The last few years have seen organizations embrace remote work and technologies that allow employees to work outside the traditional perimeter of an enterprise network. Technologies that allow this kind of work to occur include VPNs, remote access solutions, web applications, and more, and all of these technologies require one thing to get started: credentials. As the enterprise network perimeter becomes less important, the access of employees becomes a point for adversaries to target for initial and persistent access to organizations. Information stealer malware such as RedLine, Vidar, and Raccoon all gather credentials from various sources on a computer system, including password managers, web browsers, files on disk, and more. When used properly, an instance of stealer malware can gather credentials that enable privileged and persistent access to an enterprise in the course of a minute or less.
Stealing the spotlight
Red Canary and the larger information security community witnessed a rise in the use of stealer malware in 2022, with several stealers making it into our top 10 lists during various months throughout the year. We observed RedLine, Raccoon, and Vidar malware across multiple customer environments in various industries. No industry is immune to stealer malware, and its spread is often opportunistic, usually driven by malicious advertising and SEO manipulation. Most often masquerading the malware as fake or trojanized installer files, adversaries found victims who unwittingly downloaded the stealers from compromised or fake sites disguised as download pages for legitimate tools. In many of these instances, the adversaries deploying the malware also chose to sharply increase the size of their malware files with padding to prevent security tools and sandboxes from effectively handling the stealers during analysis. This inflated file size can significantly hinder sandbox analysis due to upload size restrictions, and it can hinder analysis tools on a local system by slowing them down while they process a large file.
This use of stealers gained high visibility in 2022 thanks to LAPSUS$ conducting high-profile breaches. As part of their strategy to gain initial access to targeted organizations, LAPSUS$ relied on gaining initial access with credentials taken by RedLine and other stealer malware and sold afterward. This strategy proved extremely successful, resulting in multiple breaches for high-profile organizations such as Uber and Okta.
We observed RedLine, Raccoon, and Vidar most commonly during the year, and each of these threats has retained a long-held share of the illegal stealer market. In fact, Raccoon and Vidar have evolved from older families to remain relevant and effective. While these stealers took the spotlight, additional stealers operated at lesser prevalence during the year, including some new players such as Aurora Stealer, OriginLogger, and Rhadamanthys. Adversaries looking for stealer malware find no shortage of options, and those options continue to evolve and grow more effective.