Top 5 Info-Stealer Malware to Keep an Eye On (August 2023)

At SISA, we understand the ever-evolving nature of cyber threats and the importance of staying one step ahead to protect your organization’s sensitive data and assets. Our dedicated team of experts is constantly monitoring various platforms, gathering intelligence, and analyzing the latest cyber threats to provide valuable insights into the latest cyber risks that can impact organizations.

This monthly post provides a condensed overview of the threats encountered throughout the month.

Our team brings to you five significant info stealer malware that you should keep an eye on, including Meduza Stealer striking Windows systems in more than 10 countries, Realst info stealer targeting macOS user, Rilide Stealer exploiting vulnerabilities in Chromium-based browsers, Statc Stealer targeting crypto wallets and messaging apps, and Raccoon Stealer resurfacing with enhanced stealth features.

Read on to discover more…

1. New Windows Meduza Stealer targets tens of crypto wallets and password managers

Cybersecurity researchers have uncovered a novel Windows-based information stealer known as Meduza Stealer, actively developed to outwit detection by security software. This malware is the latest addition to the growing Crimeware-as-a-Service (CaaS) trend in the cybercriminal landscape. Discovered by security researchers through Telegram conversations and Dark Web monitoring, the Meduza virus targets Windows systems in 10 countries, adeptly stealing a wide array of data, including login credentials, browsing history, bookmarks, and information from numerous cryptocurrency wallets, password managers, clients, Discord, and web browsers.

What distinguishes Meduza is its intricate operational design that avoids common obfuscation techniques, rendering it virtually undetectable by most antivirus software. The malware’s strategic marketing across cybercrime forums and Telegram channels and its ability to evade both dynamic and static detection heighten its threat. While specific attacks haven’t been linked to Meduza yet, its emergence underscores the ongoing challenges posed by evolving cyber threats.

2. Realst: A Rust-based info stealer targeting macOS user’s crypto wallets

Realst, a newly discovered information-stealer malware coded in Rust language, has raised concerns among security experts after a researcher reported its involvement in attacks on Windows and macOS systems. The malware exploited fake blockchain games, using RedLine, Raccoon Stealer, and AsyncRAT to infect Windows, while targeting Mac devices directly with Realst. Realst poses a significant risk to macOS users, capable of emptying crypto wallets and stealing sensitive data.

One research revealed 59 Mach-O samples of Realst, some targeting Apple’s upcoming macOS 14 Sonoma. The malware disguises itself as fake blockchain games, distributed through Twitter, Discord, and PKG installers, evading detection with valid Apple Developer IDs or ad-hoc signatures. Games such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, and SaintLegend have been exploited as vehicles to distribute the malicious payload. Realst exhibits 16 variants with distinct behaviors, targeting popular browsers such as Firefox, Chrome, Opera, Brave, Vivaldi, as well as the Telegram app.

3. Rilide data theft malware upgrades for Chrome Extension Manifest V3

A new variant of Rilide Stealer has emerged, targeting vulnerabilities in popular Chromium-based web browsers like Google Chrome, Microsoft Edge, Brave, and Opera. This advanced version aims to pilfer sensitive information and cryptocurrency from victims. Researchers discovered over 1,300 phishing websites distributing this new Rilide Stealer variant along with other dangerous malware, using deceptive tactics to lure victims into downloading the malware.

The attackers employed sophisticated techniques to target various user groups, including PowerPoint phishing lures, fake game installers, and campaigns against banking users. This updated Rilide Stealer version demonstrates increased sophistication with advanced code obfuscation, adaptation to Chrome Extension Manifest V3, and features like ‘screenshot_rules’ for capturing browser tab screenshots. Additionally, the malware can exfiltrate stolen data, including credit card details, via a secure Telegram channel. This evolution underscores cybercriminals’ efforts to refine tactics and exploit new tools for more impactful malicious campaigns.

4. Statc Stealer malware jeopardizes personal data security

The emergence of Statc Stealer marks a significant threat to Windows devices, employing C++ to pilfer sensitive data from web browsers, messaging apps, and cryptocurrency wallets. Deceived by malvertising, users unwittingly trigger its download through disguised ads on Google Chrome. Once executed, the malware employs a Decoy PDF Installer and PowerShell script to fetch its main component. Its functionality encompasses stealing login details, cookies, and data from a range of browsers including Google Chrome, Microsoft Edge, Mozilla Firefox, Brave, Opera, and Yandex Browser.

To evade analysis, Statc Stealer performs checks on file names, halting operations at discrepancies, complicating reverse engineering. Stolen data is encrypted, packed into text files, temporarily stored in the Temp folder, and securely transmitted to its command and control (C&C) server via HTTPS protocol. This sophisticated malware’s broad capabilities and evasion techniques underscore the urgency of robust cybersecurity measures.

5. Raccoon Stealer malware resurfaces with enhanced stealth features

The Raccoon Stealer malware notorious for its wide-scale information theft capabilities has re-emerged with an enhanced version (2.3.0) after a 6-month dormancy. Active since 2019, the malware can exploit over 60 applications, extracting a diverse range of data, including login credentials and cryptocurrency wallet details. The new version features a refined dashboard with a rapid search tool, streamlining data extraction for cybercriminals.

It also boasts advanced OpSec enhancements, including the ability to recognize suspicious activity from the same IP and auto-delete related records to erase evidence. Additionally, a visual IP activity representation aids users in identifying potential bot interference. The malware now proactively blocks IPs linked to security crawlers and bots, ensuring its operational longevity. The Log Stats panel furnishes operational insights, aiding cybercriminals in optimizing tactics for higher success rates in subsequent campaigns.

Key recommendations to combat cyber risks:

• Adopt a stringent security policy that encompasses comprehensive aspects like password protocols, email usage guidelines, and timely software patching.
• Periodic security training for all employees is crucial. Focus on the imminent threats posed by info stealer malware, phishing attacks, and general safe online behavior.
• Beware of unknown ads and refrain from clicking on suspicious links, even if they appear legitimate.
• Invest in robust endpoint security solutions, integrating advanced antivirus and anti-malware systems.
• Implement sophisticated network monitoring tools to detect unusual data transfers, especially encrypted ones that go to unfamiliar domains.
• Mandate the use of Multi-Factor Authentication (MFA) for systems with sensitive data, adding a secondary security layer.
• Regularly update and test an incident response strategy tailored for info stealer malware incidents. Ensure it encompasses isolation, eradication, containment, and recovery measures.
• Regularly back up important data to a secure, offline location. In case of a malware infection, having backups ensures file restoration without paying ransom or losing valuable information.
• Keep a close eye on financial accounts, including cryptocurrency wallets, and regularly review transaction history for any suspicious activities. Report any unauthorized transactions or security breaches immediately.
• Keep track of emerging threat intelligence and known Indicators of Compromise (IoCs) to identify potential intrusions or signs of info stealer malware activity.