Mysterious Custom Malware Collects Billions of Stolen Data Points

A nameless malware resulted in a huge data heist of files, credentials, cookies and more that researchers found collected into a cloud database.

Researchers have uncovered a 1.2-terabyte database of stolen data, lifted from 3.2 million Windows-based computers over the course of two years by an unknown, custom malware. The heisted info includes 6.6 million files and 26 million credentials, and 2 billion web login cookies – with 400 million of the latter still valid at the time of the database’s discovery.

According to researchers at NordLocker, the culprit is a stealthy, unnamed malware that spread via trojanized Adobe Photoshop versions, pirated games and Windows cracking tools, between 2018 and 2020. It’s unlikely that the operators had any depth of skill to pull off their data-harvesting campaign, they added.

“The truth is, anyone can get their hands on custom malware. It’s cheap, customizable, and can be found all over the web,” the firm said in a Wednesday posting. “Dark Web ads for these viruses uncover even more truth about this market. For instance, anyone can get their own custom malware and even lessons on how to use the stolen data for as little as $100. And custom does mean custom – advertisers promise that they can build a virus to attack virtually any app the buyer needs.”

The 26 million login credentials held 1.1 million unique email addresses, NordLocker found, for an array of different apps and services. These included logins for social media, online marketplaces, job-search sites, gaming sites, financial services, email and more.

A hacker group revealed the database location accidentally, according to NordLocker. The cloud provider hosting the data was notified so the database can be taken down, and Troy Hunt has added the compromised email addresses to his HaveIBeenPwned repository, so people can check to see if they’ve been impacted by the malware.

“This incident has been flagged as “sensitive” so it’s not publicly searchable,” Hunt explained. “For individuals, verifying your email address by the notification service will show if it was in this data set. For organizations, the domain search feature will allow you to search across the breadth of any domains you can verify control of.”

Millions of Stolen Files

On the file front, NordLocker found that the malware squirreled away 6 million files, lifted from the Desktop and Downloads folders. The booty included 3 million text files, more than 1 million image files and 600,000+ Word and .PDF files, along with random other file types.

“Over 50 percent of the stolen files were text files,” according to the analysis. “It’s likely that a lot of this collection contains software logs. It is also concerning that some people even use Notepad to keep their passwords, personal notes, and other sensitive information.”

The malware also stole 696,000 .PNG and 224,000 .JPG image files; and, it made a screenshot after it infected the computer and also took a picture using the device’s webcam.

Hand in the Cookie Jar

Around 22 percent of the cookies that were stolen were still valid on the day of the discovery, which could give the crooks the ability to carry out a range of nefarious activity.

The attackers stole an array of gaming cookies. Source: NordLocker.

“Cookies help hackers construct an accurate picture of the habits and interests of their target,” according to NordLocker. “In some cases, cookies can even give access to the person’s online accounts….[for instance], online shopping cookies are used to store shopping cart data while the user browses a shop. However, they can be used to hijack a shopper’s session to break into their account where their home address and credit-card details might be stored.”

The firm discovered cookies for e-commerce sites, gaming sites, file-sharing, video streaming and social media, among other internet destinations, plus those used to track users and serve targeted advertising.

Unfortunately, the cyberattackers also appear to have made good use of the malware to target specific apps. The database contains an array of credentials, autofill data and payment information stolen from 48 applications.

“The research shows that the malware targeted apps, mostly web browsers, to steal the vast majority of data,” according to the analysis. “The malware also stole data from messaging apps, email clients, file-sharing clients and some gaming clients.”

The top 10 targeted apps are as follows:

  1. Google Chrome (19.4 million entries)
  2. Mozilla FireFox (3.3 million entries)
  3. Opera (2 million entries)
  4. Internet Explorer/Microsoft Edge (1.3 million entries)
  5. Chromium (1 million entries)
  6. CocCoc (451,962 entries)
  7. Outlook (111,732 entries)
  8. Yandex Browser (79,530 entries)
  9. Torch (57,427 entries)
  10. Thunderbird (42,057 entries)

How to Stay Safe from Custom Malware

Unfortunately, custom malware is difficult to fight once a device is infected, NordLocker researchers said, because as a novel threat, antivirus can’t recognize it. So, prevention is the best approach.

They recommended the following best practices:

  • Web browsers are not good at protecting sensitive data. Use password managers to protect your credentials and auto-fill information.
  • Malware can’t access encrypted files.
  • Some cookies are valid for 90 days, and some don’t expire for an entire year. Make deleting cookies a monthly habit.
  • Peer-to-peer networks are often used for spreading malware. Only download software from the developer’s website and other well-known sources.
  • All malware gets recognized eventually. Make sure that your antivirus is always updated to prevent old viruses from slipping through the cracks.

Download our exclusive FREE Threatpost Insider eBook, 2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!

Suggested articles