The marketing campaign progressed in four waves, starting in February and ending in September, with the operators relying on specifically-crafted phishing webpages and lure paperwork laced with destructive macros to obtain Vidar and Raccoon facts stealers onto victim devices.
The greatest objective of the attack, the researchers pointed out, was to steal payment and consumer info via various attack vectors and applications to supply the malware.
The bogus web webpages were being produced employing the Mephistophilus phishing package, which will allow attackers to generate and deploy phishing landing webpages engineered for distributing malware.
“Attackers despatched inbound links to bogus webpages that informed victims about a lacking plugin expected to show the document correctly,” Group-IB scientists described in an evaluation of the cybercrime group’s techniques final November. “If a consumer downloaded the plugin, their computer was contaminated with the password-stealing malware.”
Though the first wave of the marketing campaign in February and March sent the Vidar password stealer to intercept passwords from consumer browsers and many applications, subsequent iterations switched to the Raccoon stealer and AveMaria RAT to satisfy its goals.
Raccoon, initially documented by Cybereason previous 12 months, arrives with a large vary of abilities and communicates with a command-and-handle (C2) server to siphon data — together with screenshots, credit card info, cryptocurrency wallets, stored browser passwords, email messages, and program facts.
Raccoon is also distinctive in that it bypasses the blocking of lively C2 servers by making a request to a Telegram channel (“blintick”) in buy to receive the encrypted address of the C2 server, apart from presenting 24×7 consumer aid to local community questions and feedback by the chat support.
AveMaria RAT, similarly, is able of guaranteeing persistence, recording keystrokes, injecting malicious code, and exfiltrating sensitive information, between some others.
Both of those Vidar and Raccoon are sold as malware-as-a-support (MaaS) on underground forums. The rental rate for Vidar stealer ranges from $250 to $300 per thirty day period, whereas the latter charges $200 a month to use.
Together with the 4 levels described over, Team-IB also observed an interim period concerning Might to September 2020, for the duration of when as a lot of as 20 on-line merchants were being infected with a modified JS-sniffer of the FakeSecurity relatives.
Curiously, the infrastructure used to distribute the Vidar and Raccoon stealers were being reused to retailer the sniffer code and acquire stolen bank card information, leading the researchers to link the two campaigns.
The progress is still a further sign that adversaries are stepping up their initiatives to compromise on-line marketplaces to pilfer purchaser payment info, even as legislation enforcement businesses are performing to deal with cybercrime.
Earlier this January, the Interpol, acting on electronic forensic proof from Group-IB, nabbed three people today connected with a group called “GetBilling” as portion of an procedure codenamed Evening Fury for managing a JS-sniffer campaign in Indonesia.
Located this article interesting? Follow THN on Fb, Twitter and LinkedIn to browse much more distinctive material we post.