and trick victims into downloading malicious files. The criminals embed links to stealer downloads in video reviews of popular games, mining software and NFT files, in social media lotteries and lucky draws, on specialised forums, and in direct messages to NFT artists.