The information-stealing malware market is constantly evolving, with multiple malware operations competing for cybercriminal customers by promoting better evasion and increased ability to steal data from victims.
Information stealers are specialized malware used to steal account passwords, cookies, credit card details, and crypto wallet data from infected systems, which are then collected into archives called ‘logs’ and uploaded back to the threat actors.
These logs of stolen data are used to fuel further attacks or sold on marketplaces for prices ranging between $1 to $150, depending on the victim.
Cybersecurity intelligence firm KELA has compiled a report presenting the rise of variants and malware-as-a-service (MaaS) operations that have grown substantially in the first quarter of 2023, raising the associated risk for organizations and individuals.
“In this report, KELA focuses on new infostealers like Titan, LummaC2, WhiteSnake, and others who have recently emerged from the cybercrime underground and have already gained popularity among threat actors,” Cyber Threat Intelligence Analyst Yael Kishon said in a report shared with BleepingComputer.
The emerging info-stealers
Although older strains like RedLine, Raccoon, and Vidar continue to have a significant presence, and newer families like Aurora, Mars, and Meta are still growing, new malware families are also trying to make a name for themselves this year.
KELA highlights the following four information-stealing operations that launched over the past year:
Titan: Titan first appeared on Russian-speaking hacker forums in November 2022, promoted as a Go-based info-stealer targeting data stored in 20 web browsers.
Its Telegram channel counts over 600 subscribers. On March 1, 2023, its authors released version 1.5, and on April 14, and teased an upcoming new version, indicating that this is a very active project.
Titan is sold for $120/month (beginners), $140/month (advanced), or $999/month (teams).
LummaC2: LummaC2 targets over 70 browsers, cryptocurrency wallets, and two-factor authentication extensions.
In January 2023, the project had a reboot on Telegram, which currently has over a thousand subscribers, and since February 2023, it has been offered for purchase through ‘RussianMarket.’
LummaC2 sells for $250 to $1000 per month, depending on the selected features, and KELA says the malware enjoys a very good reputation in the cybercrime underground.
LummaC2 also runs a reseller program, giving agents a 20% cut for new subscriptions they bring on the platform.
Stealc: First analyzed by SEKOIA in February 2023, Stealc is a lightweight stealer with automated exfiltration that targets over 22 web browsers, 75 plugins, and 25 desktop wallets.
It is sold for $200/month, and its popularity is constantly increasing.
Previously, it has been seen distributed via YouTube videos that promote laced cracked software.
WhiteSnake: This strain was first promoted on hacker forums in February 2023 as an email, Telegram, Steam, and cryptocurrency wallet stealer.
It can target both Windows and Linux systems, which is rare in this field.
WhiteSnake has over 750 subscribers on Telegram, selling for $140/month or $1,950 for lifetime access.
Cloud of Logs
KELA’s report also highlights a new product type that has emerged lately, named “Clouds of Logs,” which is to sell subscriptions to access private cloud-hosted log collections created by threat actors distributing info-stealer malware.
Clouds of logs is a more private and, presumably, safer alternative to automated log markets, created to give data sellers a simpler way to monetize their activity without the involvement of middlemen.
The emergence of new info-stealers priced competitively lowers the entry barrier for cybercriminals, especially in the case of Titan, which sells for just $120/month.
KELA believes that the Malware-as-a-Service market will preserve its popularity this year, so the use of info-stealers will continue to be substantial.