SafeBreach researchers have identified a method that allows criminals to steal sensitive info without being caught
SafeBreach, which develops a platform that lets its customers test their readiness for attacks through simulations, has identified a unique method that allows online criminals to commit what the company calls the perfect crime: maximum profit with no chance of being caught.
The company’s researchers have found a method to collect vast amounts of stolen user credentials by executing searches on VirusTotal, the online service used to analyze suspicious files and URLs.
With a €600 VirusTotal license and a few tools, the research team managed to collect more than a million credentials. The goal was to identify the data a criminal could gather with a license for VirusTotal, which is owned by Google and provides a free service that can be used to upload and check suspicious files and links using several antivirus engines.
A licensed user on VirusTotal can query the service's dataset with a combination of filters for file type, file name, submitted data, country, and file content, among others. The SafeBreach team coined the term "VirusTotal hacking" by analogy with "Google hacking," the practice criminals use to look for vulnerable websites, Internet of Things devices, Web shells, and sensitive data leaks.
At least one million files identified as malware
The researchers built their searches around known malware, including RedLine Stealer, Azorult, Raccoon Stealer, and Hawkeye, as well as known forums such as DrDark and Snatch_Cloud, all of which are used to steal sensitive data. They found that their method works at scale.
RedLine Stealer is a form of malware sold on underground forums via a stand-alone purchase or subscription. It uses browsers to collect data such as saved credentials, autocomplete data, and credit card details.
When it runs on a target machine, the malware takes a system inventory that includes information such as username, location data, hardware configuration, and the details of security software.
RedLine Stealer can upload and download files and execute commands.
To start, the researchers used VirusTotal Query to search for binaries identified by at least one antivirus engine as RedLine — which returned 800 results. They also searched for files named DomainDetects.txt, which is one of the file names the malware exfiltrates. This returned hundreds of exfiltrated files.
They then turned to VirusTotal Graph, which allows licensed VirusTotal users to visually explore the dataset. There, the researchers found a file from their search results was also included in a RAR file containing exfiltrated data belonging to 500 victims — including 22,715 passwords to many different websites. Additional results included even larger files, containing more passwords. Some were for government-related URLs, the researchers noted.
In a test the company ran, about 2.2 million files were uploaded to the VirusTotal service, of which at least one million were identified by at least one antivirus engine as malware. The company estimates the average file size at about 90 terabytes, all of it accessible to those who pay for the minimum subscription, with more available to those who pay for a premium service.
The researchers also found that the hackers who carry out the actual attacks use VirusTotal as a platform to post samples of stolen information as a teaser, in order to persuade other criminals to visit their forum and buy the full data set. Each such post contains thousands of passwords.
The SafeBreach team improved its queries as it explored VirusTotal. For example, they found some attackers compress victims' data in a large archive file. VirusTotal provides a way to search for archive files containing fixed hard-coded file names, so when they found a single file, they also found stolen data belonging to hundreds of victims.
The company reported its findings to Google and asked that the files containing personal data be removed from VirusTotal. It also advised periodically searching for, and removing, files with sensitive user data, and banning the API keys used to upload them.
SafeBreach further advised Google to add an algorithm that rejects uploads of files containing sensitive data in plaintext, and of encrypted files whose decryption password is attached, whether as text or as an image.
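A check in the spirit of that advice, added here as an example that is not SafeBreach's or VirusTotal's own code: before a file is accepted (or before an organisation submits a suspicious file to a public sandbox), scan its text for URL/username/password triples of the kind info-stealer logs contain, block it past a threshold, and mask the passwords in any report. The field labels matched and the sample log are assumptions, since real stealer formats vary.

```python
import re

# Assumed label variants for credential records in stealer logs. These are
# constructed for this example; real stealer output formats vary by family.
CRED_RECORD = re.compile(
    r"^[ \t]*(?:url|host|site)[ \t]*[:=][ \t]*(?P<url>\S+)[ \t]*\r?\n"
    r"[ \t]*(?:user(?:name)?|login)[ \t]*[:=][ \t]*(?P<user>\S+)[ \t]*\r?\n"
    r"[ \t]*(?:pass(?:word)?|pwd)[ \t]*[:=][ \t]*(?P<pw>\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def find_credential_records(text: str) -> list[dict]:
    """Return every URL/username/password triple found in the text."""
    return [m.groupdict() for m in CRED_RECORD.finditer(text)]


def should_block_upload(text: str, threshold: int = 3) -> bool:
    """Block when the file carries at least `threshold` credential records."""
    return len(find_credential_records(text)) >= threshold


def redact(text: str) -> str:
    """Mask password values so a report about the file can be shared safely."""
    return CRED_RECORD.sub(
        lambda m: m.group(0)[: m.start("pw") - m.start(0)] + "<redacted>", text
    )


# Constructed sample resembling a stealer log; no real accounts or sites.
SAMPLE_LOG = """URL: https://mail.example.com/login
Username: alice@example.com
Password: hunter2

url=https://portal.example.org/
login=bob
pass=Tr0ub4dor&3

Software: Example Browser 100.0
"""

if __name__ == "__main__":
    records = find_credential_records(SAMPLE_LOG)
    print(f"{len(records)} credential record(s); block={should_block_upload(SAMPLE_LOG, 2)}")
    print(redact(SAMPLE_LOG))
```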
"It is quite a straightforward technique, which doesn't require strong understanding in malware. All you need is to choose one of the most common info stealers and read about it online," said Tomer Bar, director of security research at SafeBreach. A criminal who uses this method can gather an almost unlimited number of credentials and other user-sensitive data with very little effort in a short period of time using an infection-free approach.
Tomer Bar. Photo by Meir Cohen
"We called it the perfect cyber-crime, not just due to the fact that there is no risk and the effort is very low, but also due to the inability of victims to protect themselves from this type of activity. Once victims have been hacked by the original hacker, most have little visibility into the sensitive information uploaded and stored on VirusTotal and other forums. The reduction should be done mainly by the suppliers of such reservoirs."