Security researchers have discovered a technique to gather huge quantities of stolen user credentials by running searches on VirusTotal, the online service used to analyze suspicious files and URLs.
With a €600 (around $679) VirusTotal license and a few tools, the SafeBreach research team collected more than 1,000,000 credentials using this technique. The goal was to determine what data a criminal could gather with a license for VirusTotal, which is owned by Google and provides a free service that can be used to upload and check suspicious files and links against several antivirus engines.
A licensed VirusTotal user can query the service's dataset with a combination of search terms for file type, file name, submission date, country, and file content, among others. The SafeBreach team coined the term "VirusTotal hacking" by analogy with "Google hacking," the method criminals use to look for vulnerable websites, Internet of Things devices, Web shells, and sensitive data leaks.
Many info stealers collect credentials from different forums, mail accounts, browsers, and other sources, write them to a fixed, hard-coded file name (for example, "all_credentials.txt"), and then exfiltrate this file from the victim's system to the attackers' command-and-control server. Building on this behavior, the researchers took VirusTotal tools and APIs such as search, VirusTotal Graph, and Retrohunt, and used them to find files containing stolen data.
"It's quite a straightforward technique, which does not require strong understanding of malware," says Tomer Bar, director of security research at SafeBreach. "All you need is to choose one of the most common info stealers and check it online."
The researchers conducted their research using known malware including RedLine Stealer, Azorult, Raccoon Stealer, and Hawkeye, as well as known forums such as DrDark and Snatch_Cloud used to steal sensitive data. They found their method works at scale.
RedLine Stealer is a type of malware sold on underground forums as a stand-alone purchase or a subscription. It uses browsers to collect data such as saved credentials, autocomplete data, and credit card details. When it runs on a target machine, the malware takes a system inventory that includes information such as username, location data, hardware configuration, and details of the installed security software. RedLine Stealer can also upload and download files and execute commands.
To start, the researchers used VirusTotal Query to search for binaries identified by at least one antivirus engine as RedLine, which returned 800 results. They also searched for files named DomainDetects.txt, which is one of the file names the malware exfiltrates. This returned hundreds of exfiltrated files.
They then turned to VirusTotal Graph, which allows licensed VirusTotal users to visually explore the dataset. There, the researchers found that a file from their search results was also included in a RAR archive containing exfiltrated data belonging to 500 victims, including 22,715 passwords to many different websites. Further results included even larger files containing more passwords. Some were for government-related URLs, the researchers noted.
The researchers' process for using each of these tools is detailed in a writeup of their findings.
The "Perfect" Cybercrime
While there are many info stealers to choose from, the researchers selected five commonly used ones because of the higher odds of finding files exfiltrated by them in the VirusTotal dataset.
The SafeBreach team learned and refined its queries as it explored VirusTotal, Bar says. For example, they found that some attackers compress victims' data into a large archive file. VirusTotal provides a way to search for archive files containing fixed, hard-coded file names, so when they found a single such file, they also found stolen data belonging to hundreds of victims, he explains.
"A criminal who uses this method can gather an almost unlimited number of credentials and other user-sensitive data with very little effort in a short period of time using an infection-free approach," the researchers wrote in their blog post. "We called it the perfect cyber crime, not just due to the fact that there is no risk and the effort is very low, but also due to the inability of victims to protect themselves from this type of activity."
The researchers reached out to Google with their findings and requested that the files containing personal data be removed from VirusTotal. They also advised periodically searching for, and removing, files with sensitive user data, and banning the API keys that upload such files.
SafeBreach also advised Google to add an algorithm that disallows uploading files containing sensitive data in plaintext, or encrypted files with the decryption password attached, whether in text or in an image.
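The upload filter SafeBreach recommended, sketched as an added example that is not SafeBreach's, Google's or VirusTotal's code: a pre-submission check for an analysis pipeline that refuses to forward text files that look like stealer logs, so victims' plaintext never lands in a searchable corpus. The file names come from the article; the field patterns, threshold and sample inputs are constructed assumptions.

```python
import re

# File names the article cites as hard-coded stealer output (illustrative
# set; in practice maintained from observed samples).
STEALER_LOG_NAMES = {"all_credentials.txt", "domaindetects.txt"}

# Constructed patterns for plaintext credential dumps: browser-credential
# stealers emit URL/username/password blocks; forum dumps use email:password.
URL_RE = re.compile(r"^(?:url|host(?:name)?)\s*:\s*\S+", re.I | re.M)
USER_RE = re.compile(r"^(?:username|user|login)\s*:\s*\S+", re.I | re.M)
PASS_RE = re.compile(r"^(?:password|pass)\s*:\s*\S+", re.I | re.M)
EMAIL_PASS_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+:\S+$", re.M)

def count_credential_records(text: str) -> int:
    """One record per complete URL/username/password block (min of the three
    field counts, so a bare hostname list is not a dump) plus one per
    email:password line."""
    blocks = min(len(URL_RE.findall(text)), len(USER_RE.findall(text)),
                 len(PASS_RE.findall(text)))
    return blocks + len(EMAIL_PASS_RE.findall(text))

def classify_upload(filename: str, data: bytes, threshold: int = 3):
    """("block", reason) if the file looks like harvested victim data, else
    ("allow", ""). Binaries always pass: they are what the scanner is for."""
    base = filename.rsplit("/", 1)[-1].lower()
    if base in STEALER_LOG_NAMES:
        return "block", f"known stealer log name: {base}"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "allow", ""  # not text; let the engines scan it
    if "\x00" in text:
        return "allow", ""  # decodable but binary-looking
    records = count_credential_records(text)
    if records >= threshold:
        return "block", f"{records} plaintext credential records found"
    return "allow", ""

# Constructed sample inputs (not real victim data).
STEALER_LOG = "".join(
    f"URL: https://{h}.example.test\nUsername: {u}\nPassword: {p}\n\n"
    for h, u, p in [("mail", "victim1", "hunter2"), ("shop", "victim2", "S21!"),
                    ("bank", "victim3", "qwerty")]).encode()
FORUM_DUMP = b"a@example.test:pw1\nb@example.test:pw2\nc@example.test:pw3\n"
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff" + b"\x00" * 40

if __name__ == "__main__":
    for name, blob in [("passwords.txt", STEALER_LOG), ("combo.txt", FORUM_DUMP),
                       ("sample.exe", PE_STUB), ("all_credentials.txt", b"")]:
        print(name, classify_upload(name, blob))
```

A gate like this only catches files that still look like text dumps; the encrypted-archive-plus-password case the researchers also flagged needs archive inspection that this check does not attempt.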