Stealers
If identities are the new perimeter, information-stealing malware helps adversaries cross over.
As organizations continue to embrace technologies that allow employees to work outside the traditional perimeter of an enterprise network, identities and credentials remain key to allowing access to resources from remote locations. Information-stealing malware such as RedLine, Vidar, and LummaC2 all gather credentials from various sources on a computer system, including password managers, web browsers, files on disk, and more. In the hands of an adversary, information stealers can gather credentials that allow access to local systems and cloud solutions, depending on what a victim may have stored on their system.
What we saw in 2023
Throughout 2023, Red Canary observed information-stealing malware affecting many organizations, and stealers frequently appeared in our monthly top 10 rankings. In fact, stealers accounted for nearly 10 percent of activity we were able to associate with named threats in 2023. For the year overall, few malware families with stealer capabilities broke into the top 10, because the stealer market is so diverse that the activity is spread across many families. Modular malware families such as Yellow Cockatoo, which have modules to facilitate stealer-like activity, contrast with traditional stealer malware such as LummaC2, RedLine, Ducktail, Stealc, and Atomic Stealer. For information on cloud-specific stealers, read our API abuse in the cloud trend page.
In 2023, Red Canary observed more macOS systems being targeted by stealer malware than in previous years. Atomic Stealer, which targets macOS keychains and browsers to gather credentials, cracked our top 10 observed threats in August 2023. Other security companies reported on additional macOS stealers, documenting threats such as MacStealer and MetaStealer.
Taking inventory of the stealer market
Some prominent stealer families differentiated themselves in 2023 with focus and delivery patterns. Ducktail stepped up distribution through social media, often approaching victims with lures appearing as job postings through LinkedIn messages. The stealer functionality itself in Ducktail focused on obtaining cookies and credentials for Facebook Business Manager and advertising accounts.
Other families set themselves apart using new features, like LummaC2 adding the ability to revive expired Google OAuth account cookies in November 2023. This same feature was quickly adopted by other stealers by the end of the year, showing how quickly innovation can spread among malware competitors.
For stealer families with more widespread distribution goals, SEO manipulation and malicious advertising remained evergreen techniques to entice users into downloading malware. For much of the year, adversaries used these techniques to distribute stealers and remote access software, sometimes together. In most of these cases, the adversaries distributed fake installers posing as legitimate software, and they often experimented with different file types for distribution.
For stealers in EXE form, we often observed the malware masquerading with names such as Setup.Final.exe, ChromeSetup.exe, and specific software names combined with free_download.exe. We also observed adversaries distributing MSI and MSIX installer files in attempts to evade detection, with names such as DirectXAdvancedSupport.msi and windirstat-x86.msix.
In some cases we observed stealers deployed alongside other malware families. For example, this year we observed the malware that Elastic calls GHOSTPULSE deploy RedLine stealer and ArechClient2 on the same host. First, GHOSTPULSE executed its DLL sideloading technique. Next, PowerShell spawned and reflectively loaded RedLine, while MSBuild was spawned to host an injected instance of ArechClient2.
Take action
Detection opportunities
Detection opportunities for stealer malware vary for each family. Some families such as RedLine do not leave file modification or registry evidence on disk for detection, while others, such as Raccoon, do. This means that detection depends on the different points of evidence that each malware family leaves behind. For example, RedLine is developed using the .NET Framework and it contains all the code necessary for taking information from browsers. During execution, RedLine leaves little telemetry but is often injected into other processes, which may be easily detected or mitigated depending on the process the adversary targets for injection. In the case of Raccoon and Vidar, these native C/C++ stealers rely on external DLLs for browser password theft. During execution, we can detect Raccoon and Vidar by identifying those DLL downloads and module loads.
Uncommon processes without command-line arguments and having network connections
Adversaries that deploy RedLine often combine the malware with different products intended to hide RedLine from security tools. These products often inject RedLine into unexpected processes such as InstallUtil.exe, MSBuild.exe, aspnet_compiler.exe, and more. While their intention to hide is clear, they usually don’t specify command-line arguments for these processes, which require arguments for successful legitimate execution. In addition, these processes don’t commonly establish external network connections. When taken together, these data points suggest that malware may have been injected into the suspicious process. While this isn’t always an indicator of RedLine stealer, it can help identify multiple malware families. See the Process Injection portion of this report for detailed detection guidance.
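As an added example (not Red Canary’s code), the following Python check applies the three conditions above together over constructed process telemetry: a watched image name, an empty argument list, and an outbound connection to a non-internal address. The watchlist is taken from the names above and the internal ranges are an assumption; both should be tuned to your environment.

```python
import ipaddress

# Processes named in the report as RedLine injection targets (extend as needed).
INJECTION_TARGETS = {"installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
# Assumed "internal" ranges: RFC 1918, loopback, link-local (tune to your address plan).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def split_cmdline(cmdline: str):
    """Split a Windows command line into (executable path, remaining arguments)."""
    cmd = cmdline.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()

def image_name(cmdline: str) -> str:
    """Lowercase basename of the executable, e.g. 'installutil.exe'."""
    return split_cmdline(cmdline)[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()

def has_arguments(cmdline: str) -> bool:
    """True when anything follows the (possibly quoted) executable path."""
    return split_cmdline(cmdline)[1] != ""

def is_external(ip: str) -> bool:
    """True when the address falls outside every assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_injected_hosts(events):
    """Ids of events meeting all three conditions: watched image, no args, external connection."""
    hits = []
    for ev in events:
        if (image_name(ev["cmdline"]) in INJECTION_TARGETS
                and not has_arguments(ev["cmdline"])
                and any(is_external(ip) for ip in ev["remote_ips"])):
            hits.append(ev["id"])
    return hits

# Constructed sample telemetry; 203.0.113.0/24 (TEST-NET-3) stands in for the public internet.
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"', "remote_ips": ["203.0.113.45"]},
    {"id": 2, "cmdline": r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe build.proj /p:Configuration=Release', "remote_ips": []},
    {"id": 3, "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe', "remote_ips": ["10.20.30.40"]},
    {"id": 4, "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"', "remote_ips": ["203.0.113.10"]},
]
```

Only event 1 meets all three conditions; event 3 has no arguments but only talks to an internal address, which is why the conditions are combined rather than alerted on individually.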
File modifications to AppData\LocalLow\*.dll
Raccoon stealer must download and load additional DLL files into memory so it can gather credentials from Chromium and Gecko-based web browsers. The downloaded DLLs often get stored in the AppData\LocalLow folder, which does not typically contain DLL content for Windows systems. These files include:
- AppData\LocalLow\nss3.dll
- AppData\LocalLow\mozglue.dll
- AppData\LocalLow\sqlite3.dll
- AppData\LocalLow\msvcp140.dll
- AppData\LocalLow\vcruntime140.dll
- AppData\LocalLow\freebl3.dll
- AppData\LocalLow\softokn3.dll
File modifications to ProgramData\*.dll
Vidar stealer (and its derivatives) must also download and load additional DLL files for gathering credentials. The downloaded DLLs for this malware often get stored in the root of the ProgramData folder, a location that does not typically contain DLL content for Windows systems. The content of the DLL files themselves is the same as used by Raccoon; Vidar simply stores them in a different folder.
Testing
Start testing your defenses against stealers using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.
Getting started
As a category of threats, information stealers leverage far too wide a range of behaviors for us to offer meaningful testing guidance. However, security teams may be able to refine detection coverage for these and other stealers by running atomics for T1055: Process Injection and T1555.003: Credentials from Web Browsers.
Review and repeat
Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:
- Were any of your actions detected?
- Were any of your actions blocked or prevented?
- Were your actions visible in logs or other defensive telemetry?
Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.