[New research] The top malware hackers use to steal your users’ passwords

Today, the Specops research team is publishing new data on the types of malware hackers are using to steal passwords and sell them on the dark web. This coincides with the latest addition of over 48 million compromised passwords to the Specops Breached Password Protection service.

Specops’ database of breached and compromised passwords contains over 4 billion unique passwords that we continuously scan for in our customers’ Active Directories. The data comes from known breached passwords lists, our real-time attack monitoring system that monitors live brute force attacks, and a valuable new source: KrakenLabs, the Threat Intelligence unit of Specops Software’s parent company, Outpost24.

KrakenLabs specializes in tracking threat actors, the reverse engineering of malware, and analyzing threats to generate crucial intelligence that powers the Outpost24 Threat Intelligence solution. To coincide with the update to our breached password database, KrakenLabs have analyzed 359 million stolen passwords found in the last six months to establish the most common types of malware being used to steal credentials.

Darren James, Specops Senior Product Manager, said this about the findings: “It’s interesting to note that one particular piece of malware was responsible for nearly half of the stolen passwords analyzed. The data shows that Redline malware is the hacking community’s current favorite password-stealing toy, racking up 170 million stolen credentials over the past six months.

“This also shows how many passwords end up for sale on the dark web and highlights the danger of password reuse. If your end users are reusing work passwords on sites or devices vulnerable to malware, you could end up with compromised passwords within your Active Directory (and other applications and platforms such as Entra iD and Okta if you are synchronizing your passwords). It’s vital to have a way to continuously scan your Active Directory for breached and compromised passwords”.

Hackers’ ten favorite credential stealers

There are plenty of tools on the market for hackers to choose from, but some are responsible for more stolen passwords than others. As you can see from KrakenLabs’ data in the table below, Redline malware was behind a huge 170 million stolen passwords in the last six months alone. This means Redline was used to steal nearly half (47%) of all the passwords analyzed. This was more than the next three most popular credential stealing tools combined: Vidar (17%), Raccoon Stealer (11.7%), and Meta (10.6%).

Analysis of top three types of password-stealing malware

1. Redline

As the data shows, RedLine is an extremely popular stealer. It was discovered in March 2020 and its main goal is to export all sorts of personal information, such as credentials, cryptocurrency wallets, and financial data, then upload it to the malware’s C2 infrastructure. On many occasions, a RedLine payload is delivered along with a cryptocurrency miner to be deployed on the victim’s machine, especially in campaigns where gamers with powerful GPUs are the preferred target.

Redline is associated with a wide variety of distribution methods, although phishing campaigns are the most common. Threat actors use global events such as COVID-19 as a lure to trick people into clicking and downloading the stealer. From mid-2021 onwards, YouTube has also been used as a distribution method for RedLine, in a process as follows:

• Firstly, the threat actor compromises a Google/YouTube account
• Once compromised, the threat actor creates different channels or directly publishes videos on them
• In the description of the uploaded videos (usually ones that advertise gaming cheats and cracks, providing instructions on hacking popular games and software) threat actors will include a malicious link related to the theme of the video
• Users click the link and unwittingly download Redline onto their device, resulting in their passwords and other private information being stolen

2. Vidar

Vidar is an evolution of the well-known Arkei Stealer. It checks for the language preferences of the infected machine to whitelist some countries for further infection. Following that, it generates a Mutex and initializes the strings needed to operate. There are two different C2 versions available to hackers. The original one is associated with the paid version of Vidar, Vidar Pro. There’s also another C2 version used in the cracked version of Vidar that is distributed in underground forums, called Anti-Vidar.

In early 2022, Vidar was spotted being distributed in phishing campaigns as Microsoft Compiled HTML Help (CHM) files. Additionally, it has been detected that the malware is being distributed by the PPI malware service PrivateLoader, the Fallout Exploit Kit, and the Colibri loader. In late 2023, the malware has been observed being delivered by the GHOSTPULSE malware loader.

3. Raccoon Stealer

Raccoon Stealer is an information-stealing malware offered for sale on the cybercriminal underground. The team behind Raccoon Stealer uses a ‘malware-as-a-service’ model, allowing customers to rent the stealer on a monthly basis. It was first offered for sale on the top-tier Russian-language forum Exploit on April 8, 2019. Raccoon Stealer is promoted using the tagline: “We steal, You deal!”

Primarily, it’s been offered for sale on Russian-language underground forums such as Exploit and WWH-Club. On October 20, 2019, the threat actor also began offering Raccoon Stealer on the

infamous English-language Hack Forums. The threat actor marketing Raccoon Stealer on underground forums occasionally refer to “test weeks,” perhaps indicating that prospective hackers are able to enjoy a trial run of the product.

Where do stolen credentials end up?

Some threat actors will use stolen credentials to carry out further attacks themselves, but many will attempt to bulk sell them on for financial gain on the dark web. Other attackers will buy these credentials and attempt to use them to gain initial access your network.

The dark web is a subset of the deep web that can’t be accessed by normal web browsers. You need special software like the Tor browser, VPN service (Tor network), and onion routing to access it. The dark web isn’t solely used for cybercrime, but its underground forums and marketplaces have become notorious for identity theft, ransomware-as-a-service, phishing-as-a-service, and the sale of private data. Simply put, it’s not somewhere you want to find your end users credentials being traded among Initial Access Brokers (IABs).

Credentials are a prized asset among cybercriminals as they offer the easiest way to hack into an organization – and the dark web is where they tend to end up on sale. Without access to Threat Intelligence or tools that can scan for compromised passwords, it can be hard for organizations to know whether their end users’ credentials have ended up on the dark web.

Passwords can become compromised for all sorts of reasons, but the biggest risk to your Active Directory environment is password reuse. Even if you have an effective password policy, strong passwords can still become compromised through people reusing their work passwords on unsecure sites and devices. These could be breached and then listed for sale online without your knowledge. There’s no foolproof way to stop human behavior like password reuse, so it’s invaluable to have tools that can continuously scan your Active Directory for passwords that are known to have been compromised and could be listed on a dark web marketplace.

How Specops works with KrakenLabs to add breached credentials

Working with a Threat Intelligence team helps Specops to gather even more breached password data, by using several different techniques to gather information regarding stolen credentials. Their research monitors threat actors specialized in stealing credentials, which enables its threat analysts to discover, investigate, and infiltrate a wide variety of groups. This gives a better understanding of their methods for distributing credentials, and in most cases, allows KrakenLabs to access the raw information itself.

Besides actor monitoring threat actors, KrakenLabs also has the capability of extracting credentials from the malware used to steal them. Employing different techniques, which range from traditional sinkholing (intercepting DNS request attempting to connect to known malicious or unwanted domains) to using their own patented technology, the team can capture stolen credentials ‘in-flight.’ This means they can capture credentials while they’re being reported to the command-and-control server used to later distribute the credentials among the different clouds.

What does this mean for Active Directory passwords?

This research highlights the lengths threat actors will go to in order to both steal and purchase credentials – and how successful malware such as Redline is for facilitating this. But if your environment is secure from malware, why does that matter? The problem is password reuse. If your end users are reusing their work passwords on insecure devices, sites, and applications, this puts your organization at risk. Hackers use malware to steal passwords from insecure sites and can then easily match a victim’s user information to their place of work.

Bitwarden research found that 68% of internet users manage passwords for over 10 websites – and 84% of these people admit to password reuse. In a similar study, LastPass found that 91% of users understand the risks of password reuse, yet 61% continue to do it. Password reuse is a very challenging behavior to stop, so help from technology that can continuously monitor in defense of this threat is needed.

How to find compromised passwords like these in your network

Today’s update to the Breached Password Protection service includes an addition of over 16 million compromised passwords to the list used by Specops Password Auditor. You can find out how many of these compromised passwords are being used by your end users with a quick scan of your Active Directory with our free auditing tool: Specops Password Auditor.

Specops Password Auditor is read-only and doesn’t store Active Directory data, nor does it make any changes to Active Directory. You’ll get an easy-to-understand exportable report detailing password-related vulnerabilities that could be used as entry points for attackers. Download for free here.

Protect your organization from the risk of password-stealing malware

By monitoring the dark web, our analysts can gain information that helps organizations stay ahead of threats. For instance, knowing if your organization’s data has been leaked can help security teams change the relevant credentials and secure your systems before an attack occurs. Specops Breached Password Protection combines this threat intelligence with known breached password lists and data from our real-time attack monitoring system to create a unique database of over 4 billion unique compromised passwords.

Specops Password Policy with Breached Password Protection lets organizations continuously protect themselves against this ever-growing list of compromised credentials. The daily update of the Breached Password Protection API, paired with continuous scans for the use of those passwords in your network, blocks compromised passwords in Active Directory with customizable end-user messaging.

Interested in seeing how Specops Password Policy could fit in with your organization? Have questions on how you could adapt this for your needs? Contact us or see how it works with a demo or free trial.