
Info Stealers: Cheap but Dangerous


Written by Dima Khrustalov

Executive Summary

  • Info stealers (aka stealers) are Trojan malware programs designed to collect and steal information from a victim’s device.
  • Stealers are extremely popular among cybercriminals: they offer powerful functionality for a wide range of cybercrime and digital fraud at low prices, and require little technical know-how to operate.
  • Today’s most popular stealers in the Russian-language underground community (Raccoon, VIDAR, Mars and Redline) are highly affordable. Monthly subscriptions range from $140 to $300.
  • Raccoon and VIDAR are also offered as MaaS[1]: customers are provided with all the operational infrastructure needed to run a malware campaign.
  • The underground stealer ‘marketplace’ has evolved: a growing number of services sell the results of running a stealer against a botnet (a set of infected victims). Such results are commonly referred to as “logs”.

Background

Info stealers (aka stealers) are Trojan malware programs designed to collect and steal information from a victim’s device. Notably, these stealers do not persist on the victim’s machine. Rather, they execute once, collect and exfiltrate the targeted information, and then delete themselves. Because the binary removes itself, an infection often leaves little on disk for forensic examination; the theft is frequently discovered only when the stolen accounts are abused or the logs turn up for sale. The collected information is delivered to the threat actor as a log via email, a messenger chat (e.g. Telegram), or a command-and-control server. Stealers require neither a high level of technical knowledge to operate nor complex infrastructure to run (unlike botnets, for example). Nevertheless, in skillful hands they are a serious threat because of the sensitive information they harvest from victims. In addition, most current stealers can also be deployed as a separate module within a botnet, extending the botnet’s functionality.
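The execute-once, read-the-stores, exfiltrate, self-delete sequence described above is also what a defender can look for in endpoint telemetry. The following is an added example written for this article, not code from the original post or from any of the stealers it covers. The log lines are constructed, Sysmon-style JSON events invented for the illustration (the field names `type`, `pid`, `image`, `path`, `dst` are an assumption; real sensors use different schemas), and the scoring thresholds are likewise illustrative.

```python
"""Flag info-stealer behaviour in endpoint telemetry.

Added example for this article; not code from the original post or from any
stealer. The sample log below is constructed Sysmon-style JSON (field names are
an assumption). The rule looks for the pattern the text describes: a process
that is not a browser reads browser credential or cookie stores, then talks to
the network, then deletes its own image.
"""
import json
from collections import defaultdict

# File names of Chromium and Firefox credential/cookie stores (matched by suffix).
SENSITIVE_STORES = ("Login Data", "Cookies", "Web Data",
                    "logins.json", "cookies.sqlite", "key4.db")
# Processes that legitimately read their own profile stores.
BROWSER_IMAGES = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe")
ALERT_THRESHOLD = 4  # illustrative: tune against your own telemetry

# Constructed sample telemetry: pid 4120 behaves like a stealer, pid 3001 is Chrome.
SAMPLE_LOG = r"""
{"ts": 1, "type": "ProcessCreate", "pid": 4120, "image": "C:\\Users\\bob\\Downloads\\setup.exe"}
{"ts": 2, "type": "FileRead", "pid": 4120, "path": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": 3, "type": "FileRead", "pid": 4120, "path": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts": 4, "type": "FileRead", "pid": 4120, "path": "C:\\Users\\bob\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\logins.json"}
{"ts": 5, "type": "NetworkConnect", "pid": 4120, "dst": "198.51.100.23", "dport": 443}
{"ts": 6, "type": "FileDelete", "pid": 4120, "path": "C:\\Users\\bob\\Downloads\\setup.exe"}
{"ts": 1, "type": "ProcessCreate", "pid": 3001, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"ts": 2, "type": "FileRead", "pid": 3001, "path": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": 3, "type": "NetworkConnect", "pid": 3001, "dst": "142.250.72.14", "dport": 443}
"""


def parse_events(jsonl):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def analyse(events):
    """Return {pid: verdict} for every non-browser process that touched a credential store."""
    state = defaultdict(lambda: {"image": "", "stores": set(), "first_read": None,
                                 "exfil": False, "self_delete": False})
    for e in sorted(events, key=lambda e: e["ts"]):
        p = state[e["pid"]]
        kind = e["type"]
        if kind == "ProcessCreate":
            p["image"] = e["image"]
        elif kind == "FileRead" and e["path"].endswith(SENSITIVE_STORES):
            p["stores"].add(e["path"].rsplit("\\", 1)[-1])
            if p["first_read"] is None:
                p["first_read"] = e["ts"]
        elif kind == "NetworkConnect" and p["first_read"] is not None:
            # Outbound traffic *after* the stores were read: the exfiltration step.
            p["exfil"] = True
        elif kind == "FileDelete" and p["image"] and e["path"].lower() == p["image"].lower():
            p["self_delete"] = True  # the binary removed its own image

    verdicts = {}
    for pid, p in state.items():
        exe = p["image"].rsplit("\\", 1)[-1].lower()
        if exe in BROWSER_IMAGES or not p["stores"]:
            # A browser reading its own profile is normal. Caveat: a stealer injected
            # into the browser process itself would not be caught by this rule.
            continue
        score = len(p["stores"]) + (1 if p["exfil"] else 0) + (2 if p["self_delete"] else 0)
        verdicts[pid] = {"image": p["image"], "stores": sorted(p["stores"]),
                         "exfil": p["exfil"], "self_delete": p["self_delete"],
                         "score": score, "alert": score >= ALERT_THRESHOLD}
    return verdicts


if __name__ == "__main__":
    for pid, v in analyse(parse_events(SAMPLE_LOG)).items():
        flag = "ALERT" if v["alert"] else "info"
        print(f"[{flag}] pid={pid} {v['image']} score={v['score']} "
              f"stores={v['stores']} exfil={v['exfil']} self_delete={v['self_delete']}")
```

Run stand-alone, the script flags `setup.exe` (three stores, a connection after the reads, self-deletion) and stays silent on Chrome. The order check matters: a connection made before any store was read is not counted, since that is ordinary software behaviour. The browser allowlist is the rule's blind spot, so pair it with a separate rule for non-browser access to the same paths via process injection.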


Popular Stealers

The four most popular stealers today in the Russian-language underground community are Raccoon, VIDAR, Mars and Redline.

[Images: underground advertisements for Raccoon, VIDAR, Mars and Redline]

Affordability

One of the most notable reasons for these and other stealers’ popularity is their affordability. The table below compares the monthly subscription fees for the above-mentioned stealers:

[Table: monthly subscription fees for Raccoon, VIDAR, Mars and Redline]

The cheapest of the four, Mars, sells for $140 per month, while the most expensive, VIDAR, sells for $300 per month. Raccoon and VIDAR are offered as MaaS, meaning that the subscription includes all of the infrastructure and setup (servers, reverse proxies, etc.) required to run a malware campaign. These low prices, coupled with ease of use, lower the entry barrier for cybercriminals.

In addition, the underground stealer ‘marketplace’ has evolved. A growing number of underground services offer the output of stealer operations for sale, commonly referred to as “logs” or “info logs”. In this model, threat actors do not need to run a stealer at all: they simply contact one of these services and purchase the logs of victims they are interested in, while the actual execution of the stealer against the victims, from initial infection to data exfiltration, is handled by the service vendor.


Functionality

The affordability and ease of use are not the only reasons behind stealers’ popularity. Stealers also offer powerful functionality for a wide range of cybercrimes and fraud. The table below compares the functional categories of the four described stealers:

[Table: functionality comparison of Raccoon, VIDAR, Mars and Redline (file grabber, clipper, passwords/cookies/autofills/history, payment cards, build size)]
  • File Grabber - a module designed to steal files from the victim’s device. Certain files may contain sensitive information (e.g. document scans, ID scans, PII) that is very valuable in the hands of attackers.
  • Clipper - a module designed to steal cryptocurrency by replacing wallet addresses in the victim’s clipboard with wallet addresses belonging to the attacker, so that a payment the victim pastes and sends goes to the attacker instead.
  • Passwords, cookies, autofills, history - a crucial module designed to steal saved passwords, cookies, browser autofill data and browsing history. The ability to steal cookies is particularly powerful: a stolen session cookie lets the attacker take over an already-authenticated session, so the account’s 2FA controls are never challenged.
  • Payment Cards - a module designed to steal payment card details (number, expiration date, CVV) saved in the browser. This information is used to commit payment card fraud.
  • Build Size - the size of the malicious file used for infection.
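The cookie point deserves a concrete illustration: once a user has passed the second factor, the session cookie the server issues is itself the proof of authentication, and any client presenting it is treated as that user. The following is an added example written for this article (not code from the original post or from any stealer) showing a naive session store that is defeated by a replayed cookie, beside a store that binds the session to the client that completed 2FA. The IP addresses and User-Agent strings are constructed, and the fingerprint scheme (/24 network plus User-Agent, keyed with a per-deployment secret) is one illustrative choice.

```python
"""Why a stolen session cookie bypasses 2FA, and one server-side counter-check.

Added example for this article; not code from the original post or any stealer.
Client IPs and User-Agents are constructed. NaiveSessionStore treats any valid
cookie as the user (the design the stolen-cookie attack relies on);
BoundSessionStore remembers which client completed 2FA and refuses the same
cookie from a different one.
"""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: one secret per deployment, not stored with sessions


def client_fingerprint(ip, user_agent):
    """Coarse client identity: /24 network plus User-Agent, keyed-hashed.

    Coarse on purpose: address churn inside one subnet should not log a user out,
    but a cookie replayed from another network or another browser should fail.
    """
    net = ".".join(ip.split(".")[:3])
    return hmac.new(SERVER_KEY, f"{net}|{user_agent}".encode(), hashlib.sha256).hexdigest()


class NaiveSessionStore:
    """Session == cookie. After 2FA at login, the cookie is all a request needs."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, password_ok, otp_ok, ip, user_agent):
        if not (password_ok and otp_ok):      # both factors checked exactly once
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "fp": client_fingerprint(ip, user_agent)}
        return sid

    def authorize(self, sid, ip, user_agent):
        s = self.sessions.get(sid)
        if s is None:
            return "deny", None
        return "allow", s["user"]             # 2FA never re-checked: a stolen sid is enough


class BoundSessionStore(NaiveSessionStore):
    """Same cookie, but bound to the client fingerprint captured when 2FA succeeded."""

    def authorize(self, sid, ip, user_agent):
        s = self.sessions.get(sid)
        if s is None:
            return "deny", None
        if s["fp"] != client_fingerprint(ip, user_agent):
            # Likely replay of a stolen cookie: revoke it and require a fresh 2FA login.
            del self.sessions[sid]
            return "reauth", s["user"]
        return "allow", s["user"]


def demo():
    """Victim logs in with 2FA; the stolen cookie is then replayed from the attacker's host."""
    victim = ("192.0.2.10", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120")
    attacker = ("203.0.113.9", "Mozilla/5.0 (X11; Linux x86_64) Firefox/118")
    results = {}
    for name, store in (("naive", NaiveSessionStore()), ("bound", BoundSessionStore())):
        sid = store.login("alice", True, True, *victim)
        results[name] = {
            "victim": store.authorize(sid, *victim)[0],
            "attacker_replay": store.authorize(sid, *attacker)[0],
            "victim_after": store.authorize(sid, *victim)[0],
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

With the naive store the attacker's replay is simply "allow": the OTP was verified once, at login, and the cookie carries that trust wherever it goes. The bound store returns "reauth" for the replay and revokes the session, at the cost of also logging the victim out (a step-up challenge instead of revocation is the usual production choice). The fingerprint is a heuristic, not a guarantee: an attacker who replays the cookie with the victim's User-Agent from a nearby address range will pass it, so short session lifetimes and server-side revocation on password change remain necessary.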

As the table shows, all four stealers possess powerful and diverse functionality, which has made them extremely popular with cybercriminals and fraudsters pursuing a wide range of goals.

[1] Malware as a Service



About the Author

Dima Khrustalov is a senior analyst at Q6 Cyber’s Tel Aviv office, covering global cybercriminal activities on the Dark Web and Deep Web. Prior to Q6 Cyber, Dima was an Anti-Money-Laundering and Due Diligence analyst. Dima holds a BA in Communications and Business Administration from the Hebrew University of Jerusalem.