Info-Stealing Malware Exposes More Than 100,000 Hacking Forums  

Posted on August 16, 2023 at 4:27 PM

Security researchers have detected 120,000 compromised systems that stored the credentials of several cybercrime forums. According to researchers, most of the computers infected in this campaign belonged to hackers.

Info-stealing malware compromises over 100,000 hacking forums

The security researchers behind this discovery noted that the passwords used to sign in to hacking-forum accounts are significantly more robust than those used on government websites. They took this as a sign that hackers guard access to their own activities more carefully than institutions such as government agencies guard access to the same kind of information.

The discovery was made by researchers at Hudson Rock, who said they had analyzed 100 cybercrime forums. They also noted that other threat actors had compromised the computers used by these hackers, infecting the devices with info-stealers and harvesting their login data.

Hudson Rock noted that 100,000 of the accounts compromised in this campaign belonged to threat actors. The number of credentials stolen from these cybercrime forums has surpassed 140,000.

The researchers gathered information about the stolen credentials from publicly available leaks. They also used info-stealer log data sourced directly from the hackers' infected machines.

Info-stealer logs are the output of a class of malware that searches specific locations on a computer for stored login information. Web browsers were among the most common targets because their autofill features and built-in password stores keep saved credentials in a predictable place, which makes it easier for an attacker to take over the corresponding accounts and run a malicious campaign.

The chief technology officer at Hudson Rock, Alon Gal, noted that hackers around the world have been opportunistically infecting computers by promoting fake software in search results. They also use YouTube tutorials that lead victims into downloading the trojanized software, thereby compromising their devices.

Targeted hackers were likely less skilled ones

Some of the victims of this campaign were themselves hackers. However, the hackers who were duped are likely the less skilled ones. They were infected the same way as any gullible internet user who tries to take a shortcut on the web and instead falls prey to malicious actors.

The researchers identified the owners of the compromised computers as hackers by analyzing the data contained in the info-stealer logs. This data exposed the real identities of the individuals who owned the infected machines.

The infected computers also held additional credentials belonging to these threat actors, such as email addresses and usernames. They also contained autofill data with the hackers' personal information, including addresses, names, and phone numbers, as well as system data such as computer names and IP addresses.

In a previous report, the researchers at Hudson Rock also noted that a well-known threat actor, La_Citrix, who sells Citrix/VPN/RDP access to companies, had infected their own computer with an info-stealer. Hudson Rock said that this infection was accidental.

While assessing the gathered data, Hudson Rock noted that over 57,000 of the compromised accounts were on the Nulled[.]to community. This community is largely made up of aspiring cybercriminals, suggesting that these users fell victim because they lacked the skills to recognize and avoid the infection.

The users with the strongest passwords were those on BreachForums. According to the researchers, over 40% of those credentials were at least ten characters long and contained four different types of characters.

Some hackers also used weak passwords, such as a string of consecutive numbers. These users also had a low level of participation in the community and appear to use their accounts solely to follow discussions, check the data available for sale, or be notified when something important happens.
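As an added illustration (not code from the article or from Hudson Rock), the script below applies the researchers' strength threshold quoted above (at least ten characters and four character classes) to a constructed set of sample passwords and flags the "consecutive numbers" pattern, the kind of check a defender would run when auditing a credential set:

```python
# Added example: classify credentials by the strength criterion described in the
# article and flag purely sequential digit strings. Sample values are constructed.

SAMPLE_PASSWORDS = [
    "Tr0ub4dor&3",        # 11 chars, upper/lower/digit/symbol -> strong
    "correcthorse",       # 12 chars but only lowercase -> not strong
    "123456",             # ascending run of digits -> weak pattern
    "P@ssw0rd",           # four classes but only 8 chars -> not strong
    "987654321",          # descending run of digits -> weak pattern
    "N0t$oSecure2023!",   # 16 chars, four classes -> strong
]

def char_classes(pw):
    """Return the set of character classes (lower/upper/digit/symbol) in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes

def meets_strong_criterion(pw, min_len=10, min_classes=4):
    """True if pw satisfies the researchers' threshold: length and class count."""
    return len(pw) >= min_len and len(char_classes(pw)) >= min_classes

def is_consecutive_digits(pw):
    """True if pw is nothing but an ascending or descending run of digits."""
    if len(pw) < 2 or not pw.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}

def summarize(passwords):
    """Aggregate counts an analyst would report for a credential set."""
    strong = sum(meets_strong_criterion(p) for p in passwords)
    sequential = sum(is_consecutive_digits(p) for p in passwords)
    return {
        "total": len(passwords),
        "strong": strong,
        "strong_pct": round(100 * strong / len(passwords), 1),
        "sequential_digits": sequential,
    }
```

Calling `summarize(SAMPLE_PASSWORDS)` reports two of the six samples as meeting the threshold and two as sequential-digit strings.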

The researchers also said that the credentials used on the cybercrime forums were significantly stronger than the login data for government websites. However, the difference in password strength was not large.

Hudson Rock further said that the majority of infections appeared to originate from three info-stealers. These three, Azorult, Raccoon and RedLine, are quite popular with threat actors.

Many initial-access intrusions begin with info-stealer malware, which typically gathers all the data a threat actor needs to impersonate a legitimate user. These collections of harvested data are often referred to as system fingerprints, and attackers use them to compromise the targeted systems.
