
Mysterious custom malware used to steal 1.2TB of data from millions of PCs

Researchers found a previously unknown custom malware that was used to collect a huge amount of data, including sensitive files, credentials, and cookies.

Researchers from NordLocker have discovered an unsecured database containing 1.2 TB of stolen data. Threat actors used custom malware to steal it from 3.2 million Windows systems between 2018 and 2020. The database holds 6.6 million files, 26 million credentials, 1.1 million unique email addresses, and 2 billion web login cookies; the researchers pointed out that 22% of the cookies were still valid at the time the archive was discovered, meaning the issuing servers would still have accepted them.

Cookies are a precious source of intelligence about victims' habits, and while a session cookie remains valid it can be replayed to access the victim's online account without knowing the password.

NordLocker experts speculate that the malware was spread via malicious email and pirated software, including tainted copies of Adobe Photoshop 2018, cracked games, and Windows cracking tools.

“This is a Trojan-type malware that was transmitted via email and illegal software. The software includes illegal Adobe Photoshop 2018, a Windows cracking tool, and several cracked games.” reads the report published by NordLocker. “The data was collected from 3.25 million computers. The malware stole nearly 26 million login credentials holding 1.1 million unique email addresses, 2 billion+ cookies, and 6.6 million files.”

The experts pointed out that the custom malware used to amass this kind of data is cheap, easy to find online, and customizable: multiple posts on Dark Web forums advertise similar malware for as little as $100.

Nearly 26 million login credentials (email addresses and passwords) were stolen from almost a million websites; NordLocker categorized them into 12 groups based on the type of website.

The 26 million login credentials held 1.1 million unique email addresses, NordLocker found, for an array of apps and services, including logins for social media, online games, online marketplaces, job-search sites, consumer electronics, financial services, email services, and more.

More than half of the stolen files were text files, some of them containing software logs, passwords, personal notes, and other sensitive information. The malware also stole more than 1 million images, including 696,000 .png and 224,000 .jpg files, and the archive holds over 650,000 Word documents and .pdf files.

The database was discovered because the hacker group accidentally revealed its location. The experts promptly notified the cloud provider hosting the database, and the data have since been added to the data breach notification service Have I Been Pwned so that people can check whether their information has been exposed.

The top 10 targeted apps are as follows:

  1. Google Chrome (19.4 million entries)
  2. Mozilla Firefox (3.3 million entries)
  3. Opera (2 million entries)
  4. Internet Explorer/Microsoft Edge (1.3 million entries)
  5. Chromium (1 million entries)
  6. CocCoc (451,962 entries)
  7. Outlook (111,732 entries)
  8. Yandex Browser (79,530 entries)
  9. Torch (57,427 entries)
  10. Thunderbird (42,057 entries)
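The stores these stealers read are ordinary files on disk (Chrome's Login Data and Cookies, Firefox's logins.json and cookies.sqlite, and so on), so a process other than the owning browser opening them is a signal a defender can alert on. The Python below is an added example, not code from the NordLocker report or from the malware itself; it runs a simple rule over constructed, simplified Windows Security 4663 (object access) style events. The event field names and the sample process paths are assumptions for the demo; the browser store file names are the real ones used by the browsers in the list above.

```python
"""Flag non-browser processes opening browser credential and cookie stores.

Added example, not from the NordLocker report. Input is a handful of constructed
events in a simplified Windows Security 4663 (object access) key="value" layout;
the field names and sample paths are assumptions for the demo, while the store
file names (Login Data, Cookies, logins.json, cookies.sqlite, key4.db) are the
real ones used by the browsers on the page's top-10 list.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# (pattern over the tail of the object path, processes allowed to open it)
BROWSER_STORES: List[Tuple[re.Pattern, Set[str]]] = [
    (re.compile(r"\\google\\chrome\\user data\\.*\\(login data|cookies|web data)$", re.I), {"chrome.exe"}),
    (re.compile(r"\\microsoft\\edge\\user data\\.*\\(login data|cookies|web data)$", re.I), {"msedge.exe"}),
    (re.compile(r"\\opera software\\opera stable\\(.*\\)?(login data|cookies)$", re.I), {"opera.exe"}),
    (re.compile(r"\\mozilla\\firefox\\profiles\\.*\\(logins\.json|cookies\.sqlite|key4\.db)$", re.I), {"firefox.exe"}),
    (re.compile(r"\\thunderbird\\profiles\\.*\\(logins\.json|key4\.db)$", re.I), {"thunderbird.exe"}),
]

FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Split one key="value" event line into a dict (Windows paths contain no quotes)."""
    return dict(FIELD.findall(line))


def store_owner(path: str) -> Optional[Set[str]]:
    """Return the browser processes that legitimately own `path`, or None if it is not a store."""
    for pattern, owners in BROWSER_STORES:
        if pattern.search(path):
            return owners
    return None


def flag_credential_store_access(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert per 4663 event in which a non-owner process opened a store."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4663":
            continue
        owners = store_owner(ev.get("ObjectName", ""))
        if owners is None:
            continue
        image = ev.get("ProcessName", "")
        if image.rsplit("\\", 1)[-1].lower() in owners:
            continue  # the browser itself reading its own store
        alerts.append({"user": ev.get("SubjectUserName", ""), "process": image, "store": ev["ObjectName"]})
    return alerts


# Constructed sample: a cracked "Photoshop" installer (the lure named on this page) harvesting stores.
SAMPLE_EVENTS = [
    r'EventID="4663" SubjectUserName="alice" ProcessName="C:\Program Files\Google\Chrome\Application\chrome.exe" ObjectName="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'EventID="4663" SubjectUserName="alice" ProcessName="C:\Users\alice\Downloads\Photoshop_2018_crack\setup.exe" ObjectName="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'EventID="4663" SubjectUserName="alice" ProcessName="C:\Users\alice\Downloads\Photoshop_2018_crack\setup.exe" ObjectName="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"',
    r'EventID="4663" SubjectUserName="alice" ProcessName="C:\Users\alice\Downloads\Photoshop_2018_crack\setup.exe" ObjectName="C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9.default-release\logins.json"',
    r'EventID="4663" SubjectUserName="alice" ProcessName="C:\Program Files\Mozilla Firefox\firefox.exe" ObjectName="C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9.default-release\cookies.sqlite"',
    r'EventID="4663" SubjectUserName="alice" ProcessName="C:\Windows\explorer.exe" ObjectName="C:\Users\alice\Documents\notes.txt"',
    r'EventID="4656" SubjectUserName="alice" ProcessName="C:\Users\alice\Downloads\Photoshop_2018_crack\setup.exe" ObjectName="C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
]

if __name__ == "__main__":
    for a in flag_credential_store_access(SAMPLE_EVENTS):
        print(f"ALERT user={a['user']} process={a['process']} store={a['store']}")
```

On the sample above the rule fires three times, all for the fake installer, and stays quiet for the browsers reading their own stores. In production, backup and sync agents that legitimately touch profile directories have to be added to the owner sets, and 4663 only appears if a SACL has been set on the profile directory; EDR file-open telemetry is the more common source of the same signal.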

How can you protect your data from this kind of malware? Below is a list of tips recommended by the experts:

  • Install antivirus software;
  • Practice proper cyber hygiene;
  • Use strong passwords;
  • Download software from trusted sources;
  • Block third-party cookies;
  • Regularly clean cookies;
  • Encrypt your data;
  • Store files on an encrypted cloud;
  • Use multi-factor authentication.
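Cleaning cookies on the client and choosing strong passwords do not, by themselves, invalidate a session token that has already been copied off the machine; that only happens when the server stops honouring it, which is why 22% of the cookies in the archive were still usable. The Python below is an added example, not code from NordLocker or from any service named on this page, showing the server-side pattern that limits what a stolen cookie is worth: random tokens stored only as hashes, an idle timeout and an absolute lifetime, bulk revocation of a user's sessions (on password change or after a known infection), and a Set-Cookie header carrying the Secure, HttpOnly and SameSite attributes. The timeout values and the cookie name `sid` are assumptions chosen for the demo.

```python
"""Server-side session handling that limits what a stolen cookie is worth.

Added example, not from NordLocker or any service named on the page. The
timeouts and the cookie name `sid` are assumptions chosen for the demo.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 30 * 60       # seconds without a request before the session dies (assumption)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard lifetime regardless of activity (assumption)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """In-memory store keyed by SHA-256(token): a dump of the store yields no replayable cookie."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        """Create a session and return the opaque token that goes into the cookie."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        now = self._now()
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live token, or None (and forget it) if expired or unknown."""
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self._now()
        if now - sess.created > ABSOLUTE_TIMEOUT or now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[key]
            return None
        sess.last_seen = now
        return sess.user

    def revoke(self, token: str) -> None:
        """Logout: once the server forgets the token, any stolen copy is useless."""
        self._sessions.pop(self._key(token), None)

    def revoke_all_for(self, user: str) -> int:
        """Kill every session of a user, e.g. on password change or after a stealer infection."""
        doomed = [k for k, s in self._sessions.items() if s.user == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def set_cookie_header(token: str, max_age: int = ABSOLUTE_TIMEOUT) -> str:
    """Cookie attributes that keep the token off plain HTTP and out of reach of page scripts."""
    return f"Set-Cookie: sid={token}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


class FakeClock:
    """Controllable clock so the timeouts can be exercised without sleeping."""
    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


def demo() -> dict:
    clock = FakeClock()
    store = SessionStore(now=clock)
    token = store.issue("alice")
    result = {"fresh": store.validate(token)}
    clock.t += IDLE_TIMEOUT + 1                 # stolen copy replayed after the victim went idle
    result["after_idle"] = store.validate(token)
    t2 = store.issue("alice")
    store.issue("alice")                        # a second device
    result["revoked"] = store.revoke_all_for("alice")   # password reset after infection
    result["after_revoke"] = store.validate(t2)
    # An attacker keeping a session busy every 10 minutes never trips the idle timeout,
    # but the absolute lifetime still ends it.
    t4 = store.issue("bob")
    for _ in range(ABSOLUTE_TIMEOUT // 600 + 1):
        clock.t += 600
        store.validate(t4)
    result["after_absolute"] = store.validate(t4)
    return result


if __name__ == "__main__":
    print(demo())
    print(set_cookie_header("example-token"))
```

Run stand-alone, the demo shows a fresh token validating, the same token rejected after the idle window, two sessions of one user killed by a single revocation, and a continuously used session still expiring at the absolute lifetime. The point for defenders is that the client-side tips (clean cookies, strong passwords) only help if the service behind the cookie enforces lifetimes and lets users revoke sessions; MFA then stops a stolen password from simply re-creating a session.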


Pierluigi Paganini

(SecurityAffairs – hacking, custom malware)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
