Hacker Forum Credentials Found on 120,000 PCs Infected With Info-Stealer Malware

Israeli threat intelligence company Hudson Rock has identified credentials associated with cybercrime forums on roughly 120,000 computers infected with information stealers.

The systems were discovered during the analysis of a database of more than 14.5 million machines infected with info-stealers, many of which belong to hackers, Hudson Rock says.

The various types of information that these malware families harvest from the infected systems, the researchers say, can be used to discover the real identities of the hackers.

Such data typically includes credentials for additional online accounts (including email addresses and usernames), auto-fill data (consisting of personal information such as names, addresses, and phone numbers), and system information.

Roughly a month ago, Hudson Rock outed a black hat hacker known as ‘La_Citrix’, who infected his own computer with an information stealer. The hacker had used the same computer to perpetrate intrusions at hundreds of companies.

Hudson Rock’s analysis of the computers infected with information stealers revealed that the cybercrime forum ‘Nulled.to’ has the highest number of compromised users, at more than 57,000. ‘Cracked.io’ and ‘Hackforums.net’ round up the top three.

The analysis also showed that ‘Breached.to’ is the cybercrime forum with the strongest user passwords, while Russian website ‘Rf-cheats.ru’ has some of the weakest passwords.

However, the passwords that users of cybercrime forums employ are, overall, stronger than those used on government websites, Hudson Rock says. Compared to military websites, these forums have fewer ‘very weak’ passwords (passwords shorter than six characters with only one type of characters).

The top five countries with infected hackers were Tunisia (7.55% of total infections in the country), Malaysia (6%), Belgium (5.14%), Netherlands (4.8%), and Israel (4.43%).

Most of the infections were attributed to the Redline info-stealer. Numerous Raccoon and Azorult infections were observed as well.

“Info-stealer infections as a cybercrime trend surged by an incredible 6000% since 2018, positioning them as the primary initial attack vector used by threat actors to infiltrate organizations and execute cyberattacks, including ransomware, data breaches, account overtakes, and corporate espionage,” Hudson Rock notes.

Commenting on Hudson Rock’s findings, Tim West, head of threat intelligence at WithSecure, pointed out in an emailed comment that the large number of hackers infected with malware is likely the result of their lack of expertise.

“This is likely a symptom of the fact that now through an underground products and services economy as detailed here, many threat actors are now able to turn to cybercrime without great levels of expertise, or a full understanding of how malicious tools, that are proliferating wildly between such actors, work,” West said.  

“This is particularly true for budding cybercriminals who have not yet developed a full understanding or appreciation of operational security practice, or even have begun to fully operate in a criminal manner,” he added.

Related: ‘Sys01 Stealer’ Malware Targeting Government Employees

Related: New Information Stealer ‘Mystic Stealer’ Rising to Fame

Related: New ‘Atomic macOS Stealer’ Malware Offered for $1,000 Per Month