Information Stealer Malware commonly seen in the Philippines
Recently, I have been doing some Dark Web Intelligence Gathering on behalf of a large Philippine Bank. As part of it, I looked at the usual things, like Dark Web Forums (both open-access and closed ones), the usual Telegram Channels, and other sources.
As a result, I noticed that the following are the most common Information Stealers that show up in the Philippine Threat Landscape, at least, based on this specific engagement.
This does not aim to be a complete list, nor is it meant to be a very detailed analysis; however, I have included links for further reading for each of the Stealers listed here.
Lumma Stealer
Lumma, a well-known and notorious information-stealing malware, has evolved to incorporate the most sophisticated evasion tactics as of November 2023. It is recognized as a stealer, malicious software designed to pilfer sensitive data from infected systems. Lumma’s capabilities extend to exfiltrating both device and personal data, which can include browsing data, usernames, passwords, and credit card information.
To bypass detection, it has introduced an ingenious method of measuring mouse movements using trigonometry, allowing it to differentiate between real systems and antivirus sandboxes. Lumma proceeds with malicious activities if the calculated vector angles are below 45 degrees. Otherwise, it halts its operations.
Lumma’s evasion techniques are plentiful. They include obfuscation, XOR-encrypted strings, dynamic configuration files, and enforced crypto use. It is worth mentioning that Lumma makes use of a crypter to safeguard its executable from exposure to non-paying hackers or to cybersecurity analysts and incident responders. The malware has also been seen to incorporate obstacles and blocks of dead code to confound analysis further.
Stealers like Lumma often target accounts such as emails, social media, online banking, and cryptocurrency wallets. The stolen data is then used for nefarious purposes like blackmail, identity theft, and fraudulent transactions, leading to severe privacy issues, financial losses, and identity theft for the victims. Using reputable anti-virus software to guard against Lumma and other malware and scan systems for threats regularly is recommended but not a guarantee that you will be safe.
Some Resources with more information can be found here:
https://any.run/malware-trends/lumma
https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
https://www.trendmicro.com/en_us/research/23/j/beware-lumma-stealer-distributed-via-discord-cdn-.html
RisePro Stealer
RisePro, a stealer malware first spotted one year ago, in December 2022, has resurfaced with increased activity and new capabilities as of November and December 2023. Identified as a clone of Vidar, it is now being sold on middle-tier forums on the Darkweb, combining the best features of Redline and Vidar to become a potent information-stealing tool. We expect to see more incidents and stealer logs from this particular stealer malware.
The malware allows customers (the threat actors who purchase it) to host their own panels to guard against log theft. However, it has been found that the panel still communicates with the seller’s infrastructure, which could potentially allow for log theft. As you can see, there are still logs circulating in the open, which almost certainly come from such log theft. RisePro’s command and control panels remain active, with constant updates and changes to their structure being observed.
RisePro’s functionality includes stealing sensitive data like credit cards, passwords, and cryptocurrency wallet details. It is distributed through counterfeit crack sites and now boasts remote control functions.
Significant changes have been noted in its network communication patterns. Instead of HTTP, the malware employs a custom protocol over TCP. The communications are encrypted using a substitution cipher followed by XOR with a key. The encrypted traffic includes three distinct blocks — magic, payload_len, and packet_type, with the packet_type representing various opcodes like SERVER_PING.
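To make the framing described above concrete, here is an added example (not code from the post or from any RisePro analysis) of how an analyst might decode and parse captured traffic framed this way: the frame is decrypted by undoing the XOR and then the substitution, and the header is split into magic, payload_len and packet_type. The substitution table, XOR key, magic value, field widths and opcode numbers are all constructed placeholders, not the malware's real constants.

```python
import struct

# Constructed placeholder constants (hypothetical, NOT RisePro's real values).
XOR_KEY = b"\x5a\x13\xc7"
# Affine byte map: 167 is odd, so the table is a bijection on 0..255.
SUB_TABLE = bytes((i * 167 + 23) & 0xFF for i in range(256))
INV_TABLE = bytearray(256)
for plain_byte, cipher_byte in enumerate(SUB_TABLE):
    INV_TABLE[cipher_byte] = plain_byte

MAGIC = b"RPRO"                      # placeholder magic
HEADER = struct.Struct("<4sII")      # assumed layout: magic, payload_len, packet_type
OPCODES = {0x01: "SERVER_PING"}      # opcode name from the page; number assumed

def encrypt(data: bytes) -> bytes:
    """Substitution first, then XOR with a repeating key (used only to build samples)."""
    return bytes(SUB_TABLE[b] ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(data))

def decrypt(blob: bytes) -> bytes:
    """Reverse order of encrypt(): undo the XOR, then the substitution."""
    return bytes(INV_TABLE[b ^ XOR_KEY[i % len(XOR_KEY)]] for i, b in enumerate(blob))

def parse_packet(frame: bytes) -> dict:
    """Decrypt one frame and validate magic and length before trusting the fields."""
    plain = decrypt(frame)
    if len(plain) < HEADER.size:
        raise ValueError("frame shorter than header")
    magic, payload_len, packet_type = HEADER.unpack_from(plain)
    if magic != MAGIC:
        raise ValueError("bad magic, not this protocol or wrong key")
    if len(plain) != HEADER.size + payload_len:
        raise ValueError("payload_len does not match frame size")
    return {
        "packet_type": OPCODES.get(packet_type, f"UNKNOWN_{packet_type:#x}"),
        "payload": plain[HEADER.size:],
    }

def build_packet(packet_type: int, payload: bytes) -> bytes:
    """Construct an encrypted sample frame for testing the parser."""
    return encrypt(HEADER.pack(MAGIC, len(payload), packet_type) + payload)

# Constructed sample capture: one ping and one frame with an opcode we do not know.
SAMPLE_FRAMES = [build_packet(0x01, b""), build_packet(0x2A, b"constructed payload")]

def summarize(frames: list) -> list:
    """Return the opcode name of every parseable frame; skip frames that fail validation."""
    out = []
    for frame in frames:
        try:
            out.append(parse_packet(frame)["packet_type"])
        except ValueError:
            continue
    return out
```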
To shield against RisePro, it is advised to use reliable antivirus software and frequently scan systems for threats. While the malware continues to evolve, researchers have been successful in decrypting its encrypted traffic, providing hope for future countermeasures.
Some Resources with more information can be found here:
https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/
https://any.run/cybersecurity-blog/risepro-malware-communication-analysis/
Redline Stealer
The Redline Stealer Malware was first discovered in February 2020. It is an advanced malware-as-a-service (MaaS) tool for stealing sensitive data. It targets various third-party software products, including Telegram, Steam, and Discord, to steal user login credentials, authentication tokens, and other relevant sensitive data. The malware comes as a 32-bit executable file, identified as malicious by most up-to-date EDR products and AV engines, and uses AES encryption.
During execution on a Windows machine, Redline injects itself into an OS-level executable file named ‘winlogon.exe’ and drops additional files in the %AppData% directory. It targets browsers like Chrome and Opera to steal login credentials and autofill data, cookies, and credit card information, once again showing the importance of avoiding saving sensitive data in browsers. Moreover, it gathers information about the browser and uses a geolocation API to determine the endpoint’s location.
There are various distribution methods for Redline, including phishing and compromised versions of games and service applications. It is designed to steal sensitive information such as Windows credentials, browser credentials, cryptocurrency wallet contents, and more.
Technical analysis reveals that Redline is a complex malware with classes dedicated to establishing connections to the command-and-control server, stealing data from programs and browsers, and gathering information about the host system. It uses encryption and obfuscation techniques to hide its actions, making it difficult to attribute the attack to a specific adversary.
The command-and-control server associated with Redline Stealer is registered under the name “Flameochka Servers,” but there is no information available about this company online. The IP address associated with the server was registered with misleading information, suggesting that the attackers aim to remain anonymous. The malware has evidence linking it to Russian-based attackers, making it a sophisticated tool used by cybercriminals. You can find active conversations about it on many Russian language Hacker Forums, both on the clear and dark web.
Some Resources with more information can be found here:
https://any.run/malware-trends/redline
https://flare.io/learn/resources/blog/redline-stealer-malware/
Mystic Stealer
Mystic Stealer Malware, discovered in 2023, poses a significant cybersecurity threat given its capability to steal data from approximately 40 web browsers and 70 browser extensions. It also specifically targets cryptocurrency wallets, Steam, and Telegram. Written in the C programming language, this malware is heavily obfuscated, using polymorphic string obfuscation and hash-based import resolution to hamper analysis attempts.
In May 2023, updates to Mystic Stealer incorporated a loader component, which retrieves and executes payloads from a command-and-control server. Approximately 50 operational C2 servers have been identified, showcasing the expansive reach of this malware.
Furthermore, the malware’s author actively solicits suggestions for improvement, indicating an ongoing effort to court the cybercriminal community. This, coupled with the malware’s increasing popularity in the underground economy, suggests that it could serve as a precursor for financially motivated campaigns, such as those involving ransomware and data extortion.
Newer malware strains, like the ChromeLoader campaign called Shampoo and the modular malware trojan Pikabot, are being packaged with crypters to evade detection, adding to the complexity and potential threat.
Some Resources with more information can be found here:
https://www.zscaler.com/blogs/security-research/mystic-stealer
https://www.cyfirma.com/outofband/mystic-stealer-evolving-stealth-malware/
Raccoon2 Stealer
The Raccoon Stealer gang has released an updated version (2.3.0.1) of their notorious info-stealing malware as of August 15, 2023, and actively markets it to other cybercriminals in an “as a service” package offering. This malware, priced at $275 per month or $125 per week, is capable of stealing browser passwords, cookies, cryptocurrency wallets, and other files, and of taking screenshots of infected systems. After a six-month hiatus due to an administrator’s arrest, the operators have returned with enhanced features, making the malware more convenient to operate and more difficult to detect. Features include a quick search tool and a panel that gives users an overview of their operations. The FBI has gathered data stolen by Raccoon Malware, which consists of over 50 million unique credentials and forms of identification.
Some Resources with more information can be found here:
https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/
https://socradar.io/raccoon-stealer-resurfaces-with-new-enhancements/
MetaStealer Stealer
MetaStealer is a new breed of information stealer malware that emerged in November 2023, specifically targeting macOS platforms. This malware is designed to infiltrate devices with Apple M1 and M2 Chips at the time of this writing and will certainly cover M3 Chips as well. Distributed through deceptive files or documents, MetaStealer is capable of harvesting data from saved passwords, compromised hosts, and iCloud Keychains. It is notable for exploiting social engineering tactics, which it uses to gain unauthorized access to macOS systems.
The malware seriously threatens Mac users, extracting sensitive information from Intel-based macOS systems. Security measures such as blocking IoCs, maintaining regular backups, and avoiding suspicious attachments are recommended to prevent and protect against MetaStealer. Despite the evolving cybersecurity landscape, MetaStealer represents a significant challenge for Mac users.
Some Resources with more information can be found here:
https://cyware.com/news/new-meta-stealer-is-popular-in-the-underground-marketplaces-a04b2290
StealC Stealer
As of November 2023, the StealC Stealer malware stands out as a potent threat in the cyber landscape. It primarily targets Chromium and Mozilla-based web browsers to extract sensitive data stored in their databases. StealC is part of the broader family of Stealer malware, which is designed to infiltrate systems undetected and exfiltrate valuable information such as login credentials, financial details, and personal data.
StealC operates by being downloaded and executed by the user, often through phishing emails, malicious websites, or infected USB drives. Once inside, it has capabilities ranging from keystroke recording and screenshot capturing to spreading through network connections and dropping other malware into the system.
One notable feature of the StealC Stealer malware is its persistence, like that of the RedLine Stealer. To protect against such threats, it is crucial to keep abreast of the evolving cyber threat landscape, ensure regular system updates, and exercise caution while dealing with emails and websites of uncertain origin.
Some Resources with more information can be found here:
https://www.vmray.com/cyber-security-blog/stealc-a-new-stealer-emerges-in-2023/