In Italy, the first half of 2024 confirmed the steady use of malware by malicious actors, with only a slight decrease compared to the previous period (Clusit Report 2024). The variety of malware available, from ransomware to other kinds of malicious code, gives cybercriminals a broad toolkit for targeting their victims.
Among them, stealers account for 78 % of the malware observed in Italy and are used mainly to take data from an infected device (Cert-AgID Report, 2023). LummaC2, the stealer spread through fake CAPTCHA pages that trick the user into running it and which then quietly steals personal data, is one of them.
Let us see together how they work and how to mitigate them.
Typically, stealers aim to obtain confidential information such as usernames and passwords, credit card data, cryptocurrency wallets and files stored on the victim's computer. Unlike other types of malware, stealers are not designed to cause direct damage to the system or to the user's data, but to copy information out quietly and without being noticed.
How Stealers Work
Stealers work by collecting data already stored on the user's device. The simplest ones read what web browsers such as Google Chrome, Mozilla Firefox and other Chromium-based browsers keep on disk: saved passwords, auto-fill data, browsing history and cookies. Saved browser passwords are encrypted, but with a key the browser recovers under the user's own account (on Windows through DPAPI), so any program running as that user can recover them too. Some stealers also collect files from the desktop and other folders, cryptocurrency wallets and the data of two-factor authentication (2FA) browser extensions.
An example of a modern stealer is LummaC2, which extracts data from browsers, file systems and cryptocurrency extensions. This stealer is able to gather information from over 60 browser extensions, including 2FA tools, making it extremely effective at stealing login credentials and cryptocurrency wallets.
Stealer: technical aspects
Many modern stealers, LummaC2 among them, are written in low-level languages such as C or assembly. The resulting binaries are small, have few run-time dependencies and do not need a runtime such as .NET to be present, so they also run on 'clean systems', i.e. freshly installed devices without additional software. The author also controls every system call the malware makes, which makes it easier to avoid the hooks that security products place on common library functions.
A crucial element for the success of such malware is its ability to act covertly. LummaC2, for instance, obfuscates the strings in its binary and does not list the Windows API functions it needs in its import table: it resolves them at run time, through GetProcAddress or by walking a DLL's export table, using encoded names or numeric hashes instead of plain function names. A static scan of the file therefore sees little, and signature-based antivirus has less to match on.
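The analyst-side counterpart of hidden imports is hash resolution: hash every export of the DLLs a sample loads and look the sample's constants up. The script below is an added example, not LummaC2 code or CYBEROO tooling. Its assumptions are a ROR-13 hash (one common choice; a real sample may use any routine), a short hand-written export list in place of full DLL export tables, and a constructed code fragment that pushes each hash before calling a resolver stub.

```python
"""Recover API names from hashed constants (added example, see lead-in)."""
import struct


def ror13_hash(name: str) -> int:
    """ROR-13 hash over the ASCII bytes of an API name (assumed routine)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13 bits
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed export list; in practice dump every export of kernel32.dll,
# advapi32.dll, crypt32.dll, wininet.dll, ... and hash all of them.
KNOWN_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileW", "ReadFile", "WriteFile", "CryptUnprotectData",
    "RegOpenKeyExW", "InternetOpenA", "HttpSendRequestA",
]


def build_hash_table(names):
    """Map hash -> API name. Full export lists can collide; keep the first."""
    table = {}
    for n in names:
        table.setdefault(ror13_hash(n), n)
    return table


def extract_push_imm32(code: bytes):
    """Collect the 32-bit immediates of `push imm32` (opcode 0x68) in order."""
    found = []
    i = 0
    while i + 5 <= len(code):
        if code[i] == 0x68:
            found.append(struct.unpack_from("<I", code, i + 1)[0])
            i += 5
        else:
            i += 1
    return found


def resolve_hashes(code: bytes, table):
    """Pair each pushed constant with the API name it hashes to (None if unknown)."""
    return [(h, table.get(h)) for h in extract_push_imm32(code)]


# Constructed fragment imitating a resolver call site: `push <hash> ; call rel32`.
# The third constant is deliberately unknown, to show an unresolved hash.
SAMPLE_CODE = b"".join(
    b"\x68" + struct.pack("<I", h) + b"\xe8\x00\x00\x00\x00"
    for h in (ror13_hash("LoadLibraryA"), ror13_hash("CryptUnprotectData"), 0xDEADBEEF)
)

if __name__ == "__main__":
    for h, name in resolve_hashes(SAMPLE_CODE, build_hash_table(KNOWN_EXPORTS)):
        print(f"0x{h:08x} -> {name or 'unresolved'}")
```

In a real case the hash routine has to be lifted from the sample's resolver function first, and the export tables of all DLLs the sample loads are fed to build_hash_table; a constant that stays unresolved usually means a different hash routine, a module you have not hashed yet, or a value that was never a hash at all.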
Stealers also use tricks that exploit the boundary between 32-bit and 64-bit code. With Heaven's Gate, a 32-bit process running under WoW64 on 64-bit Windows switches the processor into 64-bit mode and calls 64-bit system code directly, bypassing the user-mode hooks that security products place on the 32-bit API layer. Builds for several architectures (x86, x64 and ARM) allow such malware to run on different platforms, including virtual machines and newer devices.
Stealer: how to protect yourself
- 24/7 monitoring and response: MDR services monitor the whole corporate IT estate around the clock through a SOC (CYBEROO's I-SOC) that spots suspicious activity, such as an unknown process reading browser credential stores, and responds to attacks in real time.
- Antivirus software: modern antivirus can detect known stealers. Remember, however, that cybercriminals update their programs constantly, and antivirus signatures can lag behind a new build.
- Regular software updates: attackers often exploit vulnerabilities in outdated software to infect devices.
- Care when downloading files: stealers are often distributed via pirated software, fake updates, fake CAPTCHA pages and suspicious e-mail attachments.
- Multi-factor authentication (MFA): a second factor makes stolen passwords much less useful on their own. Stealers, however, also take session cookies and the data of 2FA browser extensions, so after an infection passwords must be changed and active sessions revoked; an authenticator app on a separate device or a hardware key is preferable to a 2FA extension inside the browser.
- Data encryption: encrypting sensitive files and cryptocurrency wallets with a passphrase that is not saved in the browser makes stolen copies much harder to use. Encryption at rest alone is not enough: a stealer running in the logged-in user's session reads whatever that session can read.
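The detection logic below turns the behaviour described under "How Stealers Work" (one process sweeping the credential stores of several browsers and the storage of wallet or 2FA extensions) into the kind of rule the monitoring bullet above relies on. It is an added example, not CYBEROO's I-SOC logic. It assumes a file-access telemetry source (an EDR sensor; Sysmon alone does not log file reads) emitting one JSON record per file open with the reading process and the path; the records, the user name and the extension directory name are constructed for the example.

```python
"""Flag non-browser processes reading browser credential stores (added example)."""
import json
from collections import defaultdict

# Substrings of Windows profile paths that stealers open, lower-cased for matching.
# (browser family, marker)
SENSITIVE_MARKERS = [
    ("chrome", r"\google\chrome\user data\default\login data"),
    ("chrome", r"\google\chrome\user data\default\network\cookies"),
    ("chrome", r"\google\chrome\user data\local state"),   # holds the DPAPI-wrapped AES key
    ("edge", r"\microsoft\edge\user data\default\login data"),
    ("edge", r"\microsoft\edge\user data\local state"),
    ("firefox", r"\mozilla\firefox\profiles"),              # logins.json / key4.db live here
    ("extension", r"\local extension settings"),            # wallet / 2FA extension storage
]

# Processes that legitimately read their own stores (image basename, lower-cased).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}


def classify_path(path: str):
    """Return the browser family a path belongs to, or None if it is not sensitive."""
    p = path.lower()
    for family, marker in SENSITIVE_MARKERS:
        if marker in p:
            return family
    return None


def analyse(log_lines):
    """Return one finding per suspicious process, keyed by pid.

    A non-browser process touching any store is reported; sweeping two or more
    browser families, or extension storage, is the stealer pattern and is 'high'.
    """
    touched = defaultdict(set)   # pid -> families of stores read
    image_of = {}
    for line in log_lines:
        ev = json.loads(line)
        family = classify_path(ev["path"])
        if family is None:
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in BROWSER_IMAGES:
            continue             # a browser reading its own profile is normal
        touched[ev["pid"]].add(family)
        image_of[ev["pid"]] = ev["image"]
    findings = {}
    for pid, fams in touched.items():
        browsers = fams - {"extension"}
        severity = "high" if len(browsers) >= 2 or "extension" in fams else "medium"
        findings[pid] = {"image": image_of[pid], "families": sorted(fams), "severity": severity}
    return findings


# Constructed telemetry: user "alice" and the extension ID are placeholders.
_APP = r"C:\Users\alice\AppData"
_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": _APP + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 5544, "image": _APP + r"\Local\Temp\setup_update.exe",
     "path": _APP + r"\Local\Google\Chrome\User Data\Local State"},
    {"pid": 5544, "image": _APP + r"\Local\Temp\setup_update.exe",
     "path": _APP + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 5544, "image": _APP + r"\Local\Temp\setup_update.exe",
     "path": _APP + r"\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"pid": 5544, "image": _APP + r"\Local\Temp\setup_update.exe",
     "path": _APP + r"\Roaming\Mozilla\Firefox\Profiles\x1y2z3ab.default-release\key4.db"},
    {"pid": 5544, "image": _APP + r"\Local\Temp\setup_update.exe",
     "path": _APP + r"\Local\Google\Chrome\User Data\Default\Local Extension Settings"
             r"\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\000003.log"},
    {"pid": 2210, "image": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Users\alice\Documents\report.docx"},
    {"pid": 7788, "image": r"C:\Tools\pwmigrate.exe",
     "path": _APP + r"\Local\Microsoft\Edge\User Data\Default\Login Data"},
]
SAMPLE_LOG = [json.dumps(e) for e in _EVENTS]

if __name__ == "__main__":
    for pid, f in analyse(SAMPLE_LOG).items():
        print(pid, f["severity"], f["image"], f["families"])
```

Expect noise from backup agents and password-manager import tools, which also read these files once; the allowlist is where such cases go, while the multi-browser sweep from a freshly dropped executable in a temp directory is the signal worth paging on.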
Conclusions
Stealers continue to be one of the most widespread threats in cyberspace, and their development is constantly evolving. Modern stealers are fast and efficient, posing a danger to both individuals and organisations.
It is crucial to remember that cyber threats evolve rapidly, and protection against them requires a holistic approach, including the use of up-to-date security tools, regular maintenance of systems and taking appropriate preventive measures.
Analysis by Vasily Kononov – Threat Intelligence Lead, CYBEROO