Cybercriminals use Stealer-type malware to steal cookies

By Heimdall: With several digital threats emerging every day, cybercriminals are undoubtedly betting on using stealer-type malware (focused on stealing information) to make a profit from the stolen data. As an example, we can mention the malware known as Redline Stealer, which has become one of the main choices of cybercriminals for stealing data, be it credentials or cryptocurrency wallets.

It is worth noting that there is a wide variety of stealing malware, which makes it easy to steal accounts by using cookies from sessions saved in browsers.

After obtaining a large amount of credential information from victims all over the world, these cybercriminals end up selling the information in "log" format. The sale can take place on cybercrime channels on Telegram or on Dark Web forums such as RussianMarket, Breach Forums, RuTOR, XSS and many others.

Once a purchase is made, the buyer can use the information collected by the malware to impersonate the victims with the stolen credentials or even cookies, making it easier to enter a corporate network using VPN credentials, carry out other types of fraud or even resell these credentials to third parties.

In this article, we're going to give you an overview of the cookie log sales market, explaining how the theft takes place and where it ends up.   

Stealer malware

Stealer or infostealer malware is a type of malware delivered through many channels, including botnets, malicious phishing email attachments, spam campaigns, malvertising campaigns, infected websites and many others.

The main function of this malware is to steal information from the infected device, including information such as:

  • Credentials stored in browsers (more than 100 types);
  • Active session cookies;
  • Credentials or FTP connection information;
  • Operating system variables;
  • Browser history;
  • Browser autofill fields;
  • Tokens from the Discord application and other applications;
  • Collecting information from VPNs;
  • Collecting information from e-mail clients;
  • Collection of certain files stored on the device;
  • Collection of credential information from vaults or any other repository;
  • Collection of credentials and information from cryptocurrency wallets such as Bitcoin, Monero, etc;
  • Collection of financial information;
  • Collecting information from the device, such as the fingerprint;
  • Collection of two-factor authenticator information;
  • And other information that the developers of this malware may find useful.

Another important detail is that this type of malware is offered on the Dark Web as a service (Malware-as-a-Service): a user only needs to purchase a license to use the malware, sometimes for low amounts, such as US$130 for 7 days of the basic version of Vidar Stealer, according to the malware's advertisement.

Stealer Vidar announced prices

As an example, here are some of the stealers identified and monitored by the ISH intelligence team:

Announcement of the Vidar Stealer on a Dark Web forum
Example of the Stealer dashboard provided by the seller
Medusa Stealer announcement on a Dark Web forum
Announcement of the Continental Stealer on a Dark Web forum

Some of the best-known infostealer malware include:

  • Raccoon Stealer
  • RedLine Stealer
  • Aurora Stealer
  • Rhadamanthys
  • RecordBreaker
  • BlueFox
  • Ducktail
  • BlackGuard
  • RisePro
  • StrelaStealer
  • BlueFox Stealer
  • Vidar Stealer
  • Mars Stealer
  • LokiBot
  • qBit Stealer
  • Atomic Stealer
  • TrapStealer
  • Lumma Stealer
  • Meduza Stealer
  • PureLand Stealer

It's worth pointing out that this list is not exhaustive; we're just presenting some of the main stealers that are active in the cybercrime market.

Cookies: what they are and how data is stolen

Since the second half of 2022, infostealer malware has focused on stealing cookies linked to identification and authentication, providing cybercriminals with a new type of information to be collected and used later to achieve their goals.

It's worth pointing out that stealing credentials is the most obvious method of action for these stealers and cybercriminals. With the increased use of multi-factor authentication (MFA) to protect accounts, however, the credential-stealing approach has been reduced, so cybercriminals have evolved and started stealing cookies associated with credentials in order to clone active web sessions, thus bypassing MFA.

This possibility of stealing cookies has given cybercriminals a powerful weapon, since they can acquire or steal cookies from certain users of large organizations and use them to bypass access controls, thus gaining access to the corporate network.

One example of this activity was carried out by the Lapsus$ group: according to the authors of the cyber attack on EA, they bought a user's session cookie, which gave them access to the company's Slack instance and allowed them to spoof the employee's existing login. As a result, the group stole 780 gigabytes of data, including game source code and more.

What are cookies?

A cookie is a small piece of data stored in the user's browser while accessing a website. Cookies can be used for various purposes, including keeping the user logged in, remembering website preferences, tracking sessions and others.

Browsers store session cookies in a file. In Mozilla Firefox, Google Chrome and Microsoft Edge, this file is in SQLite format and is found in the program's user folders; the "auth_token" cookie, for example, is stored inside this file.

Example of cookies stored in a ".sqlite" file

The rationale for cookie theft is that cookies associated with authentication to web services can be used by attackers in attacks known as "pass-the-cookie", in which the attacker attempts to impersonate the legitimate user to whom the cookie was originally issued and gain access to web services without the need for a login.

As an example, the diagram below shows the normal method used by a user to authenticate a session on a web server.

Diagram representing the normal session on a web server

The following diagram shows how a cybercriminal carries out a "pass-the-cookie" attack.

Diagram showing the attack carried out by a cybercriminal to steal cookies

This type of attack could lead to the exploitation of web services, software-as-a-service, lateral movement, email compromises and many other types of access that can be obtained with the session cookie.
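
On the defensive side, a replayed cookie tends to show up in server logs as a session that suddenly appears from a different client than the one that logged in. The following is an added example, not part of the original article or ISH tooling, of detection logic for that pattern; the log format, the reason labels and the sample events are constructed for illustration.

```python
import hashlib

# Constructed sample of application session events (not real data).
# Format: timestamp, event, session id, client IP, User-Agent (rest of line).
SAMPLE_LOG = """\
2024-01-10T09:00:01Z login sess-a1 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/120
2024-01-10T09:05:12Z request sess-a1 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/120
2024-01-10T09:30:44Z request sess-a1 198.51.100.77 Mozilla/5.0 (X11; Linux x86_64) Firefox/121
2024-01-10T10:00:00Z login sess-b2 192.0.2.5 Mozilla/5.0 (Macintosh) Safari/17
2024-01-10T10:02:30Z request sess-b2 192.0.2.5 Mozilla/5.0 (Macintosh) Safari/17
2024-01-10T10:40:00Z request sess-b2 192.0.2.99 Mozilla/5.0 (Macintosh) Safari/17
2024-01-10T11:15:00Z request sess-c3 198.51.100.77 Mozilla/5.0 (X11; Linux x86_64) Firefox/121
"""

def sid_tag(session_id):
    """Short hash so alerts never carry a usable session token."""
    return hashlib.sha256(session_id.encode()).hexdigest()[:12]

def find_session_reuse(log_text):
    """Return (timestamp, session tag, reason, ip) for suspicious events."""
    origin = {}   # session id -> (ip, user_agent) recorded at login
    seen = set()  # de-duplicate repeated alerts for the same finding
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, sid, ip, ua = line.split(" ", 4)
        if event == "login":
            origin[sid] = (ip, ua)  # the client that passed login (and MFA)
            continue
        if sid not in origin:
            reason = "no_login_seen"   # session never authenticated in this log
        else:
            login_ip, login_ua = origin[sid]
            if ua != login_ua:
                reason = "ip_and_ua_changed" if ip != login_ip else "ua_changed"
            elif ip != login_ip:
                reason = "ip_changed"  # weak signal alone: roaming, VPN, mobile
            else:
                continue
        key = (sid, reason, ip)
        if key not in seen:
            seen.add(key)
            alerts.append((ts, sid_tag(sid), reason, ip))
    return alerts

if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_LOG):
        print(*alert)
```

A "no_login_seen" hit can also mean the login happened before the log window started, so it is worth correlating with the session store before escalating.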

Therefore, we also present some examples of actions that can be used to foil any attempts at these types of attacks aimed at stealing cookies through malware.

How to protect yourself

Heimdall, ISH's threat intelligence team, recommends regularly clearing cookies and other authentication information from browsers, thus reducing the potential attack surface provided by browser profiles. Organizations can also try to use tools to control how long cookies are allowed to remain valid.

In addition to these recommendations, some others can be used to avoid becoming infected with stealer malware, such as:

  • Update software regularly: Keep your operating system, browser and all software, especially security software, up to date.
  • Use antivirus software: Install and maintain antivirus software.
  • Enable the Firewall: Use your operating system's firewall or a third-party firewall to monitor and control your computer's incoming and outgoing traffic.
  • Practice Safe Browsing:
    • Avoid clicking on unknown or suspicious links.
    • Don't download from unreliable sources.
    • Always check URLs to ensure that you are visiting legitimate sites.
    • Use private browsing when necessary.
  • Cybersecurity education: Be aware of common phishing and social engineering tactics.
  • Use Strong Passwords and Password Managers: Create strong, unique passwords for each account and consider using a reliable password manager to store them safely.
  • Enable Two-Factor Authentication (2FA): Whenever possible, enable 2FA for your online accounts.
  • Beware of Email Attachments and Downloads: Be cautious when opening email attachments or downloading files from unsolicited emails, especially if they look suspicious or come from unknown senders.
  • Limit User Privileges: Use accounts with limited privileges for everyday use, reserving administrative accounts only for tasks that require them.

ISH has a Threat Intelligence team prepared to anticipate and mitigate risks, protecting valuable assets and maintaining business continuity and integrity. Contact us and find out more.