Trend

Stealers

Stealer malware—such as RedLine, Raccoon, and Vidar—enabled some of the highest-profile cyber breaches in 2022.

Analysis

The last few years have seen organizations embrace remote work and technologies that allow employees to work outside the traditional perimeter of an enterprise network. Technologies that allow this kind of work to occur include VPNs, remote access solutions, web applications, and more, and all of these technologies require one thing to get started: credentials. As the enterprise network perimeter becomes less important, the access of employees becomes a point for adversaries to target for initial and persistent access to organizations. Information stealer malware such as RedLine, Vidar, and Raccoon all gather credentials from various sources on a computer system, including password managers, web browsers, files on disk, and more. When used properly, an instance of stealer malware can gather credentials that enable privileged and persistent access to an enterprise in the course of a minute or less.

Stealing the spotlight

Red Canary and the larger information security community seemed to witness a rise in the use of stealer malware in 2022, with several stealers making it into our top 10 lists during various months throughout the year. We observed RedLine, Raccoon, and Vidar malware across multiple customer environments in various industries. We observed that no industry is immune to stealer malware and that the spread of such malware is often opportunistic, usually through advertising and SEO manipulation. Most often masquerading the malware as fake or trojanized installer files, adversaries found victims who unwittingly downloaded malware from compromised or fake sites disguised as download pages for legitimate tools. In many of these instances, the adversaries deploying the malware also chose to sharply increase the size of their malware files with padding to prevent security tools and sandboxes from effectively handling the stealers during analysis. This large sample size can significantly hinder analysis with sandboxes due to upload size restrictions, and it can hinder analysis tools on your local system by causing them to slow down while processing a large file.

This use of stealers gained high visibility in 2022 thanks to LAPSUS$ conducting high-profile breaches. As part of their strategy to gain initial access to targeted organizations, LAPSUS$ relied on gaining initial access with credentials taken by RedLine and other stealer malware and sold afterward. This strategy proved extremely successful, resulting in multiple breaches for high-profile organizations such as Uber and Okta.

We observed RedLine, Raccoon, and Vidar most commonly during the year, and each of these threats has retained a long-held share of the illegal stealer market. In fact, Raccoon and Vidar have evolved from older families to remain relevant and effective. While these stealers took the spotlight, additional stealers operated at lesser prevalence during the year, including some new players such as Aurora Stealer, OriginLogger, and Rhadamanthys. Adversaries looking for stealer malware find no shortage of options that simply evolve and grow with efficacy.

Detection opportunities

Detection opportunities for stealer malware vary for each family. Some families such as RedLine do not leave file modification or registry evidence on disk for detection, while others, such as Raccoon, do. This means that detection depends on the different points of evidence that each malware family leaves behind. For example, RedLine is developed using the .NET Framework and it contains all the code necessary for taking information from browsers. During execution, RedLine leaves little telemetry but is often injected into other processes, which may be easily detected or mitigated depending on the process the adversary targets for injection. In the case of Raccoon and Vidar, these native C/C++ stealers rely on external DLLs for browser password theft. During execution, we can detect Raccoon and Vidar by identifying those DLL downloads and module loads.

Uncommon processes without command-line arguments and having network connections

Adversaries that deploy RedLine often combine the malware with different products intended to hide RedLine from security tools. These products often inject RedLine into unexpected processes such as InstallUtil.exe, MSBuild.exe, aspnet_compiler.exe, and more. While their intention to hide is clear, they usually don’t specify command-line arguments for these processes, which require arguments for successful legitimate execution. In addition, these processes don’t commonly establish external network connections. When taken together, these data points suggest that malware may have been injected into the suspicious process. While this isn’t always an indicator of RedLine stealer, it can help identify multiple malware families. See the Process Injection portion of this report for detailed detection guidance.

File modifications to AppData\LocalLow\*.dll

Raccoon stealer must download and load additional DLL files into memory so it can gather credentials from Chromium and Gecko-based web browsers. The downloaded DLLs often get stored in the AppData\LocalLow folder, which does not typically contain DLL content for Windows systems. These files include:

  • AppData\LocalLow\nss3.dll
  • AppData\LocalLow\mozglue.dll
  • AppData\LocalLow\sqlite3.dll
  • AppData\LocalLow\msvcp140.dll
  • AppData\LocalLow\vcruntime140.dll
  • AppData\LocalLow\freebl3.dll
  • AppData\LocalLow\softokn3.dll

File modifications to ProgramData\*.dll

Vidar stealer (and its derivatives) must also download and load additional DLL files for gathering credentials. The downloaded DLLs for this malware often get stored in the root of the ProgramData folder, a location that does not typically contain DLL content on Windows systems. The content of the DLL files themselves is the same as that used by Raccoon; Vidar simply stores them in a different folder.
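As an added example (not code from the Red Canary report), the following Python routine encodes the three detection opportunities above as triage logic over constructed endpoint telemetry: an injection-host process started without arguments that makes an external connection, and DLL writes to AppData\LocalLow or the root of ProgramData. The event field names and sample events are assumptions chosen for the example.

```python
from pathlib import PureWindowsPath

# Process names the report lists as common RedLine injection targets.
INJECTION_HOSTS = {"installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
# DLLs the report lists for Raccoon; Vidar drops the same files in ProgramData.
STEALER_DLLS = {"nss3.dll", "mozglue.dll", "sqlite3.dll", "msvcp140.dll",
                "vcruntime140.dll", "freebl3.dll", "softokn3.dll"}

# Constructed sample telemetry (assumed schema), not real customer data.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"', "external_net": True},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" app.proj /t:Rebuild',
     "external_net": False},
    {"type": "file", "path": r"C:\Users\alice\AppData\LocalLow\nss3.dll"},
    {"type": "file", "path": r"C:\ProgramData\sqlite3.dll"},
    {"type": "file", "path": r"C:\ProgramData\Vendor\helper.dll"},
]

def has_arguments(cmdline: str) -> bool:
    """True if anything follows the executable token (quoted or bare)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(maxsplit=1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() != ""

def suspicious_process(ev: dict) -> bool:
    """Injection-host binary, no command line, yet an external connection."""
    name = PureWindowsPath(ev["image"]).name.lower()
    return name in INJECTION_HOSTS and not has_arguments(ev["cmdline"]) and ev["external_net"]

def stealer_dll_drop(path: str):
    """Return 'raccoon', 'vidar', or None for a written file path."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".dll":
        return None
    parent = p.parent
    if parent.name.lower() == "locallow" and parent.parent.name.lower() == "appdata" \
            and p.name.lower() in STEALER_DLLS:
        return "raccoon"
    if parent.name.lower() == "programdata" and parent.parent.name == "":  # root of ProgramData
        return "vidar"
    return None

def triage(events: list) -> list:
    """Return (event index, label) for every event matching a detection opportunity."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process" and suspicious_process(ev):
            hits.append((i, "injected_host_process"))
        elif ev["type"] == "file" and (label := stealer_dll_drop(ev["path"])):
            hits.append((i, label))
    return hits
```

Subdirectories of ProgramData are deliberately not matched, since the report scopes the Vidar opportunity to the folder root.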

Testing

As a category of threats, information stealers leverage far too wide a range of behaviors for us to offer meaningful testing guidance. However, security teams may be able to refine detection coverage for these and other stealers by running atomics for T1055: Process Injection and T1555.003: Credentials from Web Browsers.
