Death by a thousand cuts: the rise and rise of information stealers

Dmitry Bestuzhev, Santiago Martin Pontiroli

Kaspersky

Abstract:

What is today’s exchange rate for Bitcoin? Should I buy the dip or quit altogether? Twitter, like other Fortune 500 companies, is working on adding it to its paid subscription. Too many puzzles, but not for the infostealer crowd. Under innocent, charming names such as “Panda”, “Raccoon” or “RedLine”, information stealers strip victims of their cryptocurrency wallets in the blink of an eye. This threat landscape keeps evolving at an unprecedented pace. It is a booming business built on the now proven malware-as-a-service (MaaS) model, which thrives on selling subscriptions to would-be criminals who then resell the pilfered credentials in bulk.

Using XOR ciphers, base64 encoding, code protection and novel code obfuscation techniques, traditional crimeware actors are rapidly converging with big-name players from the APT world such as Lazarus. They hide payloads in ordinary red, green and blue pixel values and exfiltrate stolen data through whitelisted domains.
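As an added illustration of the pixel-hiding and XOR trick the abstract mentions (this is example code written for this page, not code from the talk or from any stealer sample), the block below hides a blob in the R, G and B channel bytes of an image and recovers it again. Everything in it is constructed for the demo: the key, the JSON "payload", and the blob layout (a 4-byte little-endian length, then base64 text, XOR-ed with a repeating key and spread across the pixel channels) are assumptions made here and not the layout used by DCStealer or any other family. Pixels are kept as a plain list of tuples so it runs on the standard library alone; a real loader would read the same bytes out of a PNG or BMP.

```python
import base64
import binascii
import struct
from typing import List, Optional, Tuple

Pixel = Tuple[int, int, int]

# Constructed for this example: the key and the "payload" are placeholders,
# not values recovered from any real sample.
DEMO_KEY = b"vb2021"
DEMO_PAYLOAD = b'{"c2":"example.invalid","grab":["wallets","browsers"]}'


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both hides and recovers the blob."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed_payload(payload: bytes, key: bytes, width: int = 16) -> List[Pixel]:
    """Pack base64(payload) behind a 4-byte length, XOR it with key, and spread
    the resulting bytes over the R, G and B channels of consecutive pixels.

    The assumed layout is: <u32 little-endian length of base64 text><base64 text>.
    """
    encoded = base64.b64encode(payload)
    blob = struct.pack("<I", len(encoded)) + encoded
    hidden = xor_bytes(blob, key)
    # Pad to whole pixels and whole rows so the image keeps a normal shape;
    # the filler is arbitrary non-zero noise rather than a run of zeros.
    row_bytes = width * 3
    pad = (-len(hidden)) % row_bytes
    hidden += bytes((i * 37) & 0xFF for i in range(pad))
    return [tuple(hidden[i:i + 3]) for i in range(0, len(hidden), 3)]


def extract_payload(pixels: List[Pixel], key: bytes) -> Optional[bytes]:
    """Reverse embed_payload. Returns None when the key is wrong or the image
    does not carry a blob in the assumed layout, instead of raising."""
    raw = bytes(channel for px in pixels for channel in px)
    clear = xor_bytes(raw, key)
    if len(clear) < 4:
        return None
    (length,) = struct.unpack("<I", clear[:4])
    # A wrong key turns the length field into garbage; reject it up front.
    if length == 0 or 4 + length > len(clear):
        return None
    try:
        # validate=True makes non-base64 bytes fail instead of being skipped.
        return base64.b64decode(clear[4:4 + length], validate=True)
    except binascii.Error:
        return None


if __name__ == "__main__":
    image = embed_payload(DEMO_PAYLOAD, DEMO_KEY)
    print(f"{len(image)} pixels carry the blob")
    print("recovered:", extract_payload(image, DEMO_KEY))
    print("wrong key:", extract_payload(image, b"wrong!"))
```

Note that the channel bytes of such an image are pure ciphertext, so they carry none of the smoothness a photograph has; a per-channel entropy or neighbour-difference check on the decoded image is a cheap way to flag this kind of carrier even when the key is unknown.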

In this talk we explain the peculiar case of DCStealer, also known as Collector Stealer, and the variants that have emerged since a modified builder began circulating on a Russian-language forum earlier this year. As with the 2011 leak of the Zeus (Zbot) crimeware kit, such seemingly trivial incidents yield a wealth of intelligence that lets us take a deep dive into the information stealer ecosystem. We will dissect and profile the code and the threat actors that play vital roles in this now thriving landscape.

Speakers

Dmitry Bestuzhev

Latin American Director, Global Research and Analysis Team (GReAT)

Santiago Martin Pontiroli

Security Researcher
