Singapore: As many as 34 Russian-speaking groups are behind the distribution of info-stealing malware under the stealer-as-a-service model. These groups collectively infected more than 890,000 user devices and stole over 50 million passwords in seven months of 2022, revealed the Singapore-based cybersecurity major Group-IB.
Group-IB has identified those 34 Russian-speaking cybercriminal gangs, which mainly use the Raccoon and RedLine stealers to obtain passwords for gaming accounts on Steam and Roblox, credentials for Amazon and PayPal, as well as users’ payment records and crypto wallet credentials.
The Russian-speaking gangs collectively infected over 890,000 user devices and stole over 50 million passwords in the first seven months of 2022. India saw the highest number of infected devices in the Asia Pacific, followed closely by Indonesia, the Philippines and Vietnam.
All the identified groups orchestrate their attacks through Russian-language Telegram groups, although they mainly target users in the United States, Brazil, India, Germany, and Indonesia. In 2022, info-stealing malware has grown into one of the most serious digital threats.
By tracking the popular scam scheme Classiscam, Group-IB Digital Risk Protection analysts revealed how some “workers” (low-rank online scammers) started shifting to a more dangerous criminal scheme that involves distributing info stealers. Moreover, the illicit business of stealers coordinated via Telegram groups uses exactly the same operational model as Classiscam.
An info stealer is a type of malware that collects credentials stored in browsers (including gaming accounts, email services, and social media), bank card details, and crypto wallet information from infected computers, and then sends all this data to the malware operator.
After a successful attack, the scammers either obtain money themselves using the stolen data, or they sell the stolen information in the cybercriminal underground. According to Group-IB, stealers are one of the top threats to watch in the coming year. The threat actor responsible for the most recent attack on Uber purchased credentials that had been compromised with the Raccoon stealer.
According to the Group-IB Digital Risk Protection team (part of the Unified Risk Platform), Telegram groups and bots designed to distribute info stealers at scale first appeared in early 2021. By investigating a number of accounts, Group-IB analysts were able to confirm that members of several scam groups that previously participated in the Classiscam scheme began using stealers. In 2021 and 2022, Group-IB experts identified 34 active groups on Telegram. On average, such info-stealer distribution groups have around 200 active members.
Group-IB found RedLine to be the most popular stealer, used by 23 of the 34 groups. Raccoon ranks second, employed by 8 groups. Custom stealers are used in 3 communities.
Administrators usually give workers both RedLine and Raccoon in exchange for a share of the stolen data or money. On the dark web, however, the same malware is also offered for rent at $150-200 per month. Some groups use 3 stealers at the same time, while others have only one stealer in their arsenal.