Free Stealerium Malware Grabs Desktop and Webcam Images When NSFW Content Detected

Digital blackmailers have long spammed inboxes with emails falsely claiming to hold recordings of the victim caught in the act of watching adult content, demanding a ransom in exchange for not leaking the graphic evidence.
One of the many infostealers used by online criminals can now make those threats real. Information-stealing malware called Stealerium includes a feature that captures the victim through their own webcam at inopportune moments, says Proofpoint.
Stealerium can be configured to trigger whenever it detects words such as “sex,” “porn” or similar keywords in an open browser tab. The malware then grabs a desktop screenshot and a photo from the webcam.
These images are fodder for sextortion shakedowns, Proofpoint researchers said. Stealerium isn’t the first malware to sport this capability, but such functionality previously remained rare, they added. Infostealer developers have mostly focused on coding their malware to grab passwords, session cookies and cryptocurrency wallet access codes.
Cybersecurity consultant Jan Kopriva, who is an Internet Storm Center handler for the SANS Technology Institute, recently studied a corpus of about 1,900 sextortion messages, many collected by French researcher “l0c4l,” which attackers sent to victims from June 2021 through last month. Across the messages, he found 205 unique Bitcoin addresses, plus a handful of Ethereum or Litecoin addresses listed as backups.
Across these messages, the cryptocurrency extortion demands ranged from $250 to $43,000 and averaged $1,716, he said in a Tuesday blog post.
At least some attackers profited. Kopriva reported that about 72% of the Bitcoin addresses received one or more payments, averaging $9,150 in value, although the single biggest payment was just over $75,000. “Although not all incoming payments to the addresses were necessarily connected solely to sextortion, it seems highly probable that at least most of them were,” he said.
Overall, 28% of the Bitcoin addresses received no payment, a percentage that increased to 40% when narrowed to payments made over the past 12 months. “Hopefully this indicates a decrease in the effectiveness of sextortion over time, and decreasing willingness of recipients to pay,” he said.
But the rise in the use of infostealers such as Stealerium could alter the playing field.
Stealerium debuted in 2022. Its popularity tapered off until earlier this year, when Proofpoint’s threat researchers in May noticed an uptick in phishing attacks that wield either Stealerium or related infostealers such as Phantom Stealer, which share a significant amount of code with it.
The code overlap isn’t surprising, given that the software is available for free from a developer who goes by “witchfindertr” on GitHub, meaning anyone can download and adapt the code.
Witchfindertr’s GitHub listing for the software describes it as a “stealer, clipper and keylogger” written in C#, which can use a webhook, or automated message, to relay stolen data, known as a log, to a user’s Discord channel. The clipper capability refers to the malware’s ability to replace any crypto wallet address copied to the clipboard with an attacker-designated address, so that when the victim pastes it, funds are routed to the attacker instead.
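As an added, defender-side illustration (not code from the article, Proofpoint or the Stealerium project), the following heuristic flags the clipper behaviour described above: a wallet address on the clipboard being replaced by a different address of the same family within a fraction of a second, which a human copy action rarely produces. It assumes clipboard contents are polled by some other component; the address patterns, the time window and the sample addresses are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Loose address shapes for the wallet families a clipper typically targets
# (constructed heuristics, not full checksum validators).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_type(text):
    """Return the wallet family a clipboard string looks like, or None."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


@dataclass
class ClipboardSample:
    t: float      # seconds since monitoring started
    content: str  # clipboard text observed at that instant


def find_clipper_swaps(samples, max_gap=2.0):
    """Flag consecutive samples where one address is replaced by a different
    address of the same family within max_gap seconds: the signature of a
    clipper rewriting a copied address behind the user's back.
    Returns a list of (time, original, replacement) tuples."""
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        kind = address_type(prev.content)
        if (kind is not None and kind == address_type(cur.content)
                and prev.content.strip() != cur.content.strip()
                and cur.t - prev.t <= max_gap):
            alerts.append((cur.t, prev.content.strip(), cur.content.strip()))
    return alerts


# Constructed sample: the user copies an address at t=1.0 and a clipper
# silently overwrites it 0.3 s later; the later copies are benign.
SAMPLE = [
    ClipboardSample(0.0, "invoice 4421"),
    ClipboardSample(1.0, "1ConstructedDemoAddrXXXXXXXXXXXXXX"),
    ClipboardSample(1.3, "1BadActorSwapXXXXXXXXXXXXXXXXXXX"),
    ClipboardSample(9.0, "meeting notes"),
    ClipboardSample(30.0, "0x" + "ab" * 20),
]

if __name__ == "__main__":
    for when, before, after in find_clipper_swaps(SAMPLE):
        print(f"t={when}s clipboard address changed: {before} -> {after}")
```

A real monitor would feed polled clipboard snapshots into `find_clipper_swaps` and, on an alert, warn the user before the paste completes.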
Cybercriminal groups appear to be paying attention. Two of the attacker groups that Proofpoint recently saw adopt Stealerium, both of which it classifies as non-major players, switched from using the subscription-based Snake Keylogger, aka 404 Keylogger or VIP Recovery.
Still, the most popular infostealer among the criminal element remains Lumma, which Flashpoint said is tied to five million infected hosts and devices during the first half of this year.
A number of major corporate breaches also begin as infostealer infections, with cybercriminals gathering corporate credentials, including for VPN services, as well as session cookies. This data often gets batched up as a log and sold through automated “clouds of logs” marketplaces, forums or Telegram channels.