Key Points
Infostealer malware, which covertly infiltrates systems and harvests sensitive information, poses a significant risk to individual and organizational security. Infostealers have been a persistent threat for many years, with the earliest variant, ZeuS, emerging in 2006. Since this early example, infostealers have become increasingly sophisticated and widespread. Cybercriminal activity involving infostealers spiked significantly from Q3 to Q4 2023: ReliaQuest noted a 30.5% increase in cybercriminal forum and marketplace listings for “stealer logs” (data harvested by infostealer malware).
This report provides an overview of common infostealer variants; describes their targeted geographies and sectors and tactics, techniques, and procedures (TTPs); and outlines general mitigation steps and best practices.
The ever-increasing complexity and prevalence of infostealer malware is fueled by the lucrative nature of stolen data, which is commonly sold on cybercriminal forums, marketplaces, and messaging applications like Telegram. Once adversaries extract valuable information, they sometimes share stealer logs for free on these platforms; subsequent resharing on other forums allows even more threat actors to access the data at no cost.
Infostealers are designed to infiltrate computers and transmit sensitive data, including:
This malware typically targets credentials for online banking websites, social media platforms, email accounts, and file transfer protocol (FTP) accounts. Modern infostealers often function as part of botnets, enabling attackers to remotely connect to an infected host and transmit data via command-and-control (C2) servers. Threat actors spread infostealers through methods like spam email attachments, compromised websites, and malvertising (malicious advertising), often in conjunction with other malware types such as downloaders, Trojan droppers, and keyloggers.
Stealer malware poses serious risks with far-reaching impacts, underscoring the critical need for heightened awareness and mature defense strategies. For example, the now-notorious Change Healthcare cyber attack was initiated through compromised credentials of the kind that can be sourced from infostealer malware.
Infostealers disproportionately affect certain sectors, geographies, and technologies. Sectors that handle large amounts of sensitive information, such as healthcare, finance, and retail, are particularly at risk. Geographically, regions commonly targeted for ransomware, such as the US, UK, and Canada, appear to be most at risk. This geographic targeting is highly likely driven by the higher demand for compromised credentials from these regions on cybercriminal marketplaces.
Here’s a more specific look at how threat actors can maliciously leverage stolen information:
While infostealer malware has historically targeted individuals, the threat to corporate organizations is significant and growing. The ramifications of an infostealer malware infection for organizations are profound, encompassing not only financial loss and intellectual property theft but also severe data breaches that could impact the entire organizational structure. This malware type not only facilitates financial exploitation but also serves as a gateway for further attacks, potentially leading to widespread ransomware infections.
The ReliaQuest Threat Research team has compiled an overview of the most common infostealers we observed in 2023: LummaC2, RedLine, and Raccoon.
LummaC2 was the most prevalent infostealer in 2023, according to ReliaQuest’s collection of dark web marketplace listings. In addition, the number of LummaC2-obtained logs listed for sale increased by 110% from Q3 to Q4 2023. LummaC2’s rising popularity among adversaries is likely due to its high success rate, meaning its effectiveness at infiltrating systems and exfiltrating sensitive data without detection. Additionally, its intuitive user interface (UI) makes the tool accessible to threat actors across a wide spectrum of skill levels.
The pricing model for a LummaC2 subscription ranges from $250 to $1,000 per month, depending on the subscription tier selected.
Figure 1: LummaC2 subscription service and description
LummaC2 is best known for using unconventional distribution tactics, including the deployment of trojanized software files and spearphishing emails equipped with deceptive links or attachments. This method allows LummaC2 to bypass some standard security measures designed to catch more common phishing attempts or drive-by downloads.
Furthermore, LummaC2 targets a comprehensive array of sensitive data not limited to traditional credentials. It focuses on cryptocurrency wallets, browser extensions, and two-factor authentication (2FA) details. This targeted approach makes LummaC2 particularly perilous for businesses that manage digital assets or utilize extensive online financial services.
LummaC2 sets itself apart in the landscape of infostealers through its broad targeting capabilities and systematic extraction methods. Capable of infiltrating a range of systems from Windows 7 to Windows 11 and compatible with at least ten different web browsers, LummaC2’s adaptability is unmatched. Its ability to target and exfiltrate data from applications related to cryptocurrency and extensions further distinguishes it as a significant threat, especially given the rising prominence of digital currencies in business operations.
The stealthy nature of LummaC2’s operations makes it particularly dangerous, as it can siphon sensitive information without immediate detection, multiplying the potential damage.
RedLine ranked as the second most prevalent infostealer ReliaQuest identified in 2023, with a 44% rise in listings from Q3 to Q4 2023. This growth is noteworthy, yet it falls far short of LummaC2’s growth rate. The popularity of RedLine can likely be attributed to its high success rate of exfiltrating financial data such as cryptocurrency wallets. While not as prolific as LummaC2, RedLine has made a name for itself in the cybercriminal world due to its high infection rate and more affordable malware-as-a-service (MaaS) subscription starting at $100 per month, as compared to competitors, most of which start at $250.
Since its inception in March 2020, RedLine has been utilized by initial access brokers and other malicious actors on Russian-language cybercriminal forums. It specializes in exfiltrating passwords, credit card details, instant messages, and cryptocurrency wallet information. Over time, RedLine’s distribution methods have evolved from phishing emails themed around COVID-19 to malvertising through malicious Google ads, weaponized Microsoft Office documents, and lures targeting digital artists in the NFT space. More recently, it has adapted by masquerading as a Windows 11 upgrade tool, demonstrating its ability to exploit current trends to enhance its dissemination.
RedLine’s extensive technical capabilities enable it to perform a variety of malicious activities that are particularly disruptive to organizations. RedLine allows adversaries to harvest system information such as browser types, FTP client details, and hardware configurations. It can perform a range of malicious activities, including uploading and downloading files, executing commands, and relaying information about compromised systems back to the attackers. Such functionalities not only allow for the theft of sensitive data but also potentially facilitate deeper network penetration and lateral movement within a corporate environment, leading to more extensive breaches and data compromise.
RedLine differentiates itself from other prominent infostealers like LummaC2 and Raccoon through its targeting strategy and distribution techniques. RedLine has a broader target spectrum and uses more varied distribution methods. Compared to Raccoon, which also operates on a MaaS model, RedLine’s ability to adapt quickly to current trends and its lower entry price point make it accessible and dangerous.
ReliaQuest identified Raccoon Stealer, sometimes rendered as “Racoon,” as the third most common information stealer in 2023. Despite its ranking, mentions of Raccoon on the dark web decreased drastically from Q3 to Q4 2023, largely due to the arrest of Mark Sokolovsky, a pivotal figure behind Raccoon, in late 2022. The arrest disrupted operations and brought significant law enforcement scrutiny, which temporarily halted Raccoon’s activities.
Raccoon Stealer is adept at stealing a wide range of data from over 60 different applications, including sensitive information such as login credentials, credit card details, browsing history, and cryptocurrency wallet data. In August 2023, the developers released an updated version based on user feedback and market trends. This version introduced features like an innovative URL search method for quick data access, automatic bot detection and blocking, and detailed log statistics.
Raccoon Stealer’s subscription was initially priced at $200 per month but increased to $275 in August 2023. It is also offered at $125 per week, making it accessible for short-term use.
Raccoon Stealer is differentiated by its user-friendly interface and robust functionality, catering to less technically skilled cybercriminals. Raccoon focuses on providing a simple yet effective tool for extensive data harvesting, making it particularly dangerous for organizations. The stealer’s ability to target a vast range of applications and its enhancements aimed at evading detection make it a formidable tool for extracting corporate data.
The resilience and adaptability of Raccoon Stealer, despite significant disruptions such as the arrest of its key developer, highlight the persistent threat posed by such cybercriminal tools. Organizations must remain vigilant and proactive in their cybersecurity efforts to defend against such sophisticated malware.
In October 2023, ReliaQuest observed in a customer environment the execution of the unauthorized file “Passwrd-2023_Setup.rar,” which is associated with LummaC2. Shortly before the malicious file was downloaded, the user attempted to install a cracked license key from the license key download service “hdlicense[.]com.” This redirected the user to “hxxps://1july[.]com/rMKNqt3S,” where the user was prompted to download the malicious RAR file. After clicking the download prompt, the user was redirected to multiple domains, including “sustac[.]com” and a free file-hosting server that initiated the LummaC2 malware download.
“Passwrd-2023_Setup.rar” contained multiple files, including a legitimate, signed copy of the cross-platform media player “VLC Player” renamed as “Setup.exe” and the LummaC2 executable. The executable used a technique called Dynamic Link Library (DLL) side-loading to import a copy of the VLC Player library (“libvlc.dll”), which then imported a malicious version of the library (“libvlccore.dll”). libvlccore.dll loaded the LummaC2 payload. Using DLL side-loading enabled the adversary to bypass security measures, execute the malware, and establish a C2 connection to “hxxp://ebalkayiu[.]fun/api.”
Figure 2: Passwrd-2023_Setup.rar file contents
In this case study, ReliaQuest communicated to the impacted organization our recommendation to first isolate the impacted endpoint to cut off any communication or active connections. We then deleted the “Passwrd-2023_Setup.rar” file and blocked all associated indicators of compromise (IoCs). The impacted organization rotated the user’s credentials, reimaged the endpoint, and reminded the user of the organization’s acceptable use policy (AUP). Further communication with the impacted customer confirmed that no additional IoCs or C2 traffic were identified following these steps.
This incident showcases characteristic hallmarks of LummaC2, including the use of legitimate software to disguise malware activity and the exploitation of less secure third-party download sites. To prevent similar incidents, organizations should implement stringent controls on software downloads and installations; the absence of such controls in this case allowed the initial download of a cracked software key.
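The detection logic below is an added example, not one of ReliaQuest’s detection rules. It runs over constructed Sysmon-style events (the field names, paths, and pids are assumptions) and flags the chain from the case study: a signed binary executing under a name that differs from its original file name, loading an unsigned DLL from a user-writable directory, and then making an outbound connection.

```python
"""Detect the LummaC2-style DLL side-loading chain from the case study over
constructed Sysmon-style events. Added example; field names (id, pid, image,
original_file_name, signed, image_loaded, dest_host) are assumptions."""

# Directories a standard user can write to; a legitimate install lives elsewhere.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

# Constructed events: id 1 = process create, 7 = image load, 3 = network connect.
# pid 4120 mirrors the case study; pid 5000 is a benign VLC run from Program Files.
EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Users\jdoe\Downloads\Passwrd-2023_Setup\Setup.exe",
     "original_file_name": "vlc.exe", "signed": True},
    {"id": 7, "pid": 4120, "image_loaded": r"C:\Users\jdoe\Downloads\Passwrd-2023_Setup\libvlc.dll",
     "signed": True},
    {"id": 7, "pid": 4120, "image_loaded": r"C:\Users\jdoe\Downloads\Passwrd-2023_Setup\libvlccore.dll",
     "signed": False},
    {"id": 3, "pid": 4120, "dest_host": "ebalkayiu[.]fun"},
    {"id": 1, "pid": 5000, "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "original_file_name": "vlc.exe", "signed": True},
    {"id": 7, "pid": 5000, "image_loaded": r"C:\Program Files\VideoLAN\VLC\libvlccore.dll",
     "signed": True},
    {"id": 3, "pid": 5000, "dest_host": "update.videolan.org"},
]

def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)

def find_sideloading(events):
    """One finding per process that (1) is a signed binary running under a name
    different from its PE original file name, (2) loaded an unsigned DLL from a
    user-writable directory, and (3) made an outbound connection."""
    procs = {}
    for ev in events:
        pid = ev["pid"]
        if ev["id"] == 1:
            procs[pid] = {"image": ev["image"], "orig": ev["original_file_name"],
                          "signed": ev["signed"], "unsigned_dlls": [], "net": []}
        elif pid not in procs:
            continue  # no process-create record seen for this pid
        elif ev["id"] == 7 and not ev["signed"] and is_user_writable(ev["image_loaded"]):
            procs[pid]["unsigned_dlls"].append(basename(ev["image_loaded"]))
        elif ev["id"] == 3:
            procs[pid]["net"].append(ev["dest_host"])
    findings = []
    for pid, p in procs.items():
        renamed = p["signed"] and basename(p["image"]) != p["orig"].lower()
        if renamed and p["unsigned_dlls"] and p["net"]:
            findings.append({"pid": pid, "image": p["image"], "original_name": p["orig"],
                             "unsigned_dlls": p["unsigned_dlls"], "c2": p["net"]})
    return findings

if __name__ == "__main__":
    for f in find_sideloading(EVENTS):
        print("DLL side-loading suspected:", f)
```

The benign VLC run is not flagged because its image name matches the PE original file name and its DLLs are signed; tuning in a real environment means maintaining the user-writable prefixes and the signer allowlist for your estate.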
Below is a list of IoCs we observed in this case study:
We predict that in 2024, LummaC2 and RedLine activity will continue to grow. With sales of credentials obtained via LummaC2 more than doubling from Q3 to Q4 2023, the stealer shows no signs of slowing down. RedLine, with its 44% rise in dark web marketplace presence in the same period and a diverse range of associated distribution and data theft tactics, will highly probably continue to grow. Its adaptability and affordability make it an attractive option for cybercriminals looking to harvest sensitive information efficiently.
On the other hand, the usage of Raccoon will likely continue to decline throughout 2024. The drastic decrease in mentions and sales of Raccoon stealer logs on cybercriminal forums toward the end of 2023 suggests threat actors’ waning interest in this tool. This downturn may result from its outdated evasion tactics, the emergence of more advanced stealers like LummaC2 and RedLine, and the arrest of a key figure behind Raccoon in late 2022. This arrest not only disrupted Raccoon’s operations but also exposed the vulnerabilities within its infrastructure, likely diminishing its appeal to cybercriminals.
While ReliaQuest Digital Risk Protection can alert customers when credentials appear in breaches or are sold on sites like Russian Market, we also take a more proactive approach. To identify the use of stealer malware, ReliaQuest offers detection rules. Implementing these rules allows defenders to identify unauthorized software that violates policy obligations. The rules can be calibrated to each organization’s environment to attain a higher level of fidelity and reduce false positives. In addition, we provide containment and response plays for each detection rule; when enabled, these automated plays can be executed by customers to mitigate threats.
The ReliaQuest Threat Research team offers the following non-exhaustive list of recommendations and best practices to protect against the impact of infostealers.