Common Infostealers – ReliaQuest

Infostealer malware activity rose notably in late 2023, with LummaC2, RedLine, and Raccoon leading the field and expanding the scope of data exfiltrated from users and organizations. The ReliaQuest report also outlines case studies, risks to sectors like healthcare and finance, and practical mitigations such as training, EDR in prevent/block mode, browser password controls, and stricter application control. #LummaC2 #RedLine #Raccoon #ReliaQuest #DLLSideLoading #Spearphishing #CredentialDumping

Keypoints

  • Infostealer activity on cybercrime marketplaces increased by 30.5% from Q3 to Q4 2023.
  • These tools harvest usernames, passwords, cookies, credit card data, crypto wallets, browser history, and more, often operating as part of botnets.
  • The three most prevalent infostealers in 2023 were LummaC2, RedLine, and Raccoon; LummaC2 grew fastest due to unique distribution methods.
  • Infostealers can serve as initial access for further attacks and enable credential stuffing and bank account access in targeted operations.
  • A notable LummaC2 case showed DLL side-loading and multi-domain delivery vectors leading to a C2 connection, illustrating evolving stealth and delivery techniques.
  • Recommended mitigations include employee training, EDR in prevent/block mode, restricting browser-saved passwords, and tightening application control.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – LummaC2 distribution via trojanized software files and spearphishing emails equipped with deceptive links or attachments. Report quote: ‘LummaC2 is best known for using unconventional distribution tactics, including the deployment of trojanized software files and spearphishing emails equipped with deceptive links or attachments.’
  • [T1566.002] Spearphishing Link – LummaC2 distribution via spearphishing emails equipped with deceptive links or attachments. Report quote: ‘…spearphishing emails equipped with deceptive links or attachments.’
  • [T1003] Credential Dumping – Infostealers harvest usernames, passwords, and other credentials. Report quote: ‘Infostealers are designed to infiltrate computers and transmit sensitive data, including: Usernames and passwords.’
  • [T1574.002] DLL Side-Loading – LummaC2 used DLL side-loading to bypass security measures and establish a C2 connection. Report quote: ‘Using DLL side-loading enabled the adversary to bypass security measures, execute the malware, and establish a C2 connection to ‘hxxp://ebalkayiu[.]fun/api’.’
  • [T1071.001] Web Protocols – C2 traffic and data exfiltration over web protocols to command-and-control servers. Report quote: ‘transmit data via command-and-control (C2) servers.’
  • [T1059.001] PowerShell – Attacker tooling includes PowerShell; the report recommends restricting its use. Report quote: ‘restricting the usage of PowerShell, Wget, and Python can reduce the chance of successful execution.’
  • [T1056.001] Keylogging – Infostealers often co-occur with keyloggers, enabling broader data theft. Report quote: ‘keyloggers’
  • [T1078] Valid Accounts – Credential stuffing using stolen credentials to gain access to corporate accounts. Report quote: ‘Credential stuffing attacks: Threat actors may use stolen credentials to perform credential stuffing attacks on corporate accounts.’

Indicators of Compromise

  • [Hash] LummaC2-related IoCs – 7a35008a1a1ae3d093703c3a34a21993409af42eb61161aad1b6ae4afa8bbb70, a9e9d7770ff948bb65c0db24431f75dd934a803181afa22b6b014fac9a162dab
  • [URL] C2/data exfiltration endpoints – hxxp://ebalkayiu[.]fun/api, hxxps://1july[.]com/rMKNqt3S
  • [URL] Download delivery and malware hosting – hxxps://download2361.mediafire[.]com/kz5hd3dkenwgED02vBaT_kwGFdmwQ1 iAY4QGf3SAcLidcmbEn-K1HrKyPpR6ADOq7VjezmdEoNhZJFB_Wze08J1MU0iH_ oPWGS6Myj12LuXef9l7y_Em63yxedx88ezRHTt44POY858wKHjwxqr2errwIun SIHwCNMWQNQPY4_0FkZKD/wt0hho282tuxy9d/Passwrd-2023_Setup.rar
  • [Domain] Suspected command-and-control domain – sustac[.]com
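As an added example (not code from the ReliaQuest report), the script below refangs the indicators listed above and sweeps them over proxy/EDR-style log lines; the log lines are constructed for the demonstration, and hosts of the listed C2 URLs are also treated as domain indicators so a beacon to another path on the same host still fires.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as the page lists them (defanged with hxxp / [.]).
PAGE_IOCS = {
    "hash": ["7a35008a1a1ae3d093703c3a34a21993409af42eb61161aad1b6ae4afa8bbb70",
             "a9e9d7770ff948bb65c0db24431f75dd934a803181afa22b6b014fac9a162dab"],
    "url": ["hxxp://ebalkayiu[.]fun/api", "hxxps://1july[.]com/rMKNqt3S"],
    "domain": ["sustac[.]com"],
}

# Constructed proxy/EDR-style log lines for the demonstration (not real telemetry).
SAMPLE_LOG = [
    "2023-12-04T10:02:11Z ws-114 GET http://ebalkayiu.fun/api 200 1532",
    "2023-12-04T10:02:15Z ws-114 GET https://www.example.com/index.html 200 812",
    "2023-12-04T10:03:40Z ws-207 CONNECT cdn.sustac.com:443 200 0",
    "2023-12-04T10:04:02Z ws-114 FILE Passwrd-2023_Setup.rar "
    "sha256=7A35008A1A1AE3D093703C3A34A21993409AF42EB61161AAD1B6AE4AFA8BBB70",
]

def refang(value):
    """Reverse the usual defanging so indicators match what appears in logs."""
    return re.sub(r"^hxxp", "http", value.replace("[.]", "."), flags=re.IGNORECASE)

def build_sets(iocs):
    hashes = {h.lower() for h in iocs["hash"]}
    urls = {refang(u) for u in iocs["url"]}
    # Hosts of the C2 URLs count as domain indicators as well.
    domains = {refang(d).lower() for d in iocs["domain"]}
    domains |= {urlsplit(u).hostname for u in urls}
    return hashes, urls, domains

def scan_log(lines, iocs=PAGE_IOCS):
    """Return (line_no, ioc_type, value) for every token that matches an IoC."""
    hashes, urls, domains = build_sets(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in line.split():
            val = tok.split("=", 1)[-1]          # accept key=value fields
            low = val.lower()
            if low in hashes:
                hits.append((n, "hash", low))
            elif val in urls:
                hits.append((n, "url", val))
            else:
                host = urlsplit(val).hostname if "://" in val else low.split(":")[0]
                if host and (host in domains or any(host.endswith("." + d) for d in domains)):
                    hits.append((n, "domain", host))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d: %s match %s" % hit)
```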

Read more: https://www.reliaquest.com/blog/common-infostealers/