The campaign progressed in four waves, starting in February and ending in September, with the operators relying on specially crafted phishing web pages and lure documents laced with malicious macros to deliver the Vidar and Raccoon information stealers onto victim systems.
The ultimate objective of the attack, the researchers noted, was to steal payment and user data, using several attack vectors and tools to deliver the malware.
The fake web pages were built using the Mephistophilus phishing kit, which allows attackers to create and deploy phishing landing pages engineered for distributing malware.
“Attackers sent links to fake web pages that informed victims about a missing plugin needed to display the document correctly,” Group-IB researchers explained in an analysis of the cybercrime group’s tactics last November. “If a user downloaded the plugin, their computer was infected with the password-stealing malware.”
While the first wave of the campaign, in February and March, delivered the Vidar password stealer to intercept passwords from users' browsers and various applications, subsequent iterations switched to the Raccoon stealer and the AveMaria RAT to achieve the same ends.
Raccoon, first documented by Cybereason last year, comes with a wide range of capabilities and communicates with a command-and-control (C2) server to siphon data, including screenshots, credit card information, cryptocurrency wallets, stored browser passwords, emails, and system information.
Raccoon is also unusual in that it sidesteps the blocking of active C2 servers by making a request to a public Telegram channel (“blintick”) to retrieve the encrypted address of the current C2 server, in addition to offering 24x7 customer support for community questions and comments through the chat service. This is the classic dead-drop resolver pattern: the indicator hard-coded in the sample is the channel, not the C2, so blocking or taking down one C2 server does not sever existing infections; the operators only need to update what the channel publishes.
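The dead-drop behaviour above leaves a recognisable footprint in egress logs: a host fetches a Telegram channel page and, seconds later, starts talking to a server it has never contacted before. The script below is an added example (not Group-IB or Cybereason code) that hunts for that sequence over a constructed proxy log. It makes no claim about how Raccoon actually encodes the C2 address in the channel; the log format, field order, the 60-second window and the sample IPs are illustrative assumptions.

```python
"""
Detection sketch for the 'dead-drop resolver' pattern: a stealer fetches a public
Telegram channel page to learn its real C2 address, then contacts that
(previously unseen) host. Added example, not Group-IB or Cybereason code; the
proxy-log format, field order and the 60-second window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample proxy log, one request per line:
#   <ISO-8601 timestamp> <client IP> <method> <URL> <user agent>
SAMPLE_LOG = """\
2020-09-01T10:00:01 10.0.0.5 GET https://t.me/somechannel Mozilla/5.0 (Windows NT 10.0) Chrome/85.0
2020-09-01T10:00:03 10.0.0.5 GET https://www.example.com/ Mozilla/5.0 (Windows NT 10.0) Chrome/85.0
2020-09-01T10:05:00 10.0.0.7 GET https://t.me/blintick Mozilla/4.0
2020-09-01T10:05:02 10.0.0.7 POST http://203.0.113.45/gate/log.php Mozilla/4.0
2020-09-01T10:05:09 10.0.0.7 GET http://203.0.113.45/gate/libs.zip Mozilla/4.0
2020-09-01T11:00:00 10.0.0.9 GET https://t.me/somechannel Mozilla/5.0 (Windows NT 10.0) Chrome/85.0
"""

# Hosts that serve public Telegram channel previews to any unauthenticated client.
DEAD_DROP_HOSTS = {"t.me", "telegram.me", "telegram.org"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_log(log_text: str) -> List[dict]:
    """Parse the constructed log format into event dicts sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting the hunt
        ts, client, method, url, ua = m.groups()
        h = HOST_RE.match(url)
        if not h:
            continue
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "url": url,
            "host": h.group(1).lower(),
            "ua": ua,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_dead_drop_candidates(log_text: str, window_seconds: int = 60,
                              ip_literals_only: bool = True) -> List[dict]:
    """Return one alert per (client, newly contacted host) where the client
    fetched a Telegram channel page and, within `window_seconds`, contacted a
    host it had never been seen talking to earlier in the log.

    ip_literals_only=True restricts alerts to raw IPv4 destinations, which cuts
    false positives from ordinary browsing (a user reads a channel, then opens
    a new website). Set it to False to see the noisier variant.
    """
    seen_hosts: Dict[str, set] = defaultdict(set)
    last_fetch: Dict[str, dict] = {}
    alerts = []
    for ev in parse_log(log_text):
        client, host = ev["client"], ev["host"]
        if host in DEAD_DROP_HOSTS:
            last_fetch[client] = ev
        elif client in last_fetch and host not in seen_hosts[client]:
            delta = (ev["ts"] - last_fetch[client]["ts"]).total_seconds()
            if delta <= window_seconds and (not ip_literals_only or IPV4_RE.match(host)):
                alerts.append({
                    "client": client,
                    "dead_drop": last_fetch[client]["url"],
                    "new_host": host,
                    "first_request": ev["url"],
                    "seconds_after": delta,
                    "ua": ev["ua"],
                })
        seen_hosts[client].add(host)
    return alerts


if __name__ == "__main__":
    for a in find_dead_drop_candidates(SAMPLE_LOG):
        print(f"{a['client']} fetched {a['dead_drop']} then contacted "
              f"{a['new_host']} after {a['seconds_after']:.0f}s ({a['first_request']})")
```

On the sample data only 10.0.0.7 is flagged: it reads the channel and two seconds later POSTs to a raw IP it has never spoken to; the second request to the same IP is not a new host and is not repeated as an alert. In production the "never seen before" baseline should come from weeks of history rather than the same log file, and the user agent of the channel fetch (a bare, dated string rather than the host's normal browser) is a useful second signal.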
The AveMaria RAT, likewise, is capable of establishing persistence, logging keystrokes, injecting malicious code, and exfiltrating sensitive data, among other functions.
Both Vidar and Raccoon are offered as malware-as-a-service (MaaS) on underground forums. The rental price for the Vidar stealer ranges from $250 to $300 per month, while the latter costs $200 a month to use.
In addition to the four waves described above, Group-IB also observed an interim phase between May and September 2020, during which as many as 20 online stores were infected with a modified JS-sniffer of the FakeSecurity family.
Interestingly, the infrastructure used to distribute the Vidar and Raccoon stealers was reused to host the sniffer code and collect stolen bank card data, leading the researchers to link the two campaigns.
The development is yet another indication that adversaries are stepping up their efforts to compromise online marketplaces to pilfer customer payment information, even as law enforcement agencies work to tackle cybercrime.
Earlier this January, Interpol, acting on digital forensic evidence from Group-IB, arrested three individuals affiliated with a group known as “GetBilling” as part of an operation codenamed Night Fury for running a JS-sniffer campaign in Indonesia.