Hacking groups are using a stealer-as-a-service business model to spread infostealer malware and steal credentials from online gaming and payment accounts.
Threat intelligence firm Group-IB detected 34 new Russian-speaking groups that are spreading multiple infostealer variants. The researchers say the groups are stealing user credentials from individuals on online gaming platforms such as Steam and Roblox, as well as payment details from Amazon and PayPal accounts. The malware is also compromising cryptocurrency wallets using victims’ browsers.
The attacks, which mainly target victims in the United States, Brazil, India and Germany, have compromised 890,000 individuals so far and netted 50 million passwords, which Group-IB estimates are worth $5.8 million on darknet market forums.
The stealer-as-a-service groups evolved from Classiscam scam-as-a-service groups, deploying similar tactics for credential theft, including hosting malware on spoofed websites, using Telegram bots to generate malicious content and actively communicating with other members, Group-IB says.
Some of these groups have up to 200 active members and operate as hierarchies, according to Group-IB. Typically, administrators at the top of the chain hand the malware down to lower-ranking members (the "workers") in exchange for a share of the stolen data or money.
The workers are tasked with driving traffic to fake websites that impersonate well-known companies and convincing victims to download the malicious payload. Links to the spoofed sites are typically posted on social media disguised as popular video game reviews on YouTube, non-fungible token sites, or lucky draws and lotteries.
Among the infostealer variants deployed, RedLine is the most popular: 23 of the 34 groups currently use it. Raccoon ranks second, with eight groups currently using it. The remaining groups use custom stealers or a combination of these variants, the report says.
Group-IB says a lower barrier to entry is the main reason behind the proliferation of these groups.
“Beginners do not need to have advanced technical knowledge, as the process is fully automated and the worker’s only task is to create a file with a stealer in the Telegram bot and drive traffic to it. For victims whose computers become infected with a stealer, however, the consequences can be disastrous,” the report says.
Given the scale of the groups' operations, Group-IB rates them as highly "dangerous" and recommends that users refrain from downloading software from untrusted websites, or use an isolated operating system for software installation. The firm also advises users not to save passwords in their browsers and to regularly clear their browser cookies, since stored credentials and session cookies are exactly what these stealers harvest from the browser.