Among threat actors, stealer malware, which collects information from a target system for subsequent entry into it, is becoming increasingly popular and in demand due to the nature and type of information it targets.
Many stealers are clones of other stealers that use open source or leaked source code. Judging by forum activity, more than half of such malware seen in illegal communities does not remain in use for long.
Over the past few years, attackers have moved to selling malware as a service. This allows sellers to offer subscription-based malware at a lower price and attract a wider range of customers.
In the last few years, discussions about the stealers have been steadily increasing. Analysts believe with moderate confidence that this may be due to the observed success of subscription model hijackers such as “Redline” and “Raccoon”, which continue to be popular among threat actors.
The success of subscription stealers like “Redline” and “Raccoon” has led to an influx of imitators using the same business model.
Increase in posts in stealer-related forum threads by year
From the beginning of 2022 to the end of June, according to analyst data, there were 62 unique active threads related to the stealers “Blackguard”, “Mars” (an improved successor to the “Oski Stealer”) and “Snowflake” in several high-level forum rooms, dedicated to buying, selling and sharing malware on CryptBB, Exploit, Hackforums, Kickass, Raid Forums and XSS.
Top malware and hijacking topics in 2022
As of June 27, 2022, of the 62 topics identified, 56% had not seen any additional user activity after the topic’s 7th day of publication.
Using available data in 2021, experts identified 264 hacker-related topics in forum rooms related to the buying, selling, and distribution of malware. Of these threads, 42% saw no interaction from threatening subjects after the first week of posting, and 56% saw no activity after the thirty-day mark.
This indicates that almost half of the stealers listed for sale do not gain popularity or a significant user base. It is possible that the threat actors will decide that the stealers being sold are not worth the investment, and so they will disappear from the market.
Another reason hijackers may disappear from the market is that some forums require deposits to advertise malware.
Often, sellers looking to make a quick buck don’t want to pay this deposit, and the moderators close the thread. Examples of this situation include “Hard Stealer” and “Polo Stealer”.
There have been many cases where the source code of a malicious stealer has been open source or leaked. This leads to forks and clones of the same stealer being sold under different names in an attempt to make a quick buck.
The availability of the source code makes it easy for attackers to rebrand these forks and try to resell them. On June 22, 2022, threat actor “DildoFagins” stated on XSS that any alleged new stealers written in C# are most likely just forks of с.
Experts estimate with moderate confidence that stealers advertised as written in C# and only having the function of sending logs to a Telegram ID may be forks of “StormKitty”. Some threat actors are aware of this trend and ignore flows that are considered forks.
The experts noticed the following examples of possible “StormKitty” forks that the attackers tried to sell: “Apocalypse”, “Falcon” and “Xenon”.
In addition, many published available hijackers have a high probability of being fraudulent projects, such as the “Rust” hijacker.
The experts reviewed the stealer topics that have been discussed in the last thirty days in all forums in the Flashpoint collections.
The image below shows all threads related to buying, selling, and distributing thieves that have seen threat actors involved (thread postings) in the last thirty days. The most active topics were found in the forums including DeepTor, Exploit, Nulled and XSS.
Threads related to stealer malware that have seen activity in the last 30 days. The size of the bubble indicates the number of posts, and the saturation indicates the age of the topic.
Stealth malware (stealers) that appear larger and more graphically rich are more likely to remain popular with threat actors.