December 6, 2023

Stealers | Role in modern realities

All information provided is taken from public sources, is for informational purposes only and does not call for action!

Created with the support of the LummaC2 channel

What is a stealer?

It is malware designed to steal valuable data from an infected machine, such as cookies, logins and passwords, desktop screenshots, etc.

How does the stealer work?

This virus sneaks into the data stores of frequently used programs (mainly browsers) and steals everything from there: your saved cookies, logins and passwords. Then the stealer sends the obtained data to the attacker's email.

Sometimes this type of virus has an additional self-delete function. A naive user will not even realize that his information has been stolen until his password no longer works for his e-mail, social network or, worse, his electronic wallets.

Why is this attack so dangerous? Antivirus programs are often powerless against a stealer, because the malware can easily be scripted.

When an infected program starts to run, the virus takes control first. It infects other programs and also performs its planned destructive actions. To disguise its activity, the virus is not always active, but only when certain conditions are met (a certain amount of time has passed, a certain number of operations have been performed, a certain date or day of the week has arrived, etc.).

A stealer is program code that steals passwords and other data from a computer. In the past, the data was sent to a sniffer, but now code that sends the stolen data to Telegram is actively spreading across the Internet.

How malware works

Stealers come in different flavors, from different coders and with different capabilities. They can steal all your saved passwords from all browsers, sessions from Telegram and other messengers, cookies (for logging into websites), wallet files of popular cryptocurrencies for further cashing out, and desktop files with certain extensions (.doc/.docx/.txt/.log), since people often keep a file with passwords right on their desktop.

All this data arrives in the stealer's admin panel, where the IP address and computer name it came from are indicated. Roughly speaking, we can take all the most valuable things that may be on the computer.

After buying the virus, you are usually given a ready-to-use version of the software with access to the admin panel, and you do not need to configure anything else. An example of the panel is shown in the picture below.

How not to become a victim yourself?

First you need to install a good antivirus, because it at least provides some protection. Without an antivirus you will "catch" everything. People on the Internet often write about what a stealer is and how to create one, and even provide programs for creating them. But often these programs do not work, and they themselves contain a stealer. Every downloaded file must be checked without fail, so as not to lose your data. There are also programs that remove a stealer from the computer. It is also recommended to check your PC for viruses using special utilities, such as Dr.Web CureIt!.

There is little information on the Internet about what stealers are and how they are used. You need to remember that they are created for a reason, not for fun. Their main purpose is to extract useful information from the victim's computer for further monetization.

Store your passwords in the cloud, with a password that you keep only in your memory; this is the safest way to protect your data. Never save passwords and do not use any autocomplete forms: when you use currency exchangers, for example, your card details, phone number and e-mail can be autocompleted.

Stealers market

The most popular stealer by far is LummaC2. In second place is Raccoon, and closing the top three is the industry veteran RedLine.

Stealers popular with Russian-speaking attackers collect system information that includes:

  • User name;
  • Computer name;
  • A list of installed software;
  • Hardware details;
  • Passwords, cookies, bank card and cryptocurrency wallet data saved in browsers.

If a user accessed VKontakte, Yandex, Mail.ru or Gmail from this computer, fraudsters can gain access to their accounts in these services. To do this, it is enough to download the cookies stored in the browser, even without entering a password.

Stored passwords can also help gain access to many services, even quite secure ones. Usually stolen email accounts are then used for spamming, and login details for gaming services are sold. But if card and cryptocurrency wallet data is on the PC, the fraudster can also steal the user's money.

Distribution methods and traffic

Scammers use a variety of stealer distribution schemes, from targeted attacks to mass installs:

YouTube video

A worker posts a video on the channel with a review of a mod for a game (an add-on created by third-party developers). The download link is left in the description or in a pinned comment. The worker may not even post his own video: sometimes it is enough to publish a link to the archive as a comment under another user's video. Sometimes accounts that were themselves hijacked with the help of a stealer are used.

It has also become common to distribute malicious files under the guise of download links for cracked popular services.

Forums

Various forums can be used for distribution, both gaming forums and specialized ones, for example about cryptocurrency mining. Accordingly, posts (often copied) are published with a link to download mods or special software for that same mining. Often, to gain more trust from users, fraudsters first brute-force the login data of other discussion participants and, from the resulting accounts, look for users with a good rating on the forum in order to publish posts on their behalf. Logs obtained from mining forums are very profitable: if a user downloads mining software, he usually has a cryptocurrency wallet.

Social media

A fraudster can find posts, for example about raffles, copy the account of the administrator of the group in which the raffle was held, and then write to the participants that they have won and only need to fill out a questionnaire in a special application. After that, the attacker sends them a file or a link to this "application". The scammer can also distribute the stealer with the help of bait posts, for example describing a scheme for earning money. This method was used earlier (judging by the manuals), but is no longer relevant now.

NFT

Distribution using NFTs brings a lot of profit, as most victims are logged into their cryptocurrency wallet on their computer. On sites selling NFTs, the scammer selects an artist and, using open sources, checks the contents of his wallet; if it is empty, he looks for a new victim author. Then, using the nickname, he finds this artist on social networks, writes to him and, in the course of the dialogue, sends a link to download the file. It can be presented, for example, as a selection of works or a list of documents.

To practice!

A seemingly nerdy and useless topic... but, based on experience, at least half do not see the whole picture. So let's lay it out visually.

So, let's visualize it in the form of a diagram:

  • Traffic + malware = material = monetization

In short, we have traffic, which eventually leads to installs of your exe file on users' computers. From the user's computer you can get useful material, which you turn into money.

Stages:

  1. Traffic consists of the traffic itself and the method of turning that traffic into installs. In our case, it is a trivial download and installation of a file from the site. We will not consider bundles, since they are dying out.
  2. Software consists of software selection and its configuration.
  3. Material for work consists of logs, access to the PC/phone, and data interception.
  4. Profit consists of active and passive profit.

  • (Traffic channel + site) + customized software = Logs + possible access to PC / phone + keylogger (if necessary) = Active and passive income.

A conversion site consists of the site itself, tested and tuned for maximum conversion, and a well-thought-out legend/theme. Here we also add analytics (a TDS system). We also add anti-cloaking. We also add a good crypt. We also add hosting for the websites and possibly hosting for your software. More on that below. Our scheme grows and becomes visually cluttered.

  • (Traffic channel + (legend + maximum-conversion site + TDS system + anti-cloaking + crypted file)) + customized software = Logs + possible access to PC / phone + keylogger (as needed) = Active and passive income.

Now the question. Do many people even think about how much they need to work? Very few...

Every single one! Every step needs to be worked out! Every step! And in detail, thoughtfully and attentively. If one of the multipliers equals zero, your whole product will be zero. That's life, isn't it?

And now I'll finish for those who still wear rose-colored glasses. No one will assemble this scheme for you. So go to Google and start studying thoughtfully what this world is and how it works.