RecordStealer: A Case Study in the Persistent Threat of Info-Stealing Malware
Google security researchers recently brought attention to the lingering impact of info-stealing malware. One such threat is the RECORDSTEALER malware, also known as RecordBreaker and Raccoon Stealer V2. This info-stealer, written in C, specializes in the theft of sensitive information, including credit card data, passwords, cookies, and cryptocurrency wallets.
RECORDSTEALER was actively disseminated through malicious advertising and downloads of cracked software, often masquerading as legitimate applications. The malware was delivered in a password-protected archive, with the user unwittingly entering the password to extract it. Once successfully executed, it transmitted system information to a command-and-control (C2) server via RC4-encrypted requests. Among the exfiltrated data were unique device identifiers, usernames, and other parameters essential for further attacks.
Although RECORDSTEALER’s activity ceased following the arrest of its creator and the dismantling of its infrastructure, the tactics employed in these attacks remain in use by modern info-stealers. Cybercriminals continue to propagate malware via cracked software and disguise their malicious payloads as legitimate programs, posing a significant threat to users.
The malware’s operation involved collecting and transmitting data from infected systems. RECORDSTEALER actively harvested information from Google Chrome and Mozilla Firefox browsers, including saved passwords, credit card data, and cookies. Additionally, it was capable of stealing cryptocurrency wallet information, taking desktop screenshots, and collecting files related to applications such as Telegram and Discord.
Notably, many of the techniques RECORDSTEALER used persist in other info-stealers, such as VIDAR and STEALC. This underscores the importance of monitoring malware activity, as even minor code alterations can hinder detection.
Various detection mechanisms combat such threats, including tracking suspicious archives and activity in directories with minimal access permissions. Detecting early signs of infection, such as the creation of malicious files or suspicious network requests, enables timely responses to threats and helps mitigate the consequences of data breaches.
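The infection chain described above (password-protected archive, payload dropped into a user-writable directory, outbound connection, browser data access) can be correlated from endpoint telemetry. The following is an added example, not code from the original article or from Google's researchers: it runs a simple correlation rule over constructed sample events. The event schema, the list of user-writable directory markers, and the browser profile paths are assumptions made for this example.

```python
from collections import defaultdict

# Markers for directories an unprivileged user can write to; running a payload from here
# is one of the early signs worth tracking. Lowercase substrings, an assumption for this example.
USER_WRITABLE_MARKERS = (r"\appdata\local\temp", r"\appdata\roaming", r"\downloads")

# Markers for browser credential/cookie stores (Chrome and Firefox profiles), also assumed.
BROWSER_STORE_MARKERS = (r"\google\chrome\user data", r"\mozilla\firefox\profiles")

# Constructed sample telemetry, NOT real logs. pid 100 extracts a password-protected
# archive and drops setup.exe; pid 200 runs it, connects out and reads Chrome's store.
# pid 300 (Program Files) and pid 400 (Downloads, network only) are benign noise.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 100, "type": "archive_extract",
     "path": r"C:\Users\bob\Downloads\setup.zip", "password_protected": True},
    {"ts": 2, "pid": 100, "type": "file_create",
     "path": r"C:\Users\bob\AppData\Local\Temp\setup.exe"},
    {"ts": 3, "pid": 200, "type": "process_start", "parent_pid": 100,
     "image": r"C:\Users\bob\AppData\Local\Temp\setup.exe"},
    {"ts": 4, "pid": 200, "type": "network_connect", "dst": "203.0.113.10:80"},
    {"ts": 5, "pid": 200, "type": "file_read",
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 6, "pid": 300, "type": "process_start", "parent_pid": 1,
     "image": r"C:\Program Files\Editor\editor.exe"},
    {"ts": 7, "pid": 300, "type": "network_connect", "dst": "198.51.100.5:443"},
    {"ts": 8, "pid": 400, "type": "process_start", "parent_pid": 1,
     "image": r"C:\Users\bob\Downloads\tool.exe"},
    {"ts": 9, "pid": 400, "type": "network_connect", "dst": "192.0.2.7:443"},
]


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def touches_browser_store(path):
    p = path.lower()
    return any(marker in p for marker in BROWSER_STORE_MARKERS)


def correlate(events):
    """Return {pid: sorted indicator names} for every process whose image lives in a
    user-writable directory. Events must be in chronological order."""
    extractor_pids = set()          # pids that extracted a password-protected archive
    dropped_files = {}              # lowercase path -> pid that created the file
    indicators = defaultdict(set)
    for ev in events:
        kind = ev["type"]
        if kind == "archive_extract" and ev.get("password_protected"):
            extractor_pids.add(ev["pid"])
        elif kind == "file_create":
            dropped_files[ev["path"].lower()] = ev["pid"]
        elif kind == "process_start":
            image = ev["image"].lower()
            if is_user_writable(image):
                indicators[ev["pid"]].add("image_in_user_writable_dir")
                creator = dropped_files.get(image)
                if creator in extractor_pids or ev.get("parent_pid") in extractor_pids:
                    indicators[ev["pid"]].add("dropped_by_password_archive_extraction")
        elif kind == "network_connect" and ev["pid"] in indicators:
            indicators[ev["pid"]].add("outbound_connection")
        elif kind == "file_read" and ev["pid"] in indicators and touches_browser_store(ev["path"]):
            indicators[ev["pid"]].add("browser_credential_store_read")
    return {pid: sorted(names) for pid, names in indicators.items()}


def alerts(events):
    """Processes meeting the alert rule: ran from a user-writable directory, connected
    out, and either came from a password-protected archive or read a browser store."""
    out = {}
    for pid, names in correlate(events).items():
        corroborated = ("dropped_by_password_archive_extraction" in names
                        or "browser_credential_store_read" in names)
        if "outbound_connection" in names and corroborated:
            out[pid] = names
    return out


if __name__ == "__main__":
    for pid, names in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} indicators={names}")
```

The rule deliberately requires corroboration: pid 400 runs from Downloads and connects out, which on its own describes plenty of legitimate software, so it is recorded but not alerted on. Only pid 200, which combines the archive origin, the user-writable image path, the outbound connection and the read of a browser credential store, is raised. In production the same logic would sit on EDR process, file and network events rather than a list of dicts.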