BI.ZONE: cybercriminals steal corporate passwords using open‑source software

BI.ZONE threat intelligence experts uncovered a malicious campaign targeting Russian organizations in various industries. It is aimed at spreading Umbral Stealer, a piece of malware that collects user credentials from infected computers.
May 30, 2023

It is noteworthy that the malware's source code is publicly available to anyone on GitHub, a hosting service for software development projects, so an attacker can build and adapt the stealer without writing any tooling of their own.

To deliver Umbral Stealer to corporate networks, the intruders chose a simple but effective method: phishing emails with attached ISO files (disc images) containing malicious shortcuts. The attackers disguised the shortcuts as documents named “Raider Plan.” Disc images are a convenient container because Windows mounts them as a virtual drive on double-click, so the shortcut inside looks like an ordinary document to the user; opening it started the infection chain on the device.
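One gateway-side check that follows from this delivery chain is to classify attachments by content rather than by file name, and to look inside disc images for shortcut files before a user can mount them. The example below is added here and is not BI.ZONE's code or part of the campaign analysis. It assumes attachments are available as (name, bytes) pairs; the ISO and shortcut bytes it builds are constructed stand-ins, not samples from the campaign. It relies on two documented facts: ISO 9660/UDF images carry their volume descriptor identifier at sector 16 (byte 0x8001 for "CD001"), and file extents in ISO 9660 start on a 2048-byte logical block boundary, so a .lnk header can be found by scanning block boundaries without parsing the directory tree or mounting the image.

```python
"""Added example (not BI.ZONE's code): flag disc-image attachments and the
Windows shortcut files stored inside them, by content rather than by name.
Sample bytes below are constructed for illustration."""

SECTOR = 2048  # ISO 9660 / UDF logical block size

# Volume descriptor identifiers found at sector 16 (offset 0x8001 for CD001).
# UDF images carry BEA01/NSR02/NSR03 in the same descriptor area.
_IMAGE_IDS = (b"CD001", b"BEA01", b"NSR02", b"NSR03")

# Windows .lnk header: HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
_LNK_MAGIC = (
    b"\x4c\x00\x00\x00"
    b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
)


def is_disc_image(data: bytes) -> bool:
    """True if the bytes are an ISO 9660 / UDF image, whatever the file name."""
    # The descriptor sequence starts at sector 16; check a few sectors in case
    # the image leads with several descriptors.
    for sector in range(16, 20):
        off = sector * SECTOR + 1
        if data[off:off + 5] in _IMAGE_IDS:
            return True
    return False


def is_shortcut(data: bytes) -> bool:
    """True if the bytes start with a Windows .lnk header."""
    return data.startswith(_LNK_MAGIC)


def shortcuts_in_image(data: bytes) -> list[int]:
    """Byte offsets of .lnk files stored in an image.

    ISO 9660 file extents begin on a logical block boundary, so scanning each
    2048-byte boundary for the .lnk header finds them without mounting the
    image or walking its directory records."""
    return [off for off in range(0, len(data), SECTOR)
            if data[off:off + len(_LNK_MAGIC)] == _LNK_MAGIC]


def classify_attachment(name: str, data: bytes) -> tuple[str, str]:
    """Return (verdict, reason): 'block', 'review' or 'allow'."""
    if is_shortcut(data):
        return ("block", "shortcut file")
    if is_disc_image(data):
        n = len(shortcuts_in_image(data))
        if n:
            return ("block", f"disc image containing {n} shortcut(s)")
        return ("review", "disc image")  # no shortcut found; still worth a look
    return ("allow", "")


def build_sample_iso(files: list[bytes]) -> bytes:
    """Constructed stand-in for a mailed ISO: a primary volume descriptor at
    sector 16 and each payload placed on its own sector from sector 32."""
    img = bytearray(32 * SECTOR)
    img[16 * SECTOR] = 1                          # descriptor type: primary
    img[16 * SECTOR + 1:16 * SECTOR + 6] = b"CD001"
    for payload in files:
        sectors = -(-len(payload) // SECTOR)      # ceiling division
        img += payload.ljust(sectors * SECTOR, b"\x00")
    return bytes(img)


# Constructed shortcut: 76-byte header (0x4C) followed by nothing of interest.
FAKE_LNK = _LNK_MAGIC + b"\x00" * (0x4C - len(_LNK_MAGIC))
# Constructed image: a decoy PDF plus the shortcut, as the lure would carry.
SAMPLE_ISO = build_sample_iso([b"%PDF-1.4 decoy", FAKE_LNK])

if __name__ == "__main__":
    for name, blob in [("Raider Plan.pdf", SAMPLE_ISO),   # ISO renamed to .pdf
                       ("Raider Plan.lnk", FAKE_LNK),
                       ("plan.pdf", b"%PDF-1.4 plain")]:
        print(name, classify_attachment(name, blob))
```

Because the check keys on magic bytes, an image renamed to .pdf is still caught, and the shortcut scan works on the image bytes directly, so the gateway never has to mount untrusted media.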

Umbral Stealer allows threat actors to evade defenses, escalate privileges, collect information about compromised systems, and extract authentication data from browsers and applications including Brave, Chrome, Chromium, Comodo, Edge, Epic Privacy, Iridium, Opera, Opera GX, Slimjet, UR Browser, Vivaldi, Yandex Browser, Roblox, Minecraft, and Discord. Many of these applications store not only personal account credentials but corporate ones as well. A stealer log may therefore give threat actors initial access to the target organization or, for example, access to corporate email for internal spear phishing and subsequent business email compromise.

The stealer does not use a traditional command and control infrastructure. Instead, it sends the collected data out through Discord, whose traffic is common on many corporate networks and is therefore easy to overlook.
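Since the page only states that Discord is used in place of a conventional C2 channel, a practical hunting check is to baseline which processes are expected to talk to Discord and alert on everything else. The example below is added here and is not BI.ZONE's code; the event format (one JSON object per line with `image`, `dest_host` and `dest_port` fields, as an EDR network-connection event might be exported) and the event lines themselves are constructed, and the path of the legitimate Discord desktop client is an assumed baseline to adjust for your own environment.

```python
"""Added example (not BI.ZONE's code): hunt for processes other than the
Discord desktop client that open connections to Discord hosts.
Event format and sample lines are constructed for illustration."""
import json
import re
from typing import Iterable

# Domains used by the Discord client and its API. The exact endpoint the
# stealer talks to is not stated in the write-up, so match the whole family.
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")

# Assumed baseline: the official Windows client installs under
# %LocalAppData%\Discord[PTB|Canary]\app-<version>\Discord[PTB|Canary].exe
_ALLOWED_IMAGE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\discord(ptb|canary)?"
    r"\\app-[\d.]+\\discord(ptb|canary)?\.exe$",
    re.IGNORECASE,
)


def is_discord_host(host: str) -> bool:
    """True for a Discord domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DISCORD_DOMAINS)


def find_rogue_discord_clients(events: Iterable[str]) -> list[dict]:
    """Return events where a non-baseline process reached a Discord host."""
    hits = []
    for line in events:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if not is_discord_host(ev.get("dest_host", "")):
            continue
        if _ALLOWED_IMAGE.match(ev.get("image", "")):
            continue  # the real client: expected traffic
        hits.append(ev)
    return hits


# Constructed telemetry: one legitimate client connection, one from a binary
# dropped in a temp folder, one unrelated browser request, and one from a
# PowerShell host on a server that has no business talking to Discord.
SAMPLE_EVENTS = r"""
{"ts": "2023-05-18T09:12:03Z", "host": "WS-0412", "image": "C:\\Users\\a.ivanov\\AppData\\Local\\Discord\\app-1.0.9013\\Discord.exe", "dest_host": "gateway.discord.gg", "dest_port": 443}
{"ts": "2023-05-18T09:14:41Z", "host": "WS-0412", "image": "C:\\Users\\a.ivanov\\AppData\\Local\\Temp\\svc_update.exe", "dest_host": "discord.com", "dest_port": 443}
{"ts": "2023-05-18T09:15:02Z", "host": "WS-0412", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dest_host": "www.example.com", "dest_port": 443}
{"ts": "2023-05-18T09:16:55Z", "host": "SRV-FILE01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest_host": "discordapp.com", "dest_port": 443}
"""

if __name__ == "__main__":
    for ev in find_rogue_discord_clients(SAMPLE_EVENTS.splitlines()):
        print(f"{ev['ts']} {ev['host']}: {ev['image']} -> {ev['dest_host']}")
```

Two caveats when running this against real telemetry: a browser using the Discord web client will match too, so either add browser images to the baseline or pair the rule with the request path, and the rule is only as good as the baseline path, which should come from your software inventory rather than from the assumed pattern above.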

Today, many advanced threat actors, including ransomware operators, leverage valid accounts to access corporate networks. One of the main sources of such authentication material is stealer logs. These logs may be bought or even obtained for free from many underground forums and markets. That’s why we are seeing more and more stealers emerge.
Oleg Skulkin
Head of Cyber Threat Intelligence, BI.ZONE

To reduce the risk of such attacks, organizations should improve their email security: email remains the preferred distribution vector for operators of malware such as Umbral Stealer. A company should also be able to stop a cyberattack at any stage of its development, which is why we recommend delegating the detection, response, and prevention of cyber threats to security event monitoring experts.